A general "checklist" for securing MySQL/MariaDB varient relational databases in Linux

Introduction


I am back with a a new topic for this week! a couple of months ago, I was playing around with and testing out MySQL database here in Fedora, so that I can learn the ropes for it if I need to configure and use it someday! I decided to create a simple security "checklist" for the first blog entry this week, to help get you moving in the right direction, after reading some suggestions from the manual. Instead of going into a detailed fashion, about what exact steps you need to take to secure the database in the best possible fashion exactly, I am going to list some "general" purpose steps that you can take if you are building a LAMP stack for instance in Linux. Here is the list (It's not exhaustive), but I may or may not add more resources to it in the future! [1]

Common Security tips for securing MySQL/MariaDB databases:


  • Make sure that only certain individuals have "root" access to the database (see below)
  • Always put root passwords into the DB (even if you just using the server as a "test" server and not a live production one)
  • Make sure all of the passwords in the database are encrypted with SHA-2 algorithm or better (MD5 and SHA-1 are no longer collision resistant!)
  • Make sure, in whatever server side language you are using to access MySQL/MariaDB, including PHP, RoR, or Python that you are using either filter functions or regular expressions to "drop" any illegal database queries and prevent SQL injection and XSS attacks! Even relatively simple ones. 
  • If you choose to use SSL 3.0/TLS 1.3 at the transport layer with the database make sure AES with a 256-bit key is being used along with signed CA certificates, from a TRUSTED CA.
  • If you choose not use SSL 3.0/TLS 1.3 at the transport layer with the database make sure the AES-128 algorithm is used SPARINGLY on certain database queries (due to performance and speed issues), unless your running it the cloud with AWS or Azure.
  • Always make sure to perform backups of the database using sqldumper or similar tools in Linux, excluding running them in the cloud with AWS or Azure (they often don't mention this in System Admin books)
  • If you are an "advanced" user consider setting up a web-based Intrusion Detection System (IDS) on top of the database to "alert" you of any attempts at SQL injection or XSS attacks on the database itself. 
  • If your an "advanced" user, using Debian / Fedora / CentOS / Red Hat for running your server, consider isolating the MySQL/MariaDB daemon within a sandboxed Docker container, even inside of virtual machines.
  • If you are an "advanced" user, using Debian / Fedora / CentOS / Red Hat for running your server consider using SELinux in "enforcing mode" on the MySQL/MariaDB daemon, even inside of virtual machines.

That should cover you on all the bases! I am going to add more references to the list below, as I continue to find more good books and manuals on database security. In the meantime, if you are a DBA or Systems Admin I strongly recommend you use the guidelines above for securing your server! failure to "cut corners" may lead to a data breach (in the case of LinkedIn breach in 2012, this was exactly what happened. The developers were using MD5 and SHA-1 to hash the passwords which are not collision resistant, coupled with the fact that most users passwords were "very weak". Most passwords were less then 10 characters, using alpha-numerics). I hope you enjoyed this weeks entry. I will be back in a couple of days or next week, with a new entry. In the meantime, I will attempt to update this list with more database books and manuals, if I come across some good ones that are thorough!

Reference:



1. MySQL 5.5. "Security in MySQL" http://dev.mysql.com/doc/mysql-security-excerpt/5.5/en/index.html accessed 10 Dec 2012. 2012

Comments

Popular posts from this blog

Encoding Opus files in Linux with opusenc for your own collection and HTML 5

Encoding Vorbis files in Linux using oggenc for your own music collection and HTML 5

Transcoding with Theora 1.1/1.2 using ffmpeg2theora 0.28 or better for your own collection in Linux and HTML 5 video