xoxomos

asked on

mySQL Hardening

I'd like some good links documenting how best to harden MySQL.
We've learned we were hacked via a Cold Fusion exploit and would like to prevent future occurrences.
ASKER CERTIFIED SOLUTION
Brian Crowe
xoxomos

ASKER

Thanks. That was from yesterday :-)
SOLUTION

ASKER

Yes, we believe it was a Cold Fusion exploit, but the programmer asked for some input on MySQL hardening in general.
Well, those are two totally different things. For CF-specific exploits, be sure to check http://hackmycf.com.

Though as mentioned, CF's interaction with MySQL is mostly just handing off SQL strings for execution. So securing access primarily involves securing ALL queries with cfqueryparam, i.e. bind variables. You can also mitigate some damage by restricting the operations allowed by the CF DSN in the CF Admin. The default is "all": SELECT, UPDATE, DELETE, CREATE, GRANT, etc., but you can customize it by disabling operations not needed in your application.

As for securing MySQL itself, that's not really related to CF specifically. Perhaps some of the MySQL experts were scared off by the mention of CF? Might want to modify the question to ask about securing MySQL in general. I'll leave the specific advice about MySQL to the MySQL gurus, but there are a lot of general tips on securing MySQL, such as this one.
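The database-side counterpart of restricting the operations the CF DSN may run is a MySQL account that holds only the grants the application needs, so that whatever an injected query tries to do is bounded by the server as well as by the CF Admin setting. The following is an added example written for this page, not code from anyone in the thread. The account names, the appdb schema and the CF server address 10.0.0.5 are assumptions, and DROP USER IF EXISTS needs MySQL 5.7 or later.

```sql
-- Added example: least-privilege MySQL account for the ColdFusion DSN.
-- Account names, the appdb schema and the CF host 10.0.0.5 are assumptions.
-- Run as an administrative account (e.g. root over the local socket).

-- 1. A dedicated account for the application, reachable only from the CF host.
--    Never point the DSN at root.
CREATE USER 'webapp'@'10.0.0.5' IDENTIFIED BY 'replace-with-a-long-random-password';

-- 2. Only the data operations the application actually issues, and only on
--    its own schema. No CREATE, DROP, ALTER, GRANT OPTION, FILE or SUPER, so a
--    query injected through the DSN cannot reshape the schema, add accounts,
--    or read and write files on the database server.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'10.0.0.5';

-- 3. Pages that only read get a separate read-only account (and a separate
--    DSN in the CF Admin), so an injection on a reporting page cannot write.
CREATE USER 'webapp_ro'@'10.0.0.5' IDENTIFIED BY 'another-long-random-password';
GRANT SELECT ON appdb.* TO 'webapp_ro'@'10.0.0.5';

-- 4. Check the result: expect the grant on appdb.* plus USAGE, and nothing
--    global and nothing on mysql.*.
SHOW GRANTS FOR 'webapp'@'10.0.0.5';

-- 5. Remove accounts an attacker with SQL execution would look for:
--    anonymous users and a remotely reachable root.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS 'root'@'%';

-- 6. Confirm the server will not read or write arbitrary files on behalf of
--    clients: secure_file_priv should name a restricted directory (or be NULL,
--    which disables file operations entirely) and local_infile should be OFF.
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'local_infile';
```

The point of step 2 is that it is independent of the application code: even if one query somewhere is missing cfqueryparam, the worst the injected statement can do is read or modify rows in appdb, not create a user or pull a file off the server.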

ASKER

Thanks again. The items in the 'this one' :-) are what I've put on the list so far, and I'll be adding your comment to that. In our case, the boss for some reason did not apply a CF patch which would have prevented that exploit.
Other hardening mentioned elsewhere, such as stored procedures and prepared statements, was not supported by MySQL way, way back when he first started using MySQL, so I'm not sure how I'll present those to him :-)
As long as you add cfqueryparam to all query parameters, you're essentially getting the benefits of prepared statements: performance, bind variables. PSs are what CF uses behind the scenes anyway.

> Other hardening mentioned elsewhere such as stored procedures,

Stored procs have some advantages, i.e. it's easier to centralize permissions and DB logic, and it's easier to perform complex SQL. But stored procs don't offer any performance or security benefits over proper use of cfqueryparam, AFAIK.

Though watch out for stored procs that use dynamic SQL; they are notoriously insecure.
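To make the two points in the reply above concrete (a bound value arrives at MySQL as data, via a server-side prepared statement, whereas a stored procedure that builds its SQL text from its arguments throws that protection away), here is an added example in MySQL SQL. It is not code from this thread; the appdb schema and a users(id, username, email) table are assumptions, as are the constructed CALL inputs at the end.

```sql
-- Added example: dynamic SQL inside a stored procedure, vulnerable and fixed.
-- Assumes a schema appdb with a table users(id, username, email).
USE appdb;
DELIMITER $$

-- VULNERABLE: the argument is spliced into the SQL text, so a quote in it
-- ends the literal and the rest is executed as SQL. Because procedures run
-- with SQL SECURITY DEFINER by default, the injected SQL also runs with the
-- definer's privileges, not the caller's.
CREATE PROCEDURE find_user_unsafe(IN p_name VARCHAR(64))
BEGIN
  SET @sql = CONCAT('SELECT id, username, email FROM users WHERE username = ''',
                    p_name, '''');
  PREPARE stmt FROM @sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END$$

-- FIXED (when the SQL really has to be built at run time): the statement text
-- is a constant with a ? placeholder and the value is bound at EXECUTE time.
-- This is the same server-side mechanism a cfqueryparam bind variable ends up
-- using: the value can only ever be compared, never parsed.
CREATE PROCEDURE find_user_safe(IN p_name VARCHAR(64))
BEGIN
  SET @name = p_name;
  PREPARE stmt FROM 'SELECT id, username, email FROM users WHERE username = ?';
  EXECUTE stmt USING @name;
  DEALLOCATE PREPARE stmt;
END$$

-- SIMPLEST: most procedures do not need dynamic SQL at all. A static query
-- referencing the parameter directly is compiled once and cannot be injected.
CREATE PROCEDURE find_user_static(IN p_name VARCHAR(64))
BEGIN
  SELECT id, username, email FROM users WHERE username = p_name;
END$$

DELIMITER ;

-- Constructed inputs to show the difference. The doubled quotes are SQL
-- escaping; the value passed in is  x' OR '1'='1
CALL find_user_unsafe('alice');              -- the one intended row
CALL find_user_unsafe('x'' OR ''1''=''1');   -- every row: the quote closed the literal
CALL find_user_safe('x'' OR ''1''=''1');     -- no rows: the whole string is one username
CALL find_user_static('x'' OR ''1''=''1');   -- no rows, same reason
```

When auditing existing procedures, grep the routine bodies for CONCAT near PREPARE (SELECT ROUTINE_NAME FROM information_schema.ROUTINES WHERE ROUTINE_DEFINITION LIKE '%PREPARE%'); anything that concatenates a parameter into the statement text is the pattern shown in find_user_unsafe, regardless of how carefully the CF side binds its own values.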