hardening

sql

5 Steps to hardedning your MySQL database

  • Setup with mysql_secure_installation - takes care of most of this for you!
  • Set strong passwords and change default passwords

    • sudo mysqladmin password
    • Unfortunately, MySQL runs background tasks as that root user. These tasks will break once you set a password, unless you take the additional step of hard-coding the password into the root.my.cnf file:
    [mysqladmin]
    user = root
    password = yourpassword
    

    Make sure to restrict access to that file

    $ sudo chown root:root /root/.my.cnf
    $ sudo chmod 0600 /root/.my.cnf
    
  • Remove unnecessary users

    • Remove anonymous user
    > drop user “”@”localhost”;
    > flush privileges;
    
  • Only grant access to the needed databases

    > grant all privileges on mydb.* to someuser@”localhost” identified by ‘astrongpassword’;
    > flush privileges;
    
    • You can also grant specific privileges (select, drop, delete, etc.)
  • Enable TLS

    • Once you have valid certs, add this to my.cnf
    [mysqld]
    ssl-ca=/path/to/ca.crt
    ssl-cert=/path/to/server.crt
    ssl-key=/path/to/server.key
    
    • Also, make sure the SSL cipher suites are strong ones

Harden MySQL Server

  • Set connection error limit
    • Bans people after x failed login attempts
    • Edit the configuration file my.cnf and set max_connect_errors:
      • max_connect_errors = 5
  • Disable load data local infile
    • The LOAD DATA LOCAL INFILE command allows users, or an attacker, to read local files and even access other files on the operating system.
    • Edit the configuration file my.cnf and set local-infile:
      • local-infile=0
  • Disable show databases

    • Edit my.cnf and add skip-show-database to the `[mysqld]`` section:
    [mysqld]
    skip-show-database
    
  • Bind MySQL to localhost
    • Edit my.cnf:
      • bind-address = 127.0.0.1
  • Privilege hardening
    • Each application that uses MySQL should have its own user that only has limited privileges and only has access to the databases it needs to run.
    • Never use ALL TO ..
    • never use % for a hostname
    • application user permissions should be restrictive as possible
    • only allow super privileges to dba accounts, and localhost
    • never ever give users global privileges, except for root, backup user, monitoring user, replication user
    • Take extra caution when granting SUPER or FILE privileges: SUPER can modify runtime configuration and become other users, FILE allows reading or writing files as MySQL process
  • rename root user

    RENAME USER 'root'@'localhost' TO 'foobar'@'localhost';
    FLUSH PRIVILEGES;
    

tools

  • flan - flan scan is a lightweight network vulnerability scanner.