MySQL Security

From The Uniform Server Wiki
Revision as of 23:15, 16 December 2009 by Ric (talk | contribs) (New page: <span id="top"></span> {| cellpadding="2" |__TOC__||'''MySQL Security''' |} '''Introduction''' After extracting Uniform Server your first task should be to change the MySQL password. How...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

MySQL Security

Introduction

After extracting Uniform Server your first task should be to change the MySQL password.

However doing so will render all pre-configured plugin applications inoperable.

To resolve this issue you can edit each applications configuration file and change the password accordingly. This method is very high risk especially if you intend to run a production server.

The following is a step-by-step guide how to secure MySQL server on Uniform Server.

Security issues

You probably are wondering what all the fuss is about the following attempts to explain the levels of security and why the root user is so dangerous.

Top

Root User

A default installation of Uniform Server has a single user named root with password root. This user has full global privileges, significance of this privilege is server wide hence root user has full power to create and delete any database or table.

Changing the MySQL password (root user password) from Apanel protects this user. However the root user should only be used for server administration and be the only user to connect to the server with these privileges.

Top

Application connection

When installing an application you are required to enter a database name along with a user name and password. Using the root user for installation is convenient generally installation will proceed with no problems.

Although convenient unless steps are taken using root is an extremely serious security issue. Every time an application connects to the MySQL server it does so with all granted privileges. Should the application be compromised in anyway your entire MySQL sever is at risk.

Top

Application security

Application programmers do their utmost to protect the application from malicious users. If the application becomes compromised generally only the application is killed however since the application connected with full privileges you can kiss your MySQL server good-bye.

To put the above into context for a test server the only person that can compromise your server is you hence not an issue. Putting your servers online any user can potentially compromise your servers hence you must take security seriously.

Top

General Steps

  1. Change the MySQL root password
  2. Install an application using root user
  3. Create a new user with limited privileges for that applications database only
  4. Change the applications configuration file to connect using the above user.

Top

Detail

Change MySQL password

Change MySQL password

  1. Start UniTray: Navigate to folder UniServer double click on Start.exe
  2. Start Uniform Server: Left click UniTray > Click Start UniServer A) B)
  3. Run Apanel: Left click UniTray > Click Admin Panel C)
  4. Apanel left menu click MySQL Server Configuration D)
  5. Enter new MySQL Password (for example fred123) choose a secure one E)
  6. Click Change (If challenged by your firewall allow access) F)

Top

Install an application

  1. Install application as per instructions.
    Note: From the above MySQL server host is localhost user name root password fred123
    Use the password you configured.

  2. For the remainder of this example I will assume you are using the MediaWiki plugin V55_MediaWiki_1_15_1.exe
    Note: This is pre-configured and uses user name root and password root

Top

Create a new user

Change MySQL password

  1. Start Uniform Server: Left click UniTray > Click Start UniServer A) B)
  2. Run phpMyAdmin: Left click UniTray > Click phpMyAdmin G)
  3. phpMyAdmin page is displayed. From the top menu click on privileges H)
    This opens a new page displaying all users
  4. Click on Add a new User I) This opens the Add a new user page


  5. Enter required user name (example WikiUser) J)
  6. Select Host from drop down menu. Select localhost restricts access K)
  7. Enter password (from drop down menu select Use Text Field) L)
  8. Confirm password M)
    Note for this example I entered user123

    Note: The Add new User pages allows you to set global privileges for the user. This user is being created with absolute minimum privileges hence no global privileges are set. Ensure all preveleges are unchecked.

  9. Scroll down page and click Go N)






  10. Our new user is created and confirmation provided at top of the page. A new section is automatically added to current page named Database Specific Privileges scroll to this section.

    Note: You can assign more than one database to a user however this is a user with limited access hence a single database is assigned.

  11. From the drop down menu select wikidb O)
    This automatically openens a new page where you can assign priveleges to the user that are specific to the Wiki database wikidb



  12. When assigning privileges assign the absolute minimum possible to allow an application to run. If the application fails you can always go back and edit user privileges and enable more as required.

    For MediaWiki the minimum is shown see section Data P)
  13. Scroll down page and click Go Q)


Note: A user in this context is the name of a user that is allowed to connect to the MySQL server. This name has no relationship to any applications users.


Generally for maximum security you would create a new user and password per application.

Top

Edit application configuration file

Continuing with our MediaWiki example final step is to edit the configuration file.

Open file UniServer\www\wiki\LocalSettings.php in a text editor.

Locate this section:
## Database settings
$wgDBtype           = "mysql";
$wgDBserver         = "localhost";
$wgDBname           = "wikidb";
$wgDBuser           = "root";
$wgDBpassword       = "root";
Change $wgDBuser and $wgDBpassword as shown below:
## Database settings
$wgDBtype           = "mysql";
$wgDBserver         = "localhost";
$wgDBname           = "wikidb";
$wgDBuser           = "WikiUser";
$wgDBpassword       = "user123";

Top

General note

After making any significant changes always restart servers and flush your browser cache and delete all cookies.

For Firefox:

  • Tools > Options > Click Privacy > Click Show cookies button > Click Remove all cookies
  • Tools > Options > Click Advanced > Click Clear Now

Top

Conclusion

Installing applications using root makes the whole process relatively easy since you have full privileges. After installation check the application runs then secure the MySQL server with a user with restricted privileges as explained above.


For a production server it is essential to secure your MySQL server. For a test server the choice is yours however if you put a test server online again you must secure it.

Top