1. Strong passwords, there is no excuse: use online tools to generate passwords of 15 alphanumeric characters or more.
2. Rename the root account (UPDATE mysql.user SET user='NewName' WHERE user='root'; FLUSH PRIVILEGES;)
3. Apply the latest MySQL DB Server patches (see 12)
4. Restrict access to the program data folder and the log folders (slow query log, error log).
5. Make sure users can connect only from specific hosts/IPs or from the application servers.
6. DB users: grant privileges starting from the most restrictive set and add only what is needed, rather than granting full access and trimming it down later.
7. Use skip-networking in the configuration file if the server is only to be used locally.
8. Configure disaster recovery with Bin Log replication to remote site if server is critical, or replicate backups at the very least and load them to a standby server.
9. Require SSL connections if sensitive data is handled (set secure_auth ON).
10. Change the TCP port to a non-standard one (thus not 3306)
11. Set datadir in the configuration to a non-default location and restrict the access to, and ownership of, that directory.
12. Use versions released after the Oracle purchase AND after the known vulnerabilities, i.e. 5.6.26 and up: since (update) August 2015, new vulnerabilities were published for 5.6.24 and below (ouch).
13. Ensure root has not been granted remote access (check with SHOW GRANTS).
14. Ensure there are no empty passwords
15. Groom your user lists frequently and disable/drop unused accounts
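As an added example, not part of the original post, here are the checks for items 13 to 15 and the runtime settings behind items 7, 9, 10 and 11 written as queries against the mysql schema; it assumes a 5.6-series server, where the password hash lives in mysql.user.password (on 5.7 and later the column is authentication_string).

```sql
-- Audit queries for the checklist above (constructed example, MySQL 5.6 column names).

-- 13. root accounts reachable from anything other than the local host,
--     plus any account with a wildcard host.
SELECT user, host
FROM mysql.user
WHERE (user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1'))
   OR host = '%';

-- 13. Inspect what the remaining root accounts actually hold.
SHOW GRANTS FOR 'root'@'localhost';

-- 14. Accounts with an empty password (on 5.7+ compare authentication_string).
SELECT user, host
FROM mysql.user
WHERE password = '' OR password IS NULL;

-- 15. Anonymous accounts (empty user name) are the usual candidates to drop.
SELECT user, host
FROM mysql.user
WHERE user = '';
-- DROP USER ''@'localhost';   -- run one DROP USER per row returned above

-- 7, 9, 10, 11. Confirm the running server matches the hardened configuration:
-- skip_networking ON, secure_auth ON, a non-default port and a non-default datadir.
SHOW VARIABLES
WHERE Variable_name IN ('skip_networking', 'secure_auth', 'port', 'datadir', 'have_ssl');
```

The SELECT statements are read-only and safe to run on a live server; the commented-out DROP USER is the only statement that changes state.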
PS while on the subject, here's some awesome MySQL training http://youtu.be/TCt6IZCZTxc