By Mike Mullins
One of the most valuable assets on an organization's network is the MySQL database that runs as a back-end to the Web server. Securing this indispensable information from data thieves is simple as long as you build security into your database deployment.
The first step to building a secure MySQL database is applying a basic security principle that's applicable to every process a remote user invokes. This principle is "define and confine."
Define your users
First, you must define a new user group and a user dedicated solely to running the database processes.
For UNIX or Linux systems, you can accomplish this by executing the following commands:
pw groupadd mysql
pw useradd mysql -c "MySQL Server" -d /dev/null -g mysql -s /sbin/nologin
For Windows Server 2000 or Windows Server 2003 systems, follow these steps:
Running the database under a dedicated user is essential to confining its processes. If an account or service is compromised through an unpatched vulnerability, this separation can minimize exposure to the rest of your system.
Confine your users
Allowing a remote user to run a process on your server is inherently dangerous, but it happens every time you open a Web page or run a network application. The key to securing this remote access is limiting the local resource structure to a specific user process.
You can confine remote access to MySQL by running your database in a chroot environment. (Chroot changes the root directory and restricts a process to an isolated subset of the file system.)
Create the directory structure by executing the following:
mkdir -p /chroot/mysql/dev
mkdir -p /chroot/mysql/etc
mkdir -p /chroot/mysql/tmp
mkdir -p /chroot/mysql/var/tmp
mkdir -p /chroot/mysql/usr/local/mysql/libexec
mkdir -p /chroot/mysql/usr/local/mysql/share/mysql/english
Set access rights to the directory structure, and copy the source files created during your install, as shown below:
chown -R root:sys /chroot/mysql
chmod -R 755 /chroot/mysql
chmod 1777 /chroot/mysql/tmp
cp /usr/local/mysql/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/mysql/share/mysql/english/
cp /etc/hosts /chroot/mysql/etc/
cp /etc/host.conf /chroot/mysql/etc/
cp /etc/resolv.conf /chroot/mysql/etc/
cp /etc/group /chroot/mysql/etc/
cp /etc/master.passwd /chroot/mysql/etc/passwords
cp /etc/my.cnf /chroot/mysql/etc/
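A check for the tree built by the commands above, as an added example that is not part of the original article: a shell function, here given the hypothetical name audit_chroot, that confirms the directories exist, that tmp is mode 1777, and that nothing else is group- or world-writable. Its last check, that the jail's copy of the password file lists only the mysql account, is an assumption added here rather than a step from the article.

```shell
#!/bin/sh
# Added example: audit a chroot tree built with the article's commands.
# Prints one finding per line; returns 0 when clean, 1 when anything is off.
audit_chroot() {
    jail=$1
    bad=0

    # Every directory the article creates must be present.
    for d in dev etc tmp var/tmp usr/local/mysql/libexec \
             usr/local/mysql/share/mysql/english; do
        [ -d "$jail/$d" ] || { echo "MISSING $jail/$d"; bad=1; }
    done

    # tmp must carry all of mode 1777, sticky bit included.
    if [ -d "$jail/tmp" ] &&
       [ -z "$(find "$jail/tmp" -prune -perm -1777 -print)" ]; then
        echo "BADMODE $jail/tmp (want 1777)"; bad=1
    fi

    # Outside tmp, "chmod -R 755" leaves nothing group- or world-writable.
    loose=$(find "$jail" -path "$jail/tmp" -prune -o ! -type l \
            \( -perm -0002 -o -perm -0020 \) -print)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/WRITABLE /'; bad=1
    fi

    # Assumption (not an article step): the jail's copy of the password
    # file should hold only the mysql account, not every local user.
    if [ -f "$jail/etc/passwords" ]; then
        extra=$(grep -v -e '^mysql:' -e '^#' -e '^$' \
                "$jail/etc/passwords" | cut -d: -f1)
        if [ -n "$extra" ]; then
            echo "$extra" | sed 's/^/EXTRA_ACCOUNT /'; bad=1
        fi
    fi
    return $bad
}
```

Call it as audit_chroot /chroot/mysql after building the tree; a clean tree prints nothing and returns 0.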
Windows Server 2000 or Windows Server 2003
Follow the installation instructions, and install the database on a separate drive from your system drive (typically C:). Remove the Everyone group, add the MySQL group, and give that group full control of the directory structure.
If your database is colocated on your Web server, you need to disable access to TCP port 3306. This eliminates direct attacks from remote connections.
A database is like any other application served over your network. Restrict the file processes and user accounts that run your application, and control the ports that are open. No software installation is secure—until you add that layer of protection.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.