Top Security Checklist for MySQL


Database security in general does not get as much attention from inexperienced penetration testers as it should. An application cannot be secure unless its database is configured and checked for security as well. So how do you harden MySQL, the database management system you may already be running? These are the seven steps you must take.

1. Use SSH Tunneling Instead of Remote Connection

By default, the MySQL service operates on port 3306. When you install MySQL you will notice that port 3306 accepts connections from anywhere, which leaves the MySQL port reachable from the public network. It is therefore advisable to configure the MySQL service to listen only on the local address.

Since servers usually run a Linux distribution, the examples below are based on Debian. The file used to close the default port to the outside world, so that remote access goes through an SSH tunnel instead of a direct connection, is /etc/mysql/my.cnf. In this file, find (or add) the [mysqld] section and add the following setting:

After making this change, save the file and restart the service with the following command:

MySQL will now listen only on the local address.

If you are using MariaDB, also check whether bind-address is defined in /etc/mysql/mariadb.conf.d/50-server.cnf.

Now that bind-address is set to localhost, run an Nmap scan and check the output:

The entry you see on localhost is the MySQL port. To confirm that it is this setting that restricts access, try changing the bind address once more:

Then save the /etc/mysql/my.cnf file and restart the MySQL service. If you run the Nmap scan again at this point, you should no longer see the MySQL port bound to localhost.

Once you have confirmed that this works, go back to the settings from the first step, set the bind address back to localhost, and save the file once more.

2. Set Up a Local File Access Barrier

MySQL can interact with the local file system: with queries you can read the contents of a text file on the local file system or write query results out to disk. To keep attackers from abusing this feature, you must stop MySQL from interacting with the local file system. The local-infile option is the control for this. For example, imagine a file named “/etc/secretfile.txt” that contains a password. If local-infile is set to 1 in your /etc/mysql/my.cnf file, access is open and secretfile.txt can be read through MySQL.

Here local-infile has the value 1. Restart the MySQL service for the change to take effect. Next, connect to MySQL with the following command and check whether the contents of secretfile.txt are visible:

Reading the contents of any file on the server is that easy. To fix this, change the local-infile value in your /etc/mysql/my.cnf file as follows:

Restart the MySQL service. When you reconnect to MySQL and repeat the previous step, you should no longer be able to view the contents of the file.
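The two option-file settings from steps 1 and 2 can be checked from a shell instead of by eye. The script below is an added example and is not code from the original post: it parses the [mysqld] section of a MySQL option file, reports whether bind-address is a loopback address and whether local_infile is explicitly disabled, and shows how a remote client then reaches the server through an SSH tunnel. The sample option file is constructed for the demo; dbadmin, appuser and db-host are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit a MySQL option file for the
# bind-address (step 1) and local_infile (step 2) settings discussed above.

# Print the last value of an option in the [mysqld] section of an option file.
# MySQL treats '-' and '_' in option names as equivalent, so both spellings match.
# A bare option name with no '=' is a boolean switched on, e.g. "local-infile".
mysqld_option() {
    awk -v want="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        !insec || /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/[ \t]+#.*$/, "", line)              # strip a trailing comment
            n = index(line, "=")
            if (n == 0) { key = line; val = "1" }
            else { key = substr(line, 1, n - 1); val = substr(line, n + 1) }
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/-/, "_", key)
            k = want; gsub(/-/, "_", k)
            if (key == k) found = val
        }
        END { print found }
    ' "$1"
}

# 0 if mysqld is bound to a loopback address; 1 otherwise (unset = every interface).
bind_address_is_local() {
    case "$(mysqld_option "$1" bind-address)" in
        127.0.0.1|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if LOAD DATA LOCAL INFILE is explicitly disabled; 1 if enabled or unset
# (the default depends on the MySQL version, so an unset value is not trusted).
local_infile_disabled() {
    case "$(mysqld_option "$1" local_infile)" in
        0|OFF|off|FALSE|false) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks and return 1 if either fails.
audit_mysql_cnf() {
    rc=0
    if bind_address_is_local "$1"; then
        echo "ok:   bind-address restricts mysqld to loopback"
    else
        echo "FAIL: bind-address is not a loopback address (set bind-address = 127.0.0.1)"; rc=1
    fi
    if local_infile_disabled "$1"; then
        echo "ok:   local_infile is disabled"
    else
        echo "FAIL: local_infile is not explicitly disabled (set local_infile = 0)"; rc=1
    fi
    return $rc
}

# Constructed sample option file in the exposed state the post warns about.
demo_cnf=$(mktemp)
cat > "$demo_cnf" <<'EOF'
[client]
port = 3306

[mysqld]
port         = 3306
bind-address = 0.0.0.0   # reachable from every interface
local-infile = 1
EOF
audit_mysql_cnf "$demo_cnf" || true
rm -f "$demo_cnf"

# With mysqld confined to loopback, a remote client goes through an SSH tunnel
# (dbadmin, db-host and appuser are placeholders):
#   ssh -L 3306:127.0.0.1:3306 dbadmin@db-host
#   mysql -h 127.0.0.1 -P 3306 -u appuser -p
```

The parser reads only the file it is given and does not follow `!includedir` lines, so on Debian pass it the file that actually holds the [mysqld] section (on MariaDB that is typically the 50-server.cnf mentioned above). The bind-address check treats an unset value as a failure on purpose: whether an unset value means "all interfaces" depends on the server version and the distribution's packaged defaults, and an explicit loopback value is the only state worth passing.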

Users who lack read and write permissions on local files will not be able to view this file in any case. You should still verify it through penetration testing and database security checks, though.

3. Set Application Users and Passwords

There needs to be a clear distinction between the MySQL user an application uses to access the database and the database administration user. In other words, connecting applications to MySQL as root is very risky. Where feasible, give each application that does not perform INSERT or UPDATE operations its own separate user.

User passwords are the next item to consider. As in practically every other area, passwords for MySQL users must be random and complex. There are excellent password generation tools available if you need help with this.

4. Delete Anonymous Users

By default, MySQL installs with some anonymous users. These must be removed and access restricted. On a secure MySQL server the following query should return an empty result.

If any rows are returned, those anonymous users should be removed. To delete an anonymous account called “anonuser” on the host “localhost,” for instance, you would run a command similar to this one:
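Steps 3 and 4 are easier to apply consistently from a script. The snippet below is an added example, not code from the original post: one function turns the output of a query against mysql.user into the DROP USER statements for every anonymous account (anonymous accounts have an empty User column), and another emits a least-privilege CREATE USER/GRANT pair for an application account and refuses administrative privileges. The sample query output, the names reporting_app and shopdb, and the host 10.0.0.5 are constructed; the password is left as a labelled placeholder to be filled from a generator.

```shell
#!/bin/sh
# Added example (not from the original post) for steps 3 and 4: drop anonymous
# accounts and create least-privilege application accounts.

# Stdin: tab-separated "User<TAB>Host" lines, as produced by
#   mysql -B -N -e "SELECT User, Host FROM mysql.user"
# Stdout: one DROP USER statement per anonymous account (empty User column).
anonymous_user_drops() {
    awk -F '\t' -v q="'" '
        $1 == "" && NF >= 2 { printf "DROP USER %s%s@%s%s%s;\n", q, q, q, $2, q }
    '
}

# Emit the SQL for an application account limited to one schema.
# $1 = user name, $2 = schema, $3 = host the application connects from,
# $4 = comma-separated privilege list (default: SELECT only).
# Administrative privileges are refused so the account cannot become a second root.
app_user_sql() {
    user=$1; schema=$2; host=$3
    privs=$(printf '%s' "${4:-SELECT}" | tr '[:lower:]' '[:upper:]')
    case "$privs" in
        *ALL*|*GRANT*|*SUPER*|*FILE*|*DROP*|*PROCESS*|*SHUTDOWN*)
            echo "app_user_sql: refusing administrative privilege in '$privs'" >&2
            return 1 ;;
    esac
    # <generated-password> is a placeholder: substitute a value from a password generator.
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '<generated-password>';\n" "$user" "$host"
    printf "GRANT %s ON \`%s\`.* TO '%s'@'%s';\n" "$privs" "$schema" "$user" "$host"
}

# Constructed sample output of the mysql.user query, with two anonymous accounts.
sample_users=$(printf 'root\tlocalhost\n\tlocalhost\n\tdb01\nreporting_app\t10.0.0.5\n')
printf '%s\n' "$sample_users" | anonymous_user_drops
#   DROP USER ''@'localhost';
#   DROP USER ''@'db01';

app_user_sql reporting_app shopdb 10.0.0.5
#   CREATE USER 'reporting_app'@'10.0.0.5' IDENTIFIED BY '<generated-password>';
#   GRANT SELECT ON `shopdb`.* TO 'reporting_app'@'10.0.0.5';
```

On a live server the first function is fed directly from the client, for example `mysql -B -N -e "SELECT User, Host FROM mysql.user" | anonymous_user_drops`, and the generated statements are reviewed before being run. The privilege deny-list is a guard rail, not a complete policy: an account that only reads should get SELECT and nothing else, exactly as the post recommends.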

5. Check MySQL Local File Permissions

Suppose you administer a database and need to recover data from a week ago. You may have to SSH into the database server and change MySQL’s files directly. In doing so you may have used Linux’s root user, which can alter the ownership and permissions of the data files. That is not what you want.

To verify the permissions, look in the /var/lib/mysql directory and check that the MySQL user owns every file there. This command will do it:

Read and write rights on these files should be restricted to the MySQL user alone; no other user should have any permissions on them.
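The ownership and permission check above can be automated so it is repeatable after every manual intervention. The script below is an added example, not code from the original post: it lists every path under a data directory that is not owned by the expected user, that is group-writable, or that grants other users any access, and prints the commands that would restore the expected state. The demo builds a throwaway directory with a temporary file; on a real server it is pointed at /var/lib/mysql and run as root, since that directory is not traversable by other users.

```shell
#!/bin/sh
# Added example (not from the original post): audit a MySQL data directory for
# ownership and permission drift after manual maintenance.

# $1 = data directory, $2 = expected owner (default: mysql).
# Prints offending paths and returns 1 if any were found, 0 otherwise.
datadir_permission_problems() {
    dir=$1; owner=${2:-mysql}
    problems=$(find "$dir" \( ! -user "$owner" \
                            -o -perm -g=w \
                            -o -perm -o=r -o -perm -o=w -o -perm -o=x \) -print)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Print, without running, the commands that bring the directory back in line.
datadir_fix_commands() {
    dir=$1; owner=${2:-mysql}
    echo "chown -R $owner:$owner $dir"
    echo "chmod -R o-rwx,g-w $dir"
}

# Demo on a constructed directory: one file left world-readable after a "restore".
demo_dir=$(mktemp -d)
touch "$demo_dir/ibdata1" "$demo_dir/restored.ibd"
chmod 600 "$demo_dir/ibdata1"
chmod 644 "$demo_dir/restored.ibd"
if ! datadir_permission_problems "$demo_dir" "$(id -un)"; then
    echo "fix with:"
    datadir_fix_commands "$demo_dir" "$(id -un)"
fi
rm -rf "$demo_dir"
```

The demo passes the current user as the expected owner because only root can assign files to the mysql user; in production call `datadir_permission_problems /var/lib/mysql mysql`. Group access is a policy choice: distribution packages often create data files readable by the mysql group, so the check flags group write but not group read; to enforce the post's stricter "MySQL user alone" rule, add `-o -perm -g=r -o -perm -g=x` to the find expression.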

6. Use MySQL SSL

The best way to understand why MySQL should use SSL is to consider a specific case. Suppose hostile hackers gain control of one of the many servers in the ABC region. They then scan the ABC region from the inside and gather information about its servers.

If they find a MySQL server during this process, they can launch a Man-in-the-Middle (MitM) attack against it and capture the session data of the users and applications connecting to that server. Enabling SSL on the MySQL server is one of the best ways to prevent this.
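Turning SSL on is two separate decisions: the server must refuse plaintext sessions, and the client must verify the server's certificate, because an encrypted session to an impostor is still a MitM. The block below is an added example and not code from the original post: it records the [mysqld] settings, the per-account REQUIRE clause and the verifying client invocation as comments, and provides a check over the client's session status that only passes for a negotiated TLS 1.2 or 1.3 cipher. The certificate paths, db-host and appuser are placeholders and the sample status output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): enforce and verify TLS on MySQL.

# [mysqld] option-file settings (restart the service afterwards):
#   ssl-ca   = /etc/mysql/ssl/ca.pem            # placeholder paths
#   ssl-cert = /etc/mysql/ssl/server-cert.pem
#   ssl-key  = /etc/mysql/ssl/server-key.pem
#   require_secure_transport = ON               # reject plaintext sessions (MySQL 5.7.8+)
#
# Per-account enforcement, which still holds if the global switch is turned off later:
#   ALTER USER 'appuser'@'10.0.0.%' REQUIRE SSL;
#
# Client side: VERIFY_IDENTITY checks the certificate chain and the host name,
# which is what actually stops a MitM; --ssl-mode=REQUIRED alone only encrypts.
#   mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=/etc/mysql/ssl/ca.pem -h db-host -u appuser -p

# Stdin: output of
#   mysql -B -N -e "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher','Ssl_version')"
# Returns 0 only when a cipher was negotiated and the protocol is TLS 1.2 or 1.3.
session_tls_ok() {
    awk -F '\t' '
        $1 == "Ssl_cipher"  { cipher = $2 }
        $1 == "Ssl_version" { version = $2 }
        END {
            ok = (cipher != "" && (version == "TLSv1.2" || version == "TLSv1.3"))
            exit !ok
        }
    '
}

# Constructed sample outputs: an encrypted session and a plaintext one.
if printf 'Ssl_cipher\tTLS_AES_256_GCM_SHA384\nSsl_version\tTLSv1.3\n' | session_tls_ok; then
    echo "encrypted session: ok"
fi
if ! printf 'Ssl_cipher\t\nSsl_version\t\n' | session_tls_ok; then
    echo "plaintext session: FAIL (set require_secure_transport or REQUIRE SSL)"
fi
```

Run the status query from the application host, not from the server itself, so the check exercises the same network path the application uses. The MariaDB client does not accept `--ssl-mode`; its equivalent of certificate verification is `--ssl-verify-server-cert` together with `--ssl-ca`.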

7. Log and History Files

MySQL logs are used for analysis and error detection. You can change where these logs are written by adding the following to my.cnf:

You can change the location or name of the mylogfiles as you wish. One more file remains to be reviewed. The queries you type when connected to the MySQL server from a Linux terminal are stored in the mysql_history file. You can view the queries you have run in the MySQL terminal with the following command:

If you do not want to reveal what kind of queries you send to the server, clear the contents of this file. To do so, use the following command:
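The history file is worth inspecting before it is cleared, because beyond revealing query patterns it can hold literal credentials from CREATE USER or ALTER USER statements. The script below is an added example, not code from the original post: it reports history lines that carry credentials or account changes, counts them, and then empties the file in place and tightens its mode. The sample history is constructed; the real file is ~/.mysql_history.

```shell
#!/bin/sh
# Added example (not from the original post): find credential-bearing lines in
# a mysql client history file, then scrub it.

# Print history lines that contain credentials or account changes.
# Recent mysql clients already skip statements matching MYSQL_HISTIGNORE (default
# "*IDENTIFIED*:*PASSWORD*"), but older clients and copied files offer no such guarantee.
sensitive_history_lines() {
    grep -i -E 'IDENTIFIED (BY|WITH)|PASSWORD|CREATE USER|ALTER USER|GRANT ' "$1" || true
}

# Number of such lines, so a caller can decide whether a scrub is overdue.
sensitive_history_count() {
    sensitive_history_lines "$1" | awk 'END { print NR }'
}

# Empty the history in place (keeps the inode and any hard link) and lock it down.
scrub_history() {
    : > "$1"
    chmod 600 "$1"
}

# Constructed sample history with two credential-bearing statements.
demo_hist=$(mktemp)
cat > "$demo_hist" <<'EOF'
SELECT COUNT(*) FROM orders;
CREATE USER 'reporting_app'@'10.0.0.5' IDENTIFIED BY 'example-pass-1';
SHOW DATABASES;
ALTER USER 'root'@'localhost' IDENTIFIED BY 'example-pass-2';
EOF
echo "sensitive lines: $(sensitive_history_count "$demo_hist")"
sensitive_history_lines "$demo_hist"
scrub_history "$demo_hist"
echo "lines after scrub: $(sensitive_history_count "$demo_hist")"
rm -f "$demo_hist"

# To stop recording altogether, point the client at /dev/null before starting it:
#   export MYSQL_HISTFILE=/dev/null
```

Clearing the file removes only what the client wrote locally; the server's general log, if enabled, holds the same statements and is governed by the my.cnf settings above, so review both. Setting MYSQL_HISTFILE to /dev/null is the durable fix for administrators who regularly type account management statements.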
