Database are a vital part of an application – so, understanding its peculiarities and mapping possible risks is fundamental in order to maintain the security of stored information. MySQL is currently one of the databases most commonly used in the development market and, thanks to its popularity, is a constant target of attacks and intrusions. We separated, then, some good security practices within that database. They are settings that are often neglected or have no importance recognized and guaranteed.
The first item of evaluation to be considered refers to the database installation and the operating system used on the server. It is recommended that MySQL is always installed on UNIX systems, due to the factors safety and performance. That way you can have greater control and performance with the database. There is another important item related to the installation. By using the mysql client, it saves the commands executed by the user in a file “.mysql_history” similar to “.history” from Linux. Depending on your MySQL version, even the user creation commands are written to this file, so getting the home user access credentials can then find credentials to access the database and other commands executed by that user . To resolve this problem it is necessary to point out then that file to “/ dev / null”.
Another important item to be analyzed refers to user credentials. By default, MySQL creates the user “root” with a standard password for the first access. This user needs to be removed after the first login. Therefore, new users must be created using password creation policies better defined and customized. Besides this, other rules should be adopted to control users in MySQL:
- • Creating an account for each application in the database, preventing an application to have the same access permissions than another one;
- • Limit the maximum accesses: talk to the developers and see what are the necessary privileges, and remember to assign these privileges to the correct database;
- • Never use “grant all privileges on *. * to” – only use this clause to create new administrators. Application users should not have additional access because, if the application is invaded, the attacker will have the least possible number of accesses;
- • Avoid assigning DROP privileges, because if application is exploited, the attacker will have more difficulty to clear tables or cause other damages;
- • Never keep users without password in the database;
- • Avoid creating users with access permission starting from any HOST. Use in the clauses always the relationship “user@host”.
The practices presented are the most basic ones in MySQL, they help ensure the safety of access to the database. But other preventive measures can and should be adopted, for example:
• Applying the user password expiration feature, thus forcing the exchange to each period;
• Keeping the database on a network other than the system;
• Use SSL in MySQL;
• Change the default port for database access;
• Always leave the logs option enabled and functional, in order to identify errors or malicious actions.
Ensuring the security of a database is critical. Understanding and applying improvements with that focus is not superfluous, but prerequisite for project delivery with quality.