mysql dba training session 16 securing mysql server

MySQL DBA Training Session 16. Securing MySQL Server

RAM N SANGWAN

WWW.RNSANGWAN.COM

YOUTUBE CHANNEL : HTTP://YOUTUBE.COM/USER/THESKILLPEDIA

TO LEARN OR TEACH JOIN WWW.THESKILLPEDIA.COM

Upload: ram-n-sangwan

Post on 12-Apr-2017



Who am I?

• Corporate Trainer

• More than 25 Years of Experience.

• More than 50 Technologies

• Managing Alliance Softech Pvt Ltd as Managing Director

• Running More than 300 Live Websites

• Major Technologies

◦ RDBMS : MySQL, Sybase (Now SAP ASE), DB2, Oracle, SQL Server, SAP HANA

◦ Linux : Virtualization, High Availability, Deployment

◦ PHP, Perl, Python

◦ Storage Technologies

◦ Many More…


About this Session

• Security Issues

• Operating System Security

• Filesystem Security

• Securing MySQL Installation

• Securing the MySQL Service

• Log Files and Security

• Network Security

• Securing the Initial MySQL Accounts


About this Session Contd..

• Setup Passwords for accounts

• Ready Script to secure your installation

• General Privilege Precautions

• Restricting the Server's Network Interfaces

• Upgrading the Privilege Tables

• Fixing Privileges through Script provided

• Security - SQL Mode Values


Security Issues

• Operating system security risks.

• Filesystem security risks.

• Network security risks.


Operating System Security

• Minimize the number of tasks that the server host is used for.

• It is best if the MySQL server machine is used exclusively for MySQL.

◦ No need to have login accounts except the system administrative accounts.

• Closing ports minimizes the number of avenues of attack to which the host is exposed.

• There is also a performance benefit to minimizing the number of non-MySQL services:

◦ More of the system's resources can be devoted to MySQL.


Filesystem Security

• All components of a MySQL installation should be owned by a login account with proper administrative privileges.

• The installation should be accessible to other users only to the extent necessary.

• For this, set up a dedicated login account to use for administering MySQL and give that account ownership of the relevant files.

• An additional benefit of setting up this account is that you can use it to run the MySQL server, rather than running the server from the Unix root account.


Filesystem Security Contd..

• Every MySQL-related directory and file should have its user and group ownerships set to mysql.

• Files that only the server should be able to access should be owned by the mysql account and readable only by it.

• Exceptions are: Unix socket file, global option files, error message files, language files, and character set files.

• In most cases, it's reasonable for client programs and other utilities to be world-executable so that other users with login accounts on the system can run them.


Securing MySQL Installation

• The chown and chgrp commands should be run as the system root user because only root can assign directory and file ownership.

# chown -R mysql /usr/share/mysql

# chgrp -R mysql /usr/share/mysql

# chmod u=rwx,go=rx /usr/share/mysql

# chmod u=rwx,go=rx /usr/share/mysql/bin

(If applicable. Check your installation Tree)

# chmod -R go-rwx /var/lib/mysql/

(..check your data directory)


Securing MySQL Installation Contd..

• You should also protect the global option file, /etc/my.cnf, if it exists.

• The mysql user should own it and have read/write access to it, but other users need only read access:

# chown mysql /etc/my.cnf

# chgrp mysql /etc/my.cnf

# chmod u=rw,go=r /etc/my.cnf


Securing the MySQL Service

• You should start the MySQL service as root with the --user=mysql option.

• If you have the server set to start automatically during the system boot sequence, then put the --user option in an option file, /etc/my.cnf:

[mysqld]

user=mysql

• Each MySQL user on Unix can have a personal option file (~/.my.cnf).

• To protect this file, each user should run:

# chmod u=rw,go-rwx ~/.my.cnf
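
The ownership and mode rules from the preceding slides (data directory, /etc/my.cnf, ~/.my.cnf) can be re-checked at any time. The script below is an added example, not part of the original slides; the function names are hypothetical, it assumes GNU find, and its demo runs against a constructed temporary tree with the current user standing in for the mysql account.

```shell
#!/bin/sh
# Added example, not from the slides. Assumes GNU find (-perm /MODE).
# Checks owner and mode only; add "-o ! -group NAME" to check the group too.

# violations PATH OWNER FORBIDDEN_BITS [tree]
# Prints each entry that is not owned by OWNER (name or numeric uid) or has
# any of the octal FORBIDDEN_BITS set. With "tree", descends into PATH.
violations() {
    if [ "${4:-}" = tree ]; then
        find "$1" \( ! -user "$2" -o -perm "/$3" \) -print
    else
        find "$1" -maxdepth 0 \( ! -user "$2" -o -perm "/$3" \) -print
    fi
}

# audit_mysql_files DATADIR GLOBAL_CNF SERVER_ACCOUNT USER_CNF USER_ACCOUNT
# Prints the violating paths; returns 1 if there are any, 0 otherwise.
# Masks: 077 = chmod -R go-rwx, 133 = chmod u=rw,go=r, 177 = chmod u=rw,go-rwx.
audit_mysql_files() {
    found=$(
        violations "$1" "$3" 077 tree
        violations "$2" "$3" 133
        violations "$4" "$5" 177
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed demo: a temporary tree stands in for a real installation and
# the current user stands in for the mysql account.
demo() {
    d=$(mktemp -d) || return 2
    me=$(id -u)
    mkdir "$d/data"
    : > "$d/data/ibdata1"; : > "$d/my.cnf"; : > "$d/user.cnf"
    chmod 700 "$d/data"
    chmod 660 "$d/data/ibdata1"   # group can read and write: violation
    chmod 644 "$d/my.cnf"         # matches u=rw,go=r
    chmod 640 "$d/user.cnf"       # group can read: violation
    if audit_mysql_files "$d/data" "$d/my.cnf" "$me" "$d/user.cnf" "$me"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

demo || echo "violations found (paths listed above)"
```

On a real host the call would be along the lines of audit_mysql_files /var/lib/mysql /etc/my.cnf mysql "$HOME/.my.cnf" "$USER", run as root so that the whole data directory can be read.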


Log Files and Security

• You should keep the log contents secret.

• Log exposure constitutes a security risk that must be addressed by protecting the log files, but logs also play a role in enhancing security:

• The binary log is needed for data security & recovery operations.

• The general query log gives you information about what clients are connecting, which may be helpful in detecting instances of malicious activity and determining their source.


Network Security

• It's important to make sure that only authorized clients can connect to the server to access its databases.

• You should make sure that MySQL accounts are protected with passwords and do not have unnecessary privileges.


Securing the Initial MySQL Accounts

• MySQL Server controls client access using the mysql database, which contains the grant tables.

• Privileges listed in the grant tables are tied to accounts, each of which is defined by a username and a hostname.

• The MySQL installation procedure sets up one or more initial accounts in the grant tables.

• By default, these accounts have no passwords at first.

• The grant tables may also contain anonymous-user accounts that have a blank username and that can be used by anyone.


Setup Passwords for accounts

• Use the GRANT statement

• Use the SET PASSWORD statement

• Use the mysqladmin password command

• Modify the grant tables directly with the UPDATE statement


Setup Passwords for accounts Contd..

• Initially, assuming that the root accounts have no password, you can connect as follows without specifying a password option:

# mysql -u root mysql

• Account names and passwords are stored in the user table of the mysql database.

• Modify any user table records for root to assign a password.

mysql> UPDATE user SET Password = PASSWORD('Z*sb7U#$') WHERE User = 'root';


Setup Passwords for accounts Contd..

• Remove any anonymous accounts:

mysql> DELETE FROM user WHERE User ='';

mysql> DELETE FROM db WHERE User ='';

• To see what effect the preceding operations have on the user table:

mysql> SELECT Host, User, Password FROM user;

• Finally, flush the grant tables:

mysql> FLUSH PRIVILEGES;


Ready Script to secure your installation

• MySQL comes with a mysql_secure_installation script with the following capabilities:

• Set a password for the root accounts.

• Remove any remotely accessible root accounts.

• Remove the anonymous-user accounts.

• Remove the test database.
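
Whether the account clean-up from the preceding slides actually took effect can be verified from the output of the SELECT shown earlier. The script below is an added example, not part of the original slides; the function names and sample rows are constructed, and it assumes the mysql.user layout used on the slides (a Password column), which MySQL 5.7 and later replace with authentication_string.

```shell
#!/bin/sh
# Added example, not from the slides. Reads tab-separated Host, User, Password
# rows on stdin, for example from:
#   mysql -u root -p -B -N -e 'SELECT Host, User, Password FROM mysql.user'
# and flags the account conditions mysql_secure_installation is meant to remove.
# Prints one finding per line; returns 1 if there are findings, 0 otherwise.
audit_accounts() {
    awk -F '\t' '
        NF == 0  { next }                                # skip blank lines
        { acct = "\047" $2 "\047@\047" $1 "\047" }       # quoted user@host
        $2 == "" { print "ANONYMOUS " acct; bad++ }      # blank username
        $3 == "" { print "NO_PASSWORD " acct; bad++ }    # empty password hash
        $2 == "root" && $1 != "localhost" && $1 != "127.0.0.1" && $1 != "::1" {
            print "REMOTE_ROOT " acct; bad++             # root reachable remotely
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample rows (the hash is a placeholder, not a real value).
sample_rows() {
    printf 'localhost\troot\t\n'
    printf '%%\troot\t*PLACEHOLDER_HASH\n'
    printf 'localhost\t\t\n'
    printf 'localhost\tapp\t*PLACEHOLDER_HASH\n'
}

sample_rows | audit_accounts || echo "(findings listed above)"
```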


General Privilege Precautions

• Don't grant privileges for the mysql database.

• Be selective about granting administrative privileges.

◦ The FILE privilege allows users to cause the MySQL server to read and write files in the server host filesystem.

◦ The PROCESS privilege allows use of SHOW PROCESSLIST to see all client threads. Output from this statement shows the statements that clients are executing, which exposes data.

◦ The SUPER privilege allows a client to kill other client connections or to change the runtime configuration of the server.


Restricting the Server's Network Interfaces

• Disable TCP/IP connections by starting the server with the --skip-networking option.

• For Unix servers, this is not an issue, because the Unix socket file is always available.

• To keep TCP/IP enabled but accept connections only from the local host, place the following lines in an option file:

[mysqld]

bind-address=127.0.0.1


Upgrading the Privilege Tables

• As MySQL development proceeds, it sometimes occurs that new privileges are implemented to go along with new features.

• For example, in MySQL 5, new features include stored routines and views, each of which is accompanied by privileges CREATE ROUTINE and CREATE VIEW.


Fixing Privileges through Script provided

Run the mysql_fix_privilege_tables program to upgrade your grant tables:

1. Make a backup of your mysql database:

# mysqldump mysql > mysql.sql

2. Run it using:

# mysql_fix_privilege_tables --password=root_password

When you run mysql_fix_privilege_tables, "Duplicate column name" errors might occur and can be ignored.

3. After upgrading the grant tables, stop the server and restart it.

4. Consider whether any of your MySQL accounts should be given the new privileges.


Security - SQL Mode Values

• New SQL mode values are implemented from time to time.

• New mode values are not enabled by default as part of your server's SQL mode.

• You can run the server in a given mode by putting lines like the following in an option file:

[mysqld]

sql-mode=TRADITIONAL


SQL Mode Values Contd..

• Strict mode enables general input value restrictions. Strict mode is enabled using the STRICT_ALL_TABLES and STRICT_TRANS_TABLES mode values.

• Division by zero can be treated as an error for data entry by enabling the ERROR_FOR_DIVISION_BY_ZERO mode value and strict mode.

• By default, MySQL requires that the month and day values correspond to an actual legal date, except that it allows "zero" dates ('0000-00-00') and dates that have zero parts ('2009-12-00', '2009-00-01').

• Zero dates and dates with zero parts are allowed, even in strict mode.

• To prohibit such dates, enable strict mode and the NO_ZERO_DATE and NO_ZERO_IN_DATE mode values.


SQL Mode Values Contd..

• The TRADITIONAL mode value is a composite mode that enables strict mode as well as the other restrictions.

• If you want your MySQL server to be as restrictive as possible about input data checking, the simplest way to achieve this is to enable TRADITIONAL mode rather than a list of individual more-specific modes.
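
The [mysqld] settings recommended across these slides (user=mysql, --skip-networking or bind-address=127.0.0.1, and sql-mode=TRADITIONAL) can be checked in one pass over an option file. The script below is an added example, not part of the original slides; the function names and the two sample option files are constructed, and accepting ::1 and localhost as loopback bind addresses goes slightly beyond the single value shown on the slide.

```shell
#!/bin/sh
# Added example, not from the slides. Function names and sample option files
# are constructed. Reads an option file (argument or stdin) and reports which
# of the [mysqld] settings recommended on the slides are missing.
# Prints one finding per line; returns 1 if there are findings, 0 otherwise.
audit_mysqld_options() {
    awk '
        BEGIN { strip = "[ \t\"" sprintf("%c", 39) "]" }   # blanks and quotes
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }               # comments, blanks
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        !in_mysqld { next }
        {
            eq = index($0, "=")
            key = eq ? substr($0, 1, eq - 1) : $0
            val = eq ? substr($0, eq + 1) : ""
            gsub(/[ \t]/, "", key); gsub(/_/, "-", key)    # sql_mode = sql-mode
            gsub(strip, "", val)
            opt[key] = val
        }
        END {
            if (opt["user"] != "mysql") {
                print "user: [mysqld] does not set user=mysql"; bad++ }
            b = opt["bind-address"]
            local_only = (b == "127.0.0.1" || b == "::1" || b == "localhost")
            if (!("skip-networking" in opt) && !local_only) {
                print "network: no skip-networking or loopback bind-address"; bad++ }
            if (("," toupper(opt["sql-mode"]) ",") !~ /,TRADITIONAL,/) {
                print "sql-mode: TRADITIONAL is not enabled"; bad++ }
            exit (bad ? 1 : 0)
        }
    ' "$@"
}

# Constructed samples: user=mysql under [client] must not count for [mysqld].
weak_cnf() {
    printf '%s\n' '[client]' 'user=mysql' '' '[mysqld]' \
        '# listens on every interface' 'bind-address = 0.0.0.0'
}
hardened_cnf() {
    printf '%s\n' '[mysqld]' 'user = mysql' 'bind_address=127.0.0.1' \
        'sql-mode="TRADITIONAL"'
}

echo "weak:";     weak_cnf | audit_mysqld_options || echo "(findings above)"
echo "hardened:"; hardened_cnf | audit_mysqld_options && echo "no findings"
```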


Thank You


• ls -la /var/lib/mysql/

• PURGE BINARY LOGS TO 'mysql-bin.010';

• PURGE BINARY LOGS BEFORE '2008-04-02 22:46:26';

• PURGE BINARY LOGS BEFORE NOW();
