By Mike Mullins

One of the most valuable assets on an
organization’s network is the MySQL database that runs as a
back-end to the Web server. Securing this indispensable information
from data thieves is simple as long as you build security into your
database deployment.

The first step to building a secure MySQL
database is applying a basic security principle that’s applicable
to every process a remote user invokes. This principle is “define
and confine.”

Define your users

First, you must define a new user group and a
user dedicated solely to running the database processes.

For UNIX or Linux systems, you can accomplish
this by executing the following commands:

pw groupadd mysql
pw useradd mysql -c "MySQL Server" -d /dev/null -g mysql -s /sbin/nologin

For Windows Server 2000 or Windows Server 2003
systems, follow these steps:

  1. Go to Start | Settings | Control Panel.
  2. Double-click Administrative Tools, and
    double-click Computer Management.
  3. Expand Local Users And Groups.
  4. Right-click Groups, and select New Group.
  5. Create the MySQL group.
  6. Right-click Users, and select New User.
  7. Create the MySQL user, and give it a complex
    password that won’t expire and that the user can’t change.
  8. After creating the MySQL user, open the
    account’s properties, add it as a member of the MySQL group, and
    remove its membership from the User group.
  9. Close Computer Management, and double-click
    Local Security Settings.
  10. Expand Local Policies, and select User Rights
    Assignment.
  11. Double-click Access This Computer From The
    Network, and add the MySQL group.
  12. Double-click Log On As A Batch Job, and add
    the MySQL group.

Using a different user to run these processes
is essential so you can confine your database processes. If an
account or service compromise occurs because of an unpatched
exploit, this can minimize exposure to the rest of your system.


Confine your users

Allowing a remote user to run a process on your
server is inherently dangerous, but it happens every time you open
a Web page or run a network application. The key to securing this
remote access is limiting the local resource structure to a
specific user process.

You can confine remote access to MySQL by
running your database in a chroot environment. (Chroot changes the
root directory and restricts a process to an isolated subset of the
file system.)

UNIX and Linux systems
Create the directory structure by executing the following:

mkdir -p /chroot/mysql/dev
mkdir -p /chroot/mysql/etc
mkdir -p /chroot/mysql/tmp
mkdir -p /chroot/mysql/var/tmp
mkdir -p /chroot/mysql/usr/local/mysql/libexec
mkdir -p /chroot/mysql/usr/local/mysql/share/mysql/english

Set access rights to the directory structure,
and copy the source files created during your install, as shown
below:

chown -R root:sys /chroot/mysql
chmod -R 755 /chroot/mysql
chmod 1777 /chroot/mysql/tmp

cp /usr/local/mysql/libexec/mysqld /chroot/mysql/usr/local/mysql/libexec/
cp /usr/local/mysql/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/mysql/share/mysql/english/
cp /etc/hosts /chroot/mysql/etc/
cp /etc/host.conf /chroot/mysql/etc/
cp /etc/resolv.conf /chroot/mysql/etc/
cp /etc/group /chroot/mysql/etc/
cp /etc/master.passwd /chroot/mysql/etc/passwords
cp /etc/my.cnf /chroot/mysql/etc/
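As an added example, not part of Mike Mullins's article, the following POSIX shell script generalizes the UNIX steps above: it builds the same directory layout under any root you pass in, copies only the mysql entry from an account file into the jail instead of the whole system password file, and uses ldd (assumed available, as on Linux) to list the shared libraries a dynamically linked mysqld would still need inside the jail. All function and parameter names are invented for this script.

```shell
#!/bin/sh
# Added example (not from the article): chroot skeleton builder and jail checks.
# Function and parameter names are invented here; the article uses /chroot/mysql.
set -eu

# Create the article's directory layout under the jail root given as $1.
make_mysql_jail() {
    jail="$1"
    for d in dev etc tmp var/tmp usr/local/mysql/libexec usr/local/mysql/share/mysql/english; do
        mkdir -p "$jail/$d"
    done
    chmod -R 755 "$jail"
    chmod 1777 "$jail/tmp"        # sticky, world-writable tmp, as in the article
    # chown root:sys only works as root and only where the sys group exists
    if [ "$(id -u)" -eq 0 ] && grep -q '^sys:' /etc/group; then
        chown -R root:sys "$jail"
    fi
}

# Copy an account file (passwd or group) from $1 to $2, keeping only the entry whose
# first colon-separated field is $3, so the jail does not carry every system account.
prune_account_file() {
    src="$1"; dst="$2"; name="$3"
    awk -F: -v n="$name" '$1 == n' "$src" > "$dst"
    chmod 644 "$dst"
    [ -s "$dst" ]                 # non-zero exit if the account was not found
}

# Read ldd output on stdin and print the absolute paths it resolves, including the
# dynamic loader line, which has no "=>" and no soname in front of it.
needed_libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next } $1 ~ /^\// { print $1 }'
}

# Print each library that binary $2 needs but that is absent under jail $1;
# exit status 1 if anything is missing (a statically linked mysqld needs nothing here).
missing_jail_libs() {
    jail="$1"; bin="$2"; rc=0
    for lib in $(ldd "$bin" | needed_libs_from_ldd); do
        [ -e "$jail$lib" ] || { echo "missing: $jail$lib"; rc=1; }
    done
    return "$rc"
}
```

Run `missing_jail_libs /chroot/mysql /chroot/mysql/usr/local/mysql/libexec/mysqld` after copying the binary; every path it prints must be copied under the jail before mysqld will start there.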

Windows Server 2000 or Windows Server 2003
Follow the installation instructions, and install the database
on a separate drive from your system drive (typically C:). Remove
the Everyone group, add the MySQL group, and give full control to
the directory structure.

If your database is colocated on your Web
server, you need to disable access to TCP port 3306. This
eliminates direct attacks from remote connections.

Final thoughts

A database is like any other application served
over your network. Restrict the file processes and user accounts
that run your application, and control the ports that are open. No
software installation is secure until you add that layer of
protection.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.