In an ever-changing technology landscape, it is critical for companies and individuals to know a set of best practices that they can apply to whatever technology supports their database. As you already know, the majority of the world's websites are built on MySQL or its flavors, Percona Server or MariaDB.
If you've been running MySQL behind your web infrastructure for a while, you already know some of the security basics that MySQL comes with. MySQL DBAs advise you to run mysql_secure_installation (or mariadb_secure_installation) right after installing MySQL or MariaDB to improve the security of your database instances: it lets you set a password for root accounts, remove the root accounts that are accessible from the local host, remove anonymous user accounts, and remove the test database, which by default can be accessed by anonymous users. That, however, is only the basics.
Setting a password for all of your accounts is, of course, a good security practice, but if you want to ensure that your MySQL databases stay performant and, most importantly, secure against modern-day threats, there are a couple of additional tips and tricks you need to follow.
A proper security checklist consists of way more than just setting a password for your accounts. Depending on the version of MySQL you are running, the MySQL checklist for your databases may encompass the following:
First of all, proper access control is necessary so that only people with the proper knowledge and a legitimate need can access, read, or modify data in a database. User security goes hand in hand with that: strong passwords help, but if some of your users are compromised, privileges are what save your database from complete destruction. A user that can only read from a database, but not write to it, won't be able to do much harm. Privileges, in turn, go hand in hand with roles. A role is essentially a collection of privileges, and roles can be granted to and revoked from users, so if you assign a set of privileges to a role and then assign the role to a user, you enable that user to perform exactly that set of actions.
If you're running newer versions of MySQL (version 8 and higher), keep in mind that MySQL also supports account locking and unlocking through the ACCOUNT LOCK and ACCOUNT UNLOCK clauses. Locking a specific user account may be necessary when an employee is on vacation; when an account is locked and someone tries to log in with it, MySQL returns an error:
Access denied for user 'user'@'host'. Account is locked.
Employing enterprise plugins helps protect your database from sophisticated attackers, as MySQL can provide an enterprise firewall that is able to fend off all kinds of attacks, and making use of the backup features offered by MySQL ensures that if your database goes down, gets corrupted, or anything else happens to it, your data is always safe.
"In theory, it all sounds great", we hear you saying, but how does the security checklist hold up against threats in the real world? Allow us to walk you through each step of defense one by one:
And to lock a user that has already been created, use the ALTER USER statement like so:
ALTER USER demo_user IDENTIFIED BY 'your_password' ACCOUNT LOCK;
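The privilege, role and account-locking advice above, put together as an added MySQL 8.0 example (this is not code from the original post). The schema name appdb, the role app_readonly, the user report_user, the host pattern and the password are placeholders chosen for the example.

```sql
-- Added example (not from the original post): least-privilege access via a role,
-- plus locking and unlocking an account. appdb, app_readonly, report_user, the
-- host pattern and the password are placeholders. Requires MySQL 8.0 or newer.

-- 1. A role bundles privileges; grant only what the job needs (read-only here).
CREATE ROLE IF NOT EXISTS 'app_readonly';
GRANT SELECT ON appdb.* TO 'app_readonly';

-- 2. Create the user restricted to one network with a strong password and
--    attach the role. CREATE USER also accepts ACCOUNT LOCK, so an account can
--    be created locked and unlocked only once it is actually needed.
CREATE USER IF NOT EXISTS 'report_user'@'10.0.0.%'
  IDENTIFIED BY 'Replace-With-A-Long-Random-Passphrase-1!'
  PASSWORD EXPIRE INTERVAL 90 DAY
  ACCOUNT LOCK;
GRANT 'app_readonly' TO 'report_user'@'10.0.0.%';
SET DEFAULT ROLE 'app_readonly' TO 'report_user'@'10.0.0.%';

-- 3. Verify: the user holds only the role, and the role carries only SELECT.
SHOW GRANTS FOR 'report_user'@'10.0.0.%';
SHOW GRANTS FOR 'report_user'@'10.0.0.%' USING 'app_readonly';

-- 4. Check lock and password state from the grant tables (Y = locked / expired).
SELECT user, host, account_locked, password_expired
  FROM mysql.user
 WHERE user = 'report_user';

-- 5. Unlock when the employee is back; lock again when access should pause.
--    While locked, logins fail with "Access denied ... Account is locked."
ALTER USER 'report_user'@'10.0.0.%' ACCOUNT UNLOCK;
-- ALTER USER 'report_user'@'10.0.0.%' ACCOUNT LOCK;

-- 6. Revoking the role removes every privilege it carried in one step.
-- REVOKE 'app_readonly' FROM 'report_user'@'10.0.0.%';
```

Because the privileges live on the role rather than on the user, adjusting what every reporting account may do is a single GRANT or REVOKE on app_readonly instead of a change per user.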
Moving from top to bottom, securing your users and taking care of password security, privileges, roles, and backups will certainly take your database security to the next level, but if you find yourself securing an organization, there are a couple of additional things you need to consider.
When securing an organization, taking care of passwords, privileges, and a couple of roles won't be enough: for that, you need to either employ enterprise-level plugins or external services such as BreachDirectory. Let us explain:
Securing a relational database management system like MySQL or its flavors like MariaDB or Percona Server is never an easy task; however, with the right amount of knowledge, you can make your databases sing!
We hope that this blog post has provided your team with the knowledge needed to secure your databases. Make sure to run a search through BreachDirectory to see if you or anybody you know is at risk of identity theft, integrate the API offering into your infrastructure, and until next time!