The Database Hacker's Handbook: Defending Database Servers

MySQL Security Checklist

Here's a quick reference checklist for the points that we discuss in this chapter.

Read the MySQL security guidelines at http://dev.mysql.com/doc/mysql/en/Security.html.
Visit http://www.mysql.com/products/mysql/ often, and check for updates.
Know your bugs! Check vulnerability databases such as SecurityFocus and ICAT regularly for MySQL bugs, and (if you can stand the noise levels) subscribe to security mailing lists such as VulnWatch, BugTraq, and the MySQL mailing lists.

Deploy IPTables (Linux), an IPSec filtering ruleset (Windows), or some other host-based firewall software on your MySQL servers.
Use a low-privileged mysql account to run the MySQL daemon. This is the default on some platforms, but not others.
Run mysqld with the --chroot option.
Ensure that the MySQL user cannot access files outside of a limited set of directories. Specifically, the MySQL user should be prohibited from reading operating system configuration files. In some cases you might want to prevent the MySQL user from being able to modify the MySQL configuration files.
Ensure that MySQL data files (normally residing beneath the MySQL data directory) cannot be read by users other than the root or Administrator account, and the account that MySQL is running under.
Plaintext credentials. Ensure that no user other than the MySQL user can read any MySQL configuration and log files. The files my.cnf, my.ini, and master.info commonly have plaintext usernames ...

Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.