MySQL Security: Difference between revisions
(New page: <span id="top"></span> {| cellpadding="2" |__TOC__||'''MySQL Security''' |} '''Introduction''' After extracting Uniform Server your first task should be to change the MySQL password. How...) |
(No difference)
|
Revision as of 23:15, 16 December 2009
MySQL Security |
Introduction
After extracting Uniform Server your first task should be to change the MySQL password.
However doing so will render all pre-configured plugin applications inoperable.
To resolve this issue you can edit each applications configuration file and change the password accordingly. This method is very high risk especially if you intend to run a production server.
The following is a step-by-step guide how to secure MySQL server on Uniform Server.
Security issues
You probably are wondering what all the fuss is about the following attempts to explain the levels of security and why the root user is so dangerous.
Root User
A default installation of Uniform Server has a single user named root with password root. This user has full global privileges, significance of this privilege is server wide hence root user has full power to create and delete any database or table.
Changing the MySQL password (root user password) from Apanel protects this user. However the root user should only be used for server administration and be the only user to connect to the server with these privileges.
Application connection
When installing an application you are required to enter a database name along with a user name and password. Using the root user for installation is convenient generally installation will proceed with no problems.
Although convenient unless steps are taken using root is an extremely serious security issue. Every time an application connects to the MySQL server it does so with all granted privileges. Should the application be compromised in anyway your entire MySQL sever is at risk.
Application security
Application programmers do their utmost to protect the application from malicious users. If the application becomes compromised generally only the application is killed however since the application connected with full privileges you can kiss your MySQL server good-bye.
To put the above into context for a test server the only person that can compromise your server is you hence not an issue. Putting your servers online any user can potentially compromise your servers hence you must take security seriously.
General Steps
- Change the MySQL root password
- Install an application using root user
- Create a new user with limited privileges for that applications database only
- Change the applications configuration file to connect using the above user.
Detail
Change MySQL password
Change MySQL password
|
Install an application
- Install application as per instructions.
Note: From the above MySQL server host is localhost user name root password fred123
Use the password you configured. - For the remainder of this example I will assume you are using the MediaWiki plugin V55_MediaWiki_1_15_1.exe
Note: This is pre-configured and uses user name root and password root
Create a new user
Change MySQL password
|
Edit application configuration file
Continuing with our MediaWiki example final step is to edit the configuration file.
Open file UniServer\www\wiki\LocalSettings.php in a text editor.
|
|
General note
After making any significant changes always restart servers and flush your browser cache and delete all cookies.
For Firefox:
- Tools > Options > Click Privacy > Click Show cookies button > Click Remove all cookies
- Tools > Options > Click Advanced > Click Clear Now
Conclusion
Installing applications using root makes the whole process relatively easy since you have full privileges. After installation check the application runs then secure the MySQL server with a user with restricted privileges as explained above.
For a production server it is essential to secure your MySQL server. For a test server the choice is yours however if you put a test server online again you must secure it.