- Disable all anonymous logins
mysql> select user,host,password from mysql.user;
every account listed should have a non-empty hashed password
– Remove all anonymous passwords or create a password for every account or r
mysql> revoke all on *.* from user@localhost;
- Restrict remote login
– Disable all remote @% user accounts
– Bind only to localhost: edit my.cnf -> bind-address = 127.0.0.1
– or edit my.cnf -> skip-networking
- Don't run mysqld as root; run it under another uid/gid, for example: mysql
- Disable loading local files
edit my.cnf and add local-infile=0
- Use an ssh tunnel for database queries and administration
- Enable logging in my.cnf:
[mysqld]
log=/var/log/mysql-logfile
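The my.cnf items above (bind-address / skip-networking, local-infile, the port, the non-root service user and the query log) can be checked mechanically. The following POSIX shell audit is an added example and not part of the original post: it reads only the [mysqld] section, the config and log paths are placeholders, and the OK/WARN wording is my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a my.cnf against the
# hardening items listed above. Only the [mysqld] section is read; the
# config and log paths are placeholders.

# cnf_get FILE KEY
# Prints the value of KEY from the [mysqld] section of FILE. A bare key such
# as "skip-networking" prints "on"; an absent key prints nothing.
cnf_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        !in_mysqld || /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/[[:space:]]+[#;].*$/, "", line)   # strip a trailing comment
            eq = index(line, "=")
            k = (eq ? substr(line, 1, eq - 1) : line)
            gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = (eq ? substr(line, eq + 1) : "on")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v
            exit
        }' "$1"
}

# audit_mysql_cnf FILE
# Prints one OK/WARN line per check; the return code is the number of warnings.
audit_mysql_cnf() {
    f=$1
    warn=0
    bind=$(cnf_get "$f" bind-address)
    if [ -n "$(cnf_get "$f" skip-networking)" ] || [ "$bind" = 127.0.0.1 ] || [ "$bind" = ::1 ]; then
        echo "OK   TCP listener disabled or bound to localhost"
    else
        echo "WARN mysqld accepts remote TCP connections (bind-address=${bind:-unset})"
        warn=$((warn + 1))
    fi
    case "$(cnf_get "$f" local-infile)" in
        0|OFF|off) echo "OK   local-infile disabled" ;;
        *) echo "WARN local-infile not set to 0 (LOAD DATA LOCAL allowed)"; warn=$((warn + 1)) ;;
    esac
    port=$(cnf_get "$f" port)
    if [ -z "$port" ] || [ "$port" = 3306 ]; then
        echo "WARN default port 3306 in use"; warn=$((warn + 1))
    else
        echo "OK   non-default port $port (obscurity only; still firewall it)"
    fi
    runas=$(cnf_get "$f" user)
    if [ -z "$runas" ] || [ "$runas" = root ]; then
        echo "WARN no unprivileged user= set; mysqld may run as root"; warn=$((warn + 1))
    else
        echo "OK   mysqld drops to user $runas"
    fi
    # "log=" is the old option name used in the post; newer servers use general_log_file=
    logf=$(cnf_get "$f" log)
    [ -n "$logf" ] || logf=$(cnf_get "$f" general_log_file)
    if [ -z "$logf" ]; then
        echo "WARN no query log configured"; warn=$((warn + 1))
    elif [ -e "$logf" ] && [ "$(ls -ld "$logf" | cut -c8-10)" != "---" ]; then
        echo "WARN $logf is readable by others; chmod 640 it"; warn=$((warn + 1))
    else
        echo "OK   query log $logf configured"
    fi
    return $warn
}

# Usage: sh audit.sh /etc/mysql/my.cnf   (path is a placeholder)
if [ $# -gt 0 ]; then
    audit_mysql_cnf "$1"
fi
```

Run it against the live config after every change; the non-zero return code makes it usable from a cron job or a configuration-management check. The log-permission test only looks at the "others" bits, matching the chmod advice in the next item.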
– chmod it and make sure it is unreadable by others: -rw-r-----
- Create a specific user for each app
mysql> create user 'opencart'@'localhost' identified by 'password';
mysql> grant select,update,delete on opencartdb.* to 'opencart'@'localhost';
– or grant it all:
mysql> grant all on opencartdb.* to 'opencart'@'localhost';
- Change the root login to an uncommon name
mysql> rename user 'root'@'localhost' to 't00r'@'localhost';
mysql> flush privileges;
- Change the default port 3306 in my.cnf -> port=6303
- Create an unbreakable password combining alphanumerics and symbols;
this would take some time to bruteforce:
mysql> set password for t00r@localhost=password('x^8#ub&wgxQrw0f4k93jrChy7i%%cr*83v_:p');
- Detect a mysql ddos: inspect the session connections and block the source in the firewall if necessary
mysql> show status;
mysql> show processlist;
- Limit the maximum number of connections for each user
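The "see session connection, block it in firewall" step above is easiest when the processlist is reduced to a per-host count. The shell snippet below is an added example and not part of the original post: it consumes the tab-separated output of `mysql -e 'show processlist'`, strips the client port, and flags hosts holding more than a chosen number of connections. The processlist lines and the threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: count open connections per
# client host from `show processlist` output so a flood from one host can be
# spotted and blocked at the firewall. Input is the tab-separated format of
# `mysql -e 'show processlist'`; the sample rows below are constructed.

sample_processlist() {
    printf 'Id\tUser\tHost\tdb\tCommand\tTime\tState\tInfo\n'
    printf '12\topencart\t10.0.0.5:51822\topencartdb\tSleep\t3\tNULL\tNULL\n'
    printf '13\topencart\t10.0.0.5:51823\topencartdb\tQuery\t0\texecuting\tselect 1\n'
    printf '14\topencart\t10.0.0.5:51824\topencartdb\tSleep\t1\tNULL\tNULL\n'
    printf '15\tt00r\tlocalhost\tNULL\tQuery\t0\tinit\tshow processlist\n'
    printf '16\topencart\t10.0.0.9:40010\topencartdb\tSleep\t2\tNULL\tNULL\n'
}

# connections_per_host < processlist
# Prints "host count" lines, busiest host first; the client port is stripped
# so all connections from one address are counted together.
connections_per_host() {
    awk -F'\t' 'NR > 1 { h = $3; sub(/:[0-9]+$/, "", h); n[h]++ }
                END { for (h in n) print h, n[h] }' | sort -k2,2nr -k1,1
}

# flag_hosts THRESHOLD < processlist
# Prints each host holding more than THRESHOLD connections.
flag_hosts() {
    connections_per_host | awk -v max="$1" '$2 > max { print $1 }'
}

# Live use (client credentials assumed to be in ~/.my.cnf):
#   mysql -e 'show processlist' | flag_hosts 50
```

A host that appears in the flagged list is a candidate for a firewall rule, but check `User` and `Info` first so a legitimate application pool is not cut off. The MySQL-side counterpart for the last item in the list is a per-account cap, for example `ALTER USER 'opencart'@'localhost' WITH MAX_USER_CONNECTIONS 20;` on MySQL 5.7 and later (older versions take the same clause on GRANT), which limits one account's damage even before the firewall reacts.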