
MySQL and Security

I’m sure you’ve seen the alert on (dev.)mysql.com or elsewhere: there’s a bot/worm on the loose that targets unsecured MySQL servers on Windows platforms.
See also http://forums.mysql.com/read.php?3,13227,13227 for more details.

Regardless of whether you can be affected by this particular worm, it is a good opportunity to check out your own setup… is it properly secured? Here are a few hints:

  • Firewall… are you allowing external access to port 3306? Do you need outside access into your MySQL Server? If not, block this port.
  • If you do not need networked MySQL access from other machines (LAN or Internet), add the option “skip-networking” to your MySQL configuration (generally /etc/my.cnf, the [mysqld] section).
  • On Unix systems (including Linux and Mac OS X), run the mysql_secure_installation script. Use “locate” to find it on your system. It will guide you through a few simple steps that make the default user setup secure (remove remote root, set a local root password, remove the anonymous user that can only access the test db).
  • From the manual angle, don’t allow remote root access:
    DELETE FROM mysql.user WHERE user='root' AND host='%';
    FLUSH PRIVILEGES;
    If you do need remote access, see Connecting the MySQL GUI Tools to a Remote Server through a Firewall by Mike Hillyer on how to set it up safely.

  • You could rename your MySQL root user to something else. Yes, this is security by obscurity, but it doesn’t hurt: a malicious user has no way of figuring out what the name might be.
  • When choosing a password, make it long enough, use numeric and special symbols as well as alphabetic characters, and pick something non-obvious. Attacks using a word dictionary are so easy!
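As an added example (not from the original post), here is what the checks behind those hints look like as SQL against the grant tables. It assumes the MySQL 4.x/5.0 column names of the time (user, host, password); on 5.7 and later the password column is authentication_string.

```sql
-- Audit the grant tables for the weak defaults described above.
-- Column names assume MySQL 4.x/5.0; adjust for your version.

-- 1. Accounts reachable from hosts other than the local machine
SELECT user, host FROM mysql.user
 WHERE host NOT IN ('localhost', '127.0.0.1', '::1');

-- 2. Anonymous accounts (empty user name)
SELECT user, host FROM mysql.user WHERE user = '';

-- 3. Accounts with an empty password
SELECT user, host FROM mysql.user WHERE password = '';

-- Remediation, mirroring what mysql_secure_installation does:
-- remove root from any non-local host (covers '%' and named hosts)
DELETE FROM mysql.user
 WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- remove the anonymous users
DELETE FROM mysql.user WHERE user = '';

-- drop the test database and the grants that point at it
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE db = 'test' OR db = 'test\_%';

-- set the local root password (placeholder value, choose a long random one)
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE-ME-to-a-long-random-password');

FLUSH PRIVILEGES;
```

Run the three SELECTs again afterwards; each should return an empty set, except that the first may still list any remote accounts you deliberately keep.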

MySQL from its end will of course also seek to make future versions even more secure by default. Up to a point, it’s a tradeoff with ease of first use. If you have any feedback or suggestions on this topic, please don’t hesitate to write to me! Either comment here, or email to my first name at mysql dot com.
Thanks!
