I’m sure you’ve seen the alert on (dev.)mysql.com or elsewhere: there’s a bot/worm on the loose that targets unsecured MySQL servers on Windows platforms.
See also http://forums.mysql.com/read.php?3,13227,13227 for more details.
Regardless of whether you can be affected by this particular worm, it is a good opportunity to check out your own setup… is it properly secured? Here are a few hints:
- Firewall… are you allowing external access to port 3306? Do you need outside access into your MySQL Server? If not, block this port.
- If you do not need networked MySQL access from other machines (LAN or Internet), add the option “skip-networking” to your MySQL configuration (generally /etc/my.cnf, the [mysqld] section).
- On Unix systems (including Linux and Mac OS X), run the mysql_secure_installation script. Use “locate” to find it on your system. It will guide you through a few simple steps that make the default user setup secure (remove remote root, set a local root password, remove the anonymous user that can only access the test db).
- If you do it by hand instead, don’t allow remote root access:
DELETE FROM mysql.user WHERE user='root' AND host='%';
FLUSH PRIVILEGES;
See “Connecting the MySQL GUI Tools to a Remote Server through a Firewall” by Mike Hillyer if you need to have remote access, safely.
- You could rename your MySQL root user to something else. Yes, this is obscurity, but it doesn’t hurt: a malicious user has no way of figuring out what the name might be.
- When choosing a password, make it long enough, use numeric and special symbols as well as alpha characters, and pick something non-obvious. Attacks using a word dictionary are so easy!
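To put the checklist above into something you can run, here is an added example (not part of the original post, and not a MySQL tool) that audits the two places the hints point at: the [mysqld] section of my.cnf for skip-networking or a loopback bind-address, and the mysql.user account list for remote root, anonymous users and empty passwords. Both inputs are constructed samples embedded in the script; on a real server you would feed it your own my.cnf and the output of a query against mysql.user (the column name differs between old and new versions, so the hash column is treated as an opaque string). The DELETE statements it emits are the same ones shown above, and the configparser-based my.cnf reading is a simplification that ignores !include directives.

```python
"""Offline audit of the MySQL hardening points from the post (added example).

Inputs are constructed samples: MY_CNF imitates a my.cnf and USER_ROWS
imitates (user, host, password_hash) tuples from
SELECT user, host, ... FROM mysql.user.
"""
import configparser

# Constructed sample configuration. A hardened server would carry
# skip-networking (or bind-address=127.0.0.1) under [mysqld]; this one doesn't.
MY_CNF = """
[mysqld]
datadir=/var/lib/mysql
port=3306
"""

# Constructed sample rows from mysql.user (hash values are placeholders).
USER_ROWS = [
    ("root", "localhost", "*HASH_OF_STRONG_PASSWORD"),
    ("root", "%", "*HASH_OF_STRONG_PASSWORD"),   # remote root: what the worm goes after
    ("", "localhost", ""),                        # anonymous user from a default install
    ("app", "10.0.0.%", ""),                      # application account with no password
]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def networking_enabled(cnf_text):
    """True if [mysqld] has neither skip-networking nor a loopback bind-address.

    Simplified my.cnf reader: configparser handles key=value and bare
    option names, but not !include/!includedir directives.
    """
    parser = configparser.ConfigParser(allow_no_value=True, strict=False)
    parser.read_string(cnf_text)
    if not parser.has_section("mysqld"):
        return True                     # server defaults: listen on 3306
    section = parser["mysqld"]
    if "skip-networking" in section or "skip_networking" in section:
        return False
    bind = section.get("bind-address") or section.get("bind_address")
    return bind not in LOCAL_HOSTS      # None means all interfaces


def audit_accounts(rows):
    """Return (finding, user, host, fix) tuples for the account checks in the post."""
    findings = []
    for user, host, pw_hash in rows:
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(("remote root", user, host,
                             f"DELETE FROM mysql.user WHERE user='root' AND host='{host}';"))
        if user == "":
            findings.append(("anonymous user", user, host,
                             f"DELETE FROM mysql.user WHERE user='' AND host='{host}';"))
        if pw_hash == "":
            findings.append(("empty password", user, host,
                             "-- set a long, non-dictionary password for this account"))
    return findings


if __name__ == "__main__":
    if networking_enabled(MY_CNF):
        print("[!] networking enabled: firewall port 3306 or add skip-networking")
    for finding, user, host, fix in audit_accounts(USER_ROWS):
        print(f"[!] {finding}: '{user}'@'{host}'  ->  {fix}")
    print("-- run FLUSH PRIVILEGES; after applying any DELETE above")
```

Run it as-is to see the findings for the constructed sample; the fix column is what you would paste into the mysql client, followed by FLUSH PRIVILEGES.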
MySQL from its end will of course also seek to make future versions even more secure by default. Up to a point, it’s a tradeoff with ease of first use. If you have any feedback or suggestions on this topic, please don’t hesitate to write to me! Either comment here, or email to my first name at mysql dot com.
Thanks!