OS level Security:
- Never run the MySQL server as the linux ‘root’ user. Always create the separate user for MySQL and start/stop MySQL server with it.
- If the data directories are located under $mysql_home/data dir then make sure that directory and all subdirectories should have only read and write privileges for the mysql user.
- Always secure MySQL configuration files. i.e my.cnf. If possible than keep it in different location rather than /etc (which is default location).
- Always secure MySQL log files like binary log, query log, error.log etc. Because through that anyone can get the information about data, tables etc.
- Always secure .mysql_history file of mysql or any super linux user. Because that file can contain commands, passwords in palin text.
Accounts and Privileges:
- Secure mysql root account. There should not be root user account other than localhost. Remove anonymous account for root.
- Always check ‘aborted_connects’ status variable. This variable value will be high when someone will attack on your DB server.
- After installing and start mysql, run mysql_secure_installation script for setting mysql root password, remove anonymous accounts, remove remote access and delete test db.
- Never allow access to mysql.user table or mysql database to any non-admin users.
- Don’t grant SUPER, FILE, and PROCESS privilege to non-admin users.
- Always restrict user accounts to only those schemas which they need to.
- If data is sensitive than consider to use SSL for data communications.
Data and Auditing:
- If logic is not complex than use mysql stored procedure/functions/triggers to secure your data as it can prevent sql-injection attacks.
- Always delete “test” database from the prod servers.
- Set appropriate SQL_MODE option to secure your data and keep data integrity high.
- Always secure DB backup files.
- Use binary, general query, error log for auditing activity.