How to protect important data in MySQL
- 2020-05-12 06:20:01
- OfStack
An enterprise's most valuable asset is usually customer or product information in its database. Therefore, an important part of database management in these enterprises is to protect this data from external attacks and to fix software/hardware failures.
In most cases, hardware and software failures are handled through a data backup mechanism. Most databases come with built-in tools to automate the process, so it's relatively easy and error-free. But the trouble comes from the other side: preventing foreign hackers from stealing or destroying information in databases. Unfortunately, there are no automated tools to solve this problem. Also, it requires administrators to manually block hackers and secure the company's data.
A common reason for not securing a database is that it is "complicated" because it is "cumbersome". This is true, but if you use MySQL, you can use some handy features to significantly reduce your risk. The following features are listed below:
◆ delete wildcards from the authorization table
The MySQL access control system runs through a series 1 of so-called authorization tables that define user access rights at the database, table, or column level. These forms, however, allow the administrator to set 1 sublicense for 1 user, or 1 set of tables with wildcards applied. This is potentially dangerous because a hacker could use a restricted account to access other parts of the system. For this reason, be careful when setting user privileges, always ensuring that users only have access to what they need. Be especially careful when setting super privileges for individual users, because this level allows regular users to modify the basic configuration of the server and access the entire database.
Recommendation: apply the show privileges command to each user account to review the authorization table to see if the application wildcard permissions are appropriate.
◆ security password is required
The security of user accounts is closely related to the passwords used to protect them. Therefore, the first thing to do when installing MySQL is to set the password for the MySQL root account (which is empty by default). After fixing this bug, the next step is to require each user account to use one password, and not to use easily recognizable heuristic passwords such as birthday, username, or dictionary words.
Recommendation: use the MySQL-security-authorization option to avoid the old, less secure MySQL password format.
◆ check profile permissions
In general, to make server connections faster and easier, individual users and server administrators must store their user accounts and passwords in the single-user MySQL options file. However, this password is stored in plain text in a file and is easily accessible. Therefore, you must ensure that such a single-user profile is not viewed by other users in the system and stored in a non-public location. Ideally, you want the single user profile to be saved in the user's root directory under the license 0600.
Data transmission between the client and the server:
An important issue with MySQL(and other) client and server architectures is the security of data transfer over the network. If the interaction between the client and the server takes place in plain text, the hacker may "sniff out" the packets being sent, thereby obtaining confidential information. You can close this vulnerability by activating SSL in the MySQL configuration, or by applying a security application such as OpenSSH to create a secure encryption "channel" for the data being transmitted. Encrypting the client's connection to the server in this way makes it extremely difficult for unauthorized users to access the data going back and forth.
Remote access is prohibited
If the user does not need remote access to the server, you can force all MySQL connections to be made via the UNIX slot file, greatly reducing the risk of network attacks. This can be done by starting the server by skipping the network option. This prevents the TCP/IP network from connecting to MySQL, ensuring that no user can remotely connect to the system.
Suggestion: this can be enhanced by adding the bind address 127.0.0.1 directive to the MySQL server configuration, forcing MySQL to bind the local machine's IP address to ensure that only users in the same system can connect to MySQL.
◆ actively monitor the access records of MySQL
MySQL comes with a number of different log files that record customer connections, queries, and server errors. Among them, the most important is the query log, which USES the time label to record the connection and interruption time of each customer, and records each query executed by the customer. If you suspect unusual behavior, such as a cyber intrusion, it's a good idea to monitor the log to find out where the behavior came from.
Protecting your MySQL database is a daily job. Therefore, even if you have completed the above steps, you still need to spend more time to learn more security advice and actively monitor and update your system security
In most cases, hardware and software failures are handled through a data backup mechanism. Most databases come with built-in tools to automate the process, so it's relatively easy and error-free. But the trouble comes from the other side: preventing foreign hackers from stealing or destroying information in databases. Unfortunately, there are no automated tools to solve this problem. Also, it requires administrators to manually block hackers and secure the company's data.
A common reason for not securing a database is that it is "complicated" because it is "cumbersome". This is true, but if you use MySQL, you can use some handy features to significantly reduce your risk. The following features are listed below:
◆ delete wildcards from the authorization table
The MySQL access control system runs through a series 1 of so-called authorization tables that define user access rights at the database, table, or column level. These forms, however, allow the administrator to set 1 sublicense for 1 user, or 1 set of tables with wildcards applied. This is potentially dangerous because a hacker could use a restricted account to access other parts of the system. For this reason, be careful when setting user privileges, always ensuring that users only have access to what they need. Be especially careful when setting super privileges for individual users, because this level allows regular users to modify the basic configuration of the server and access the entire database.
Recommendation: apply the show privileges command to each user account to review the authorization table to see if the application wildcard permissions are appropriate.
◆ security password is required
The security of user accounts is closely related to the passwords used to protect them. Therefore, the first thing to do when installing MySQL is to set the password for the MySQL root account (which is empty by default). After fixing this bug, the next step is to require each user account to use one password, and not to use easily recognizable heuristic passwords such as birthday, username, or dictionary words.
Recommendation: use the MySQL-security-authorization option to avoid the old, less secure MySQL password format.
◆ check profile permissions
In general, to make server connections faster and easier, individual users and server administrators must store their user accounts and passwords in the single-user MySQL options file. However, this password is stored in plain text in a file and is easily accessible. Therefore, you must ensure that such a single-user profile is not viewed by other users in the system and stored in a non-public location. Ideally, you want the single user profile to be saved in the user's root directory under the license 0600.
Data transmission between the client and the server:
An important issue with MySQL(and other) client and server architectures is the security of data transfer over the network. If the interaction between the client and the server takes place in plain text, the hacker may "sniff out" the packets being sent, thereby obtaining confidential information. You can close this vulnerability by activating SSL in the MySQL configuration, or by applying a security application such as OpenSSH to create a secure encryption "channel" for the data being transmitted. Encrypting the client's connection to the server in this way makes it extremely difficult for unauthorized users to access the data going back and forth.
Remote access is prohibited
If the user does not need remote access to the server, you can force all MySQL connections to be made via the UNIX slot file, greatly reducing the risk of network attacks. This can be done by starting the server by skipping the network option. This prevents the TCP/IP network from connecting to MySQL, ensuring that no user can remotely connect to the system.
Suggestion: this can be enhanced by adding the bind address 127.0.0.1 directive to the MySQL server configuration, forcing MySQL to bind the local machine's IP address to ensure that only users in the same system can connect to MySQL.
◆ actively monitor the access records of MySQL
MySQL comes with a number of different log files that record customer connections, queries, and server errors. Among them, the most important is the query log, which USES the time label to record the connection and interruption time of each customer, and records each query executed by the customer. If you suspect unusual behavior, such as a cyber intrusion, it's a good idea to monitor the log to find out where the behavior came from.
Protecting your MySQL database is a daily job. Therefore, even if you have completed the above steps, you still need to spend more time to learn more security advice and actively monitor and update your system security