WebCitz Blog

Best Tips for MySQL and MariaDB Security

Best Tips for MySQL & MariaDB Security

Security is a big concern for many people. This post will give you ten tips on how to achieve MySQL and MariaDB security in order to make your databases safe from hackers. These tips include backing up data, using strong passwords, and limiting access privileges, among other suggestions.

Here are the best tips for achieving MySQL and MariaDB security in a web hosting service:


Suggestions for Securing MySQL / MariaDB

1.) Remove users without a password

If you have users in your database without passwords, it is best to remove them. This will help reduce the chances of someone being able to hack into your database.

Regardless of whether or not the users only have access from the localhost, they should be deleted to stop any malicious commands from being run. Also, weak passwords are a security risk in themselves.

You should always use strong passwords when creating users in your databases. Weak passwords are easier to crack by hackers, which could lead to them getting access to your database and wreaking havoc on it if they manage this. Using a secure password generator will help create stronger passwords for you that are more difficult to crack.

You should also consider using two-factor authentication for your users. This will require an extra code, usually sent to their phone, in order to log into the database. This makes it much more difficult for someone to gain access if they only have your username and password.

2.) Limit remote access

If you don’t need to give remote access to your database, then it is best to limit it. This will help reduce the chances of someone being able to hack into your database from a remote location.

Luckily, the latest versions of MySQL and MariaDB automatically limit remote access to the database unless specified otherwise. However, you should still check your security settings to ensure that is the case.

It’s also a good idea to ensure all users connect to MySQL by only the exact hosts you desire.

3.) Remove the test database

When you install MySQL or MariaDB, a test database is automatically created. This database contains data that can be used to hack into your real databases if it falls into the wrong hands. It’s best to remove this database so that it can’t be used for nefarious purposes.

This test database also creates unnecessary storage on the database server. It is only used by database testers to test out queries, so it can be removed without affecting the functionality of your databases.

4.) Obfuscate access to MySQL

If you don’t want people to know that your database exists, then you can obfuscate its access. This will make it harder for someone to find your database and hack into it.

Obfuscating the access also makes it more difficult for anyone who is monitoring your traffic to determine which ports are being used by MySQL or MariaDB.

It is well-known that MySQL runs on port 3306, while ‘root’ is the name of the superuser. You can modify the port number by editing the my.cnf configuration file and changing the ‘port’ variable.

5.) Secure your configuration files

As with any application, it is important to secure your configuration files for MySQL or MariaDB. These files contain sensitive information, such as passwords and user data. Securing these files will help prevent anyone from gaining access to this information if they gain access to your servers.

6.) Apply network security

It is also important to secure your network, as well as the servers themselves. This will help reduce the chances of someone hacking into your database from a remote location and running nefarious commands on it.

The first thing you should ensure is that MySQL is only accessed through a local connection, not the network. You can do this via a Unix socket. Input ‘skip-networking’ into my.cnf to stop all TCP/IP communication.

You can also use your firewall to block access to MySQL from certain IP addresses or ranges. This will help reduce the chances of someone hacking into your database from a remote location. If you don’t have a hardware firewall, you can use something like ConfigServer CSF.

7.) Use audit plugins

You can also use audit plugins to keep track of what is happening in your database. These will help you determine if someone has modified or accessed your database, or if something suspicious is going on with it that could suggest this.

There are plenty of free and paid options for these auditing tools available online today. MySQL Enterprise Audit is a good option if MySQL Enterprise is already being used in your organization. MariaDB also has their own audit plugin.

These plugins all do a great job at monitoring your database for suspicious activity. They can even send you alerts if anything unusual is detected so that you don’t have to check the logs manually every time.

8.) Disable LOAD DATA LOCAL INFILE

Another way to prevent someone from gaining access to your database is by disabling the LOCAL capability in MySQL or MariaDB. This command allows you to load data files from a local file, but it also poses a security risk – especially if they are not encrypted. To disable this function, set local-infile=0 in the my.cnf configuration file.

9.) Set file privileges

It is also important to set the correct file privileges for your MySQL or MariaDB files. This will ensure that only authorized users can access them. You can do this by setting the appropriate permissions and ownerships on these files.

For example, you could set the owner of all your MySQL files to be ‘mysql’ and the group to be ‘mysql’, with all other users being denied access. This will ensure that only users with the correct access levels will be able to access your MySQL files.

10.) Add SSL, and encrypt data in transit

If you are running MySQL or MariaDB with SSL enabled, then it is important to have the necessary certificates installed on your server. If this isn’t done, anyone can intercept information being sent between your database and its clients.

You should encrypt data in transit for added protection of any sensitive data being transmitted through public networks.

You can also encrypt the data that is being transmitted between your database server and other devices. This will ensure that anyone monitoring traffic on your network cannot access any of the data that they are transmitting or receiving, even if they have managed to hack into one of these systems.

SSL would be a great way to achieve this for MySQL users, as it is already built into the protocol. MariaDB users can use stunnel to achieve a similar effect.

11.) Encrypt data at rest

Lastly, you should also consider encrypting your data at rest. This means that the data is encrypted even when it is not being transmitted.

This can be done by using a tool such as MySQL Enterprise Encryption or MariaDB Column Encryption.

Both of these tools offer a great way to protect your data from being accessed if someone manages to hack into your database server. They are also very easy to use, so you don’t have to be an expert in encryption to take advantage of these tools.


Final Thoughts on Securing MySQL / MariaDB

All of the options mentioned here will help you to achieve MySQL and MariaDB security, but they are not all perfect for every situation. You should consider your specific needs when looking at them so that you can choose the best one possible. However, these tips should give you a good idea about how to go about choosing an option that will work well for you.

Hopefully, this article has given you some good ideas about how to achieve MySQL and MariaDB security in your organization to minimize your exposure to security vulnerabilities.

Disclaimer: WebCitz, LLC does not warrant or make any representations concerning the accuracy, likely results, or reliability of the information found on this page or on any web sites linked to from this page. This blog article was written by Timothy A in his or her personal capacity. The opinion(s) expressed in this article are the author's own and may not reflect the opinion(s) of WebCitz, LLC.