Tech Tip: Secure a MySQL database

Here's how to secure a MySQL database.

By Mike Mullins

One of the most valuable assets on an organization's network is the MySQL database that runs as a back-end to the Web server. Securing this indispensable information from data thieves is simple as long as you build security into your database deployment.

The first step to building a secure MySQL database is applying a basic security principle that's applicable to every process a remote user invokes. This principle is "define and confine."

Define your users

First, you must define a new user group and a user dedicated solely to running the database processes.

For UNIX or Linux systems, you can accomplish this by executing the following commands:

pw groupadd mysql
pw useradd mysql -c "MySQL Server" -d /dev/null -g mysql -s /sbin/nologin

For Windows Server 2000 or Windows Server 2003 systems, follow these steps:

  1. Go to Start | Settings | Control Panel.
  2. Double-click Administrative Tools, and double-click Computer Management.
  3. Expand Local Users And Groups.
  4. Right-click Groups, and select New Group.
  5. Create the MySQL group.
  6. Right-click Users, and select New User.
  7. Create the MySQL user, and give it a complex password that won't expire and that the user can't change.
  8. After creating the MySQL user, open the account's properties, add it as a member of the MySQL group, and remove its membership from the User group.
  9. Close Computer Management, and double-click Local Security Settings.
  10. Expand Local Policies, and select User Rights Assignment.
  11. Double-click Access This Computer From The Network, and add the MySQL group.
  12. Double-click Log On As A Batch Job, and add the MySQL group.

Using a different user to run these processes is essential so you can confine your database processes. If an account or service compromise occurs because of an unpatched exploit, this can minimize exposure to the rest of your system.

Running MySQL What's your backup Strategy?

It is one thing to get your database up and running. Now that you have your MySQL server in production, what is your backup strategy and what are you using to back up your database?

Here are a few articles that may prove helpful.
MySQL - Daily database dumps, all nicely sorted
MySQL Database Backup
Hot Backup Plugin

An update from Ramon Padillia

Confine your users

Allowing a remote user to run a process on your server is inherently dangerous, but it happens every time you open a Web page or run a network application. The key to securing this remote access is limiting the local resource structure to a specific user process.

You can confine remote access to MySQL by running your database in a chroot environment. (Chroot changes the root directory and restricts a process to an isolated subset of the file system.)

UNIX and Linux systems
Create the directory structure by executing the following:

mkdir -p /chroot/mysql/dev
mkdir -p /chroot/mysql/etc
mkdir -p /chroot/mysql/tmp
mkdir -p /chroot/mysql/var/tmp
mkdir -p /chroot/mysql/usr/local/mysql/libexec
mkdir -p /chroot/mysql/usr/local/mysql/share/mysql/English

Set access rights to the directory structure, and copy the source files created during your install, as shown below:

chown -R root:sys /chroot/mysql
chmod -R 755 /chroot/mysql
chmod 1777 /chroot/mysql/tmp

cp /usr/local/mysql/libexec/mysqld/chroot/mysql/usr/local/mysql/libexec/
cp /usr/local/mysql/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/mysql/share/mysql/english/
cp /etc/hosts /chroot/mysql/etc/
cp /etc/host.conf /chroot/mysql/etc/
cp /etc/resolv.conf /chroot/mysql/etc/
cp /etc/group /chroot/mysql/etc/
cp /etc/master.passwd /chroot/mysql/etc/passwords
cp /etc/my.cnf /chroot/mysql/etc/

Windows Server 2000 or Windows Server 2003
Follow the installation instructions, and install the database on a separate drive from your system drive (typically C:). Remove the Everyone group, add the MySQL group, and give full control to the directory structure.

If your database is colocated on your Web server, you need to disable access to TCP port 3306. This eliminates direct attacks from remote connections.

Final thoughts

A database is like any other application served over your network. Restrict the file processes and user accounts that run your application, and control the ports that are open. No software installation is secure--until you add that layer of protection.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.