By Mike Mullins
One of the most valuable assets on an organization’s network is the MySQL database that runs as a back-end to the Web server. Securing this indispensable information from data thieves is simple as long as you build security into your
The first step to building a secure MySQL database is applying a basic security principle that’s applicable to every process a remote user invokes. This principle is “define
Define your users
First, you must define a new user group and a user dedicated solely to running the database processes.
For UNIX or Linux systems, you can accomplish this by executing the following commands:
pw groupadd mysql
pw useradd mysql -c "MySQL Server" -d /dev/null -g mysql -s /sbin/nologin
For Windows Server 2000 or Windows Server 2003 systems, follow these steps:
- Go to Start | Settings | Control Panel.
- Double-click Administrative Tools, and double-click Computer Management.
- Expand Local Users And Groups.
- Right-click Groups, and select New Group.
- Create the MySQL group.
- Right-click Users, and select New User.
- Create the MySQL user, and give it a complex password that won’t expire and that the user can’t change.
- After creating the MySQL user, open the account’s properties, add it as a member of the MySQL group, and remove its membership from the Users group.
- Close Computer Management, and double-click Local Security Settings.
- Expand Local Policies, and select User Rights Assignment.
- Double-click Access This Computer From The Network, and add the MySQL group.
- Double-click Log On As A Batch Job, and add the MySQL group.
Using a dedicated user to run these processes is essential because it confines your database processes. If an account or service is compromised through an unpatched vulnerability, running as a confined, unprivileged user minimizes the exposure of the rest of your system.
What’s your backup strategy?
It is one thing to get your database up and running. Now that you have your MySQL server in production, what is your backup strategy, and what are you using to back up your database?
Here are a few articles that may prove helpful.
An update from Ramon Padillia
Confine your users
Allowing a remote user to run a process on your server is inherently dangerous, but it happens every time you open a Web page or run a network application. The key to securing this remote access is limiting the local resource structure available to a specific user process.
You can confine remote access to MySQL by running your database in a chroot environment. (Chroot changes the root directory and restricts a process to an isolated subset of the
Create the directory structure by executing the following:
mkdir -p /chroot/mysql/dev
mkdir -p /chroot/mysql/etc
mkdir -p /chroot/mysql/tmp
mkdir -p /chroot/mysql/var/tmp
mkdir -p /chroot/mysql/usr/local/mysql/libexec
mkdir -p /chroot/mysql/usr/local/mysql/share/mysql/english
Set access rights on the directory structure, and copy the files created during your install into it, as shown:
chown -R root:sys /chroot/mysql
chmod -R 755 /chroot/mysql
chmod 1777 /chroot/mysql/tmp
cp /usr/local/mysql/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/mysql/share/mysql/english/
cp /etc/hosts /chroot/mysql/etc/
cp /etc/host.conf /chroot/mysql/etc/
cp /etc/resolv.conf /chroot/mysql/etc/
cp /etc/group /chroot/mysql/etc/
cp /etc/master.passwd /chroot/mysql/etc/passwords
cp /etc/my.cnf /chroot/mysql/etc/
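The following script is an added example, not part of the original article: it builds the same chroot tree under a configurable prefix so the layout can be rehearsed without root, copies only the root and mysql entries into the jail’s password file rather than the whole account database, and checks the result. The prefix, the sample passwd contents and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build and verify a MySQL chroot tree (prefix is a parameter
# so the steps can be rehearsed as an unprivileged user; chown is left to the
# operator, as in the article).
set -eu

# $1 = chroot prefix (the article uses /chroot/mysql)
make_chroot_tree() {
    root=$1
    for d in dev etc tmp var/tmp usr/local/mysql/libexec \
             usr/local/mysql/share/mysql/english; do
        mkdir -p "$root/$d"
    done
    chmod -R 755 "$root"
    chmod 1777 "$root/tmp"    # world-writable but sticky, like the real /tmp
}

# Copy only the accounts mysqld needs into the jail. The article copies the
# whole master.passwd; trimming it keeps every other account out of the
# jailed process's view.  $1 = source passwd file, $2 = destination in chroot
filter_passwd() {
    grep -E '^(root|mysql):' "$1" > "$2"
    chmod 644 "$2"
}

# Post-build check: tmp must be sticky and world-writable, and the jailed
# password file must not carry any account other than root and mysql.
# Returns 0 on success, 1 on any failure.  $1 = chroot prefix
check_chroot() {
    root=$1
    perms=$(ls -ld "$root/tmp" | cut -c1-10)
    [ "$perms" = "drwxrwxrwt" ] || return 1
    if grep -Ev '^(root|mysql):' "$root/etc/passwords" >/dev/null; then
        return 1
    fi
    return 0
}
```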
For Windows Server 2000 or Windows Server 2003
Follow the installation instructions, and install the database on a separate drive from your system drive (typically C:). Remove the Everyone group from the directory structure, add the MySQL group, and give it full control.
If your database is colocated on your Web server, you need to disable access to TCP port 3306. This eliminates direct attacks from remote connections.
A database is like any other application served over your network. Restrict the file processes and user accounts that run your application, and control the ports that are open. No software installation is secure until you add that layer of
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.