Wednesday, March 6, 2013

Tips on securing MySQL database

Security of any database is important, and MySQL is no different. Here I describe some basic security tips that every DBA should follow to protect a MySQL database.

  1. Change the default password: When MySQL is installed, its administrative account is created with a default username and password. Change that password as soon as installation is finished instead of keeping the default one.
  2. Disable remote access: To keep attackers from reaching your database over the network, restrict remote access. If you cannot disable remote access entirely, make sure that only defined hosts can reach the database server; this can be done through the TCP/IP connection settings or a firewall.
  3. Don't use LOCAL INFILE: "LOAD DATA LOCAL INFILE" is a convenient command in a TEST or QA environment, but it does not belong in production. It lets a client load a file from its own machine onto the MySQL server, and the drawback is that any client can load any file it has read access to. Disable it by adding the following parameter in the [mysqld] section of the configuration file:
    [mysqld]
    local-infile=0
  4. Limit system privileges: To protect your database from outside threats, give users the minimum permissions they need. Be careful when granting permissions to developers: they tend to ask for the maximum, and over-privileged accounts expose your database to a range of security risks. Make sure that only the 'mysql' and 'root' system users can access the /var/lib/mysql directory.
  5. Delete history: During installation, MySQL records a lot of sensitive information in the server history, which is useful for fixing things that go wrong during installation. Delete this history once installation is complete. Also delete '.mysql_history', since it contains passwords from previous sessions.
  6. Delete the 'test' database: The test database ships with MySQL and can be accessed by any user, so it is recommended to delete it. Use the command below to remove the test database:
    DROP DATABASE test;
  7. Limit access to the user table: Only DBAs should have access to the 'user' table. Grant access to the 'user' table only to the root user and administrative accounts.
  8. Special privileges: Only the 'root' user should hold the PROCESS, SHUTDOWN, SUPER and FILE privileges.
  9. Avoid plain-text passwords: Never store your database passwords in plain text; anyone who finds them can use them. Use a complex password made up of numbers, letters and special symbols.
  10. Update MySQL: Keep your database server patched with all the latest security updates to avoid known threats.
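The following script is an added example, not part of the original post, that applies tips 1, 4, 6, 7 and 8 above in one pass and then runs a few checks. The database name 'shopdb', the account 'shop_app', the client address 10.0.0.5 and the CHANGE_ME password placeholders are constructed for illustration. The network side of tip 2 (bind-address or skip-networking in my.cnf, or a firewall rule) and the history cleanup of tip 5 happen outside SQL and are not covered here; the bundled mysql_secure_installation tool performs a similar set of steps interactively.

```sql
-- Added example (not from the original post): hardening script for tips 1, 4, 6, 7 and 8.
-- Run as the MySQL root user. Names, hosts and passwords below are constructed placeholders.

-- Tip 1: replace the default root password and remove anonymous accounts.
-- MySQL 5.7.6+ syntax; on older servers use
--   SET PASSWORD FOR 'root'@'localhost' = PASSWORD('...');
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE_ME_strong_root_password';
DELETE FROM mysql.user WHERE User = '';

-- Complements tip 2: root may only log in locally, never from a remote host.
DELETE FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- Tip 6: drop the 'test' database together with the anonymous grants that
-- point at it (mysql.db carries rows for 'test' and 'test\_%' on older installs).
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db LIKE 'test%';

-- Tip 4: least privilege for an application account (assumed names).
-- The account may connect only from one address and only touch its own schema.
CREATE USER 'shop_app'@'10.0.0.5' IDENTIFIED BY 'CHANGE_ME_app_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'shop_app'@'10.0.0.5';
-- Deliberately NOT granted: FILE, PROCESS, SUPER, SHUTDOWN (tip 8) and any
-- privilege on the mysql schema (tip 7), so the account can neither read
-- mysql.user nor write server files with SELECT ... INTO OUTFILE.

FLUSH PRIVILEGES;

-- Checks: the first three queries should return no rows once the script has run.
SELECT User, Host FROM mysql.user WHERE User = '';            -- anonymous accounts left?
SELECT User, Host FROM mysql.user                             -- tip 8: dangerous global
 WHERE User <> 'root'                                         -- privileges on non-root users
   AND (File_priv = 'Y' OR Process_priv = 'Y'
        OR Super_priv = 'Y' OR Shutdown_priv = 'Y');
SELECT User, Host, Db FROM mysql.db                           -- tips 6 and 7: grants on
 WHERE Db LIKE 'test%' OR Db = 'mysql';                       -- test or mysql schema
SHOW GRANTS FOR 'shop_app'@'10.0.0.5';                        -- review the app account
```

The check queries are worth keeping as a recurring audit: a new developer account that has been handed SUPER or FILE "temporarily" will show up in the second query the next time it is run.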
