Best Practices to Secure Your MySQL Databases

by Oct 28, 2019

MySQL is one of the most popular database platforms in the world. It is widely used to power eCommerce sites and web applications that are essential components of many companies’ business strategies. MySQL databases are often the repository for sensitive customer data gathered while conducting business as well as information regarding internal processes and personnel.

An organization’s databases are responsible for storing and manipulating the information required to keep it operating and competing effectively in their market. They are critically important to a company’s success and need to be guarded and kept secure. The database team comprises an enterprise’s first line of defense and is responsible for implementing security policies and standards that minimize the chances for the systems to be accessed by unauthorized users or exposed to malicious malware.

One of the challenges facing DBAs is the proliferation of multiple-platform environments that they are expected to successfully manage. While some security measures are transferable between competing databases, there are variations that can make securing their systems challenging when bouncing from platform to platform. Let’s take a look at some of the steps a MySQL DBA should be taking to ensure the security of their databases.

Hardening the Database

Hardening a computer system is a means of protecting it from risks and threats with a multi-layered approach. Each layer, such as the host, application, user, and physical requires different methods to ensure security. Here are some specific steps to take that will harden your MySQL server. When modifying the my.cnf file, you will need to restart MySQL for the changes to be implemented.

Encrypting connections – MySQL network connections are not encrypted by default. This needlessly exposes your data and should be addressed by enforcing network connection encryption.

Setting a connection error limit – Multiple unsuccessful authentications may indicate an attack by unauthorized users. Allowing for a reasonable number of incorrect attempts can be done with the max_connect_errors parameter in the my.cnf file.

Disable the SHOW DATABASES command – This command can be used by attackers to identify the available databases in preparation for an attack. You can disable the command by inserting the skip-show-database line to the mysqld section of the configuration file.

Run the MySQL hardening script – Running the hardening script included with MySQL will lead you through a series of questions that help you set the level of hardening for your system. Execute the script with the mysql_secure_installation command.

Additional Security Measures

While the steps outlined above to harden your MySQL systems are an important start, there are many other ways to strengthen the security of your databases. Here are some of them.

Change the default port and account – By default, MySQL runs on port 3306 using the superuser “root” account. The default port should be changed in the configuration file to make your database less susceptible to random cyberattacks. The recommended method of dealing with the root account is to create a new superuser account and to eliminate all root@ accounts.

Tightly control database access – Fewer is better when it comes to users permitted to access a database. Permissions should be managed using groups or roles and the minimum privileges required to do a job should be granted to any individual.

Auditing and monitoring database activity – This is an essential task that can alert you to a number of security violations or flaws. Monitoring can help identify compromised accounts or those conducting suspicious activities. Periodically auditing your systems will show if accounts have been created outside of the normal workflow, perhaps by a hacker.

Maintaining Secure MySQL Instances

SQL Diagnostic Manager for MySQL offers a platform from which you can monitor and audit your database instances to ensure they remain secure. It provides over 600 pre-built monitors with the ability to give you real-time insight into your system’s performance. Monitored data can be displayed in customizable dashboards making it easy to identify and address problems promptly.

Managing user access and finding problematic trends can be accomplished by focusing the information available through the tool’s audit log. It lets you quickly see failed logins and events as well as changes made to the database. The data gained from studying these logs can help you discover potential security flaws and better protect your systems and the critical data they contain. It’s a powerful tool that should be part of all MySQL DBAs software repertoire.