This blog post does not intend to cover "all" security concerns, but the steps it describes are a very common part of securing a MySQL server.
The article (1) provides general steps for the following topics to secure a MySQL database:
- Database Hardening using mysql_secure_installation
- Secure Channel with ssl certificate(s) between mysqld and mysql
There are many more topics (Audit Plugin, MySQL 5.6 Enterprise Encryption, Password Encryption, Password Policy, etc.) which are not covered in this blog!
Database Hardening using "mysql_secure_installation"
By default, when a MySQL database is installed (for example using "mysql_install_db" without --random-passwords), the "root" account has no password. There are a couple of steps with which we can improve the security of the installed database.
1. Remove external access to the root account
2. Limit the LOAD_FILE() function and the LOAD DATA and SELECT ... INTO OUTFILE statements to work only in the directory named by @@secure_file_priv
3. Install and enable SSL channel for
4. Remove the 'test' database, which is installed by default
The following script provides a brief validation of a MySQL database.
Running 'mysql_secure_installation':
- You can set a password for root accounts.
- You can remove root accounts that are accessible from outside the local host.
- You can remove anonymous-user accounts.
- You can remove the test database (which by default can be accessed by all users, even anonymous users), and privileges that permit anyone to access databases with names that start with test_.
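The queries below are an added example, not the article's own validation script: they read the grant tables and server variables to check the state each of the steps above is meant to leave behind. Run them as a privileged user (for example `mysql -u root -p < check.sql`); the first four are expected to return no rows. They assume the MySQL 5.7+ `authentication_string` column; MySQL 5.6 uses `Password` instead.

```sql
-- Added example (not the article's script): validate the hardening state
-- that mysql_secure_installation is meant to produce.

-- 1. root accounts reachable from outside the local host (expect no rows).
SELECT user, host
  FROM mysql.user
 WHERE user = 'root'
   AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 2. Anonymous-user accounts (expect no rows).
SELECT user, host
  FROM mysql.user
 WHERE user = '';

-- 3. Accounts with an empty credential (expect no rows).
--    Assumes MySQL 5.7+; on 5.6 replace authentication_string with Password.
SELECT user, host
  FROM mysql.user
 WHERE authentication_string = '';

-- 4. The default test database and the grants on test / test_% that let
--    anyone (even anonymous users) use them (expect no rows from either).
SELECT schema_name
  FROM information_schema.schemata
 WHERE schema_name = 'test' OR schema_name LIKE 'test\_%';

SELECT host, db, user
  FROM mysql.db
 WHERE db LIKE 'test%';

-- 5. secure_file_priv: an empty value lets LOAD_FILE(), LOAD DATA and
--    SELECT ... INTO OUTFILE read or write anywhere the server process can;
--    a directory restricts them to that directory; NULL disables them.
SELECT @@global.secure_file_priv AS secure_file_priv;

-- 6. SSL support and the certificate files mysqld was started with
--    (have_ssl should be YES and ssl_ca / ssl_cert / ssl_key should be set).
SHOW VARIABLES LIKE 'have_ssl';
SHOW VARIABLES LIKE 'ssl_%';
```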
Install SSL certificates to enable SSL channel with mysqld
The following script provides the general steps to create the SSL certificates for the CA, the server and the client.