MySQL in production: looking for security? (continued)

Following up on this entry, here are some more best practices to secure MySQL in a production environment.

But before moving forward, let me give credit to Lenz Grimmer, who provided me with most of this information. More about MySQL can be found on his blog.

After setting a password for the MySQL root account and removing the test database and anonymous account, you can also limit remote access to MySQL by binding it to a specific address. You do this by setting the bind-address option in the /etc/mysql/my.cnf file to the IP address of the host interface MySQL should listen on:

bind-address=ip-address

If you set bind-address to 127.0.0.1, which is the loopback address, then MySQL only accepts connections from the host where it runs.

If you uncomment skip-networking in my.cnf, MySQL does not listen on TCP/IP at all and only accepts connections through the Unix domain socket. The result is similar to setting bind-address to 127.0.0.1: MySQL only accepts connections from the local host.

To limit the damage that could be done to the system by someone breaking into MySQL, always run the mysqld daemon under a non-privileged user account. A good practice is to create a mysql Unix user dedicated to running mysqld.
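
An added example (not part of the original post): a small Python check that reads my.cnf text and reports on the three settings discussed so far (bind-address, skip-networking and the account mysqld runs as). The function names and the sample configurations are constructed for this illustration.

```python
import configparser
import ipaddress

def mysqld_options(text):
    """Parse my.cnf text and return the [mysqld] options as a dict."""
    # configparser rejects MySQL's !include/!includedir directives; drop them.
    # Files pulled in that way are NOT audited here.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, delimiters=("=",),
                                   interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(body)
    if not cp.has_section("mysqld"):
        return {}
    # MySQL accepts '-' and '_' interchangeably in option names.
    return {k.replace("_", "-"): v for k, v in cp.items("mysqld")}

def audit(text):
    """Return (option, message) findings for the settings covered in the post."""
    opts = mysqld_options(text)
    findings = []
    user = opts.get("user")
    if user is None:
        findings.append(("user", "not set: mysqld runs as the account that starts it"))
    elif user.strip() in ("root", "0"):
        findings.append(("user", "mysqld is configured to run as root"))
    if "skip-networking" in opts and opts["skip-networking"] not in ("0", "OFF", "off"):
        return findings  # TCP/IP disabled, Unix socket only: bind-address is moot
    addr = opts.get("bind-address")
    if addr is None:
        findings.append(("bind-address", "not set: server default listens on all interfaces"))
        return findings
    try:
        exposed = ipaddress.ip_address(addr.strip()).is_unspecified  # 0.0.0.0 or ::
    except ValueError:
        exposed = addr.strip() == "*"  # '*' = every interface; anything else is a hostname
    if exposed:
        findings.append(("bind-address", f"{addr} listens on all interfaces"))
    return findings

# Constructed sample configurations.
WEAK = "[mysqld]\nuser = root\nbind_address = 0.0.0.0\n!includedir /etc/mysql/conf.d/\n"
HARDENED = "[mysqld]\nuser = mysql\nbind-address = 127.0.0.1   # loopback only\n"
SOCKET_ONLY = "[mysqld]\nuser=mysql\nskip-networking\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("socket-only", SOCKET_ONLY)):
        print(name, audit(cfg) or "no findings")
```

The check only reads the text it is given; options set on the mysqld command line or in included files override or extend what it sees.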

To be even more secure, restrict access to the mysql.user table to the root user so that no one else can grant access to new users (as a reminder, only users listed in this table can actually connect to MySQL). Use "SELECT * FROM mysql.user" to obtain the list of MySQL users, and use "SHOW GRANTS [FOR user]" to see a user's privileges.

As per data security, do not store plain-text passwords in the database. Use MD5(), SHA1() or some other one-way hashing function instead.

Comments:

"As per data security, do not store plain-text passwords in the database. Use MD5(), SHA1() or some other one-way hashing function instead."

WRONG. Raw hashes are effectively equivalent to passwords given modern hardware and pre-compiled "rainbow table" attacks.

Use something secure like bcrypt. (Google "bcrypt password")

Posted by Ben on September 12, 2008 at 10:20 AM BST #
