making mysql secure
Posted by 4est (4est), 29 August 2003
Does anyone know of a good guide on making MySQL secure? I have my site hosted on an ISP (I don't admin the server), so is this in the jurisdiction of the server admin, or are there things that I need to do with regards to the configuration of my db?
thanks for the advice, 4est.
Posted by admin (Graham Ellis), 30 August 2003
Most ISPs will administer MySQL so that you have full access to a database whose name is the same as your main login name (or just possibly to databases whose names start with your login name). Your login name to MySQL will be the same name again, and it will be password protected; this may be a different password to your main login password, or you may be able to make it so ...
Provided that the MySQL is properly administered to prevent access by Joe Public or Another Accountholder to your database (that is down to the ISP setting it up right), there should be just a few simple guidelines for you to follow.
a) Have a good MySQL password that can't easily be guessed or discovered through repeated automatic attacks.
b) Don't reveal your MySQL password to anyone, and change it if you can from time to time.
c) You'll probably need to place your MySQL password into web scripts (in your PHP or whatever language you're using). This will make you nervous, I'm sure, but provided that the pages are placed in a cgi-bin directory or have an extension so that they're parsed by the server and never get out, it's OK.
MySQL accepts logins identified by user name, password, and the host from which they're logging in. It's common for ISPs to only allow local connection (i.e. from web pages and from copies of other clients run by the user logged in by ssh or telnet), which is somewhat of a security help for the unaware against Joe Public breaking in; even if Joe Public were to get the password, which I hope differs from your main login password, there's little use he can make of it. If your ISP allows MySQL connections irrespective of originating host, it's fine provided that you protect your password, and that if you do access in from halfway across the world you trust the plain text transmission involved in such an access; if your password IS given away with such a setup, you are NOT protected against Joe Public.
Hope that gives you a flavour. My answer has to be hedged by ifs and buts because the main setup is done by the ISP, and then you provide the last stage. Security relates to the combination of both.
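The user-plus-host model the answer above describes, shown as an added SQL example (not from the original post or from the ISP setup it describes). The account name `jsmith`, the database `jsmith_db` and the passphrases are constructed placeholders; the `CREATE USER` / `ALTER USER` syntax is the modern MySQL (5.7 and later) form rather than the older `GRANT ... IDENTIFIED BY` form in use when the thread was written.

```sql
-- Added example: an ISP-style account that is confined to its own database
-- and to local connections. 'jsmith', 'jsmith_db' and the passphrases are
-- constructed placeholders, not values from the thread.

-- The account only exists for connections arriving from the server itself,
-- i.e. from web scripts or from a client run over an ssh login. A leaked
-- password is of little use to a remote attacker with this host restriction.
CREATE USER 'jsmith'@'localhost' IDENTIFIED BY 'CHANGE-ME-long-random-passphrase';

-- Privileges limited to the database named after the login, nothing else.
GRANT SELECT, INSERT, UPDATE, DELETE ON `jsmith_db`.* TO 'jsmith'@'localhost';

-- The looser variant from the answer: the same login accepted from any host.
-- Only defensible if the password is well protected and the transmission path
-- is trusted; a given-away password then works from anywhere.
-- CREATE USER 'jsmith'@'%' IDENTIFIED BY 'CHANGE-ME-long-random-passphrase';
-- GRANT SELECT, INSERT, UPDATE, DELETE ON `jsmith_db`.* TO 'jsmith'@'%';

-- Checks an account holder can run to see what the ISP actually granted,
-- and from which hosts the login is accepted.
SHOW GRANTS FOR 'jsmith'@'localhost';
SELECT User, Host FROM mysql.user WHERE User = 'jsmith';

-- Item (b) above: rotating the password from time to time.
ALTER USER 'jsmith'@'localhost' IDENTIFIED BY 'new-CHANGE-ME-passphrase';
FLUSH PRIVILEGES;
```

On a hosted account you will usually only be able to run the `SHOW GRANTS` and `mysql.user` queries (and possibly the password change); the `CREATE USER` and `GRANT` statements are what the ISP's administrator runs when setting the account up, which is the "first stage" the answer refers to.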
PH: 01225 708225 • FAX: 01225 793803 • EMAIL: firstname.lastname@example.org • WEB: http://www.wellho.net • SKYPE: wellho