mySQL Hardening

I'd like some good links documenting how best to harden mySql.
We've learned we were hacked via a Cold Fusion exploit and would like to prevent future occurences.
xoxomosAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brian CroweDatabase AdministratorCommented:
Might want to post this in mySQL topic area instead of MS SQL Server
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
xoxomosAuthor Commented:
Thanks.  That was from yesterday :-)
0
_agx_Commented:
Why ask about MySQL hardening if it was a ColdFusion exploit? Typically, CF just passes sql strings to a database (mySQL, sql server, etc..). The usual exploit is sql injection, which applies to any web application that connects to a db, not CF specifically.

The solution is to ensure you're using <cfqueryparam> (ie bind variables) on ALL variable query parameters.  Bind variables help prevent input values like #FORM.someField# from being executed as sql commands. Thereby preventing common sql injection attacks.

With MySQL, you can also disable the execution of multiple statements in the DSN driver string. (Assuming it's not needed in your app). This will help mitigate some of the sql injections risks, but not all. So it should only be used in combination with cfqueryparam.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

xoxomosAuthor Commented:
Yes, we believe it was  a Cold Fusion exploit, but the programmer asked for some input on mySQL hardening in general.
0
_agx_Commented:
Well, those are two totally different things. For CF specific exploits, be sure to check http://hackmycf.com.
Though as mentioned, CF's interaction with mySQL is mostly just handing off SQL strings for execution. So securing access primarily involves securing ALL queries with cfqueryparam ie bind variables. You can also mitigate some damage by restricting the operations allowed by the CF DSN in the CF Admin. The default is "all": SELECT, UPDATE, DELETE, CREATE, GRANT etc...  but you can customize it by disabling operations not needed in your application.


As for securing mySQL itself, that's not really related to CF specifically. Perhaps some of the mySQL experts were scared off by the mention of CF? Might want to modify the question to ask about securing mySQL in general. I'll leave the specific advice about MySQL to the MySQL gurus, but there are a lot of general tips on securing mySQL, such as this one.
0
xoxomosAuthor Commented:
Thanx again.  The items in the 'this one' :-) is what i've put on the list so far and i'll be adding your comment to that.  In our case, the boss for some reason did not apply a CF patch which would have prevented that exploit.
Other hardening  mentioned elsewhere such as stored procedures, and prepared statements were not supported by mySQL way way back when he first started using mySQL so i'm not sure how i'll present those to him :-)
0
_agx_Commented:
As long as you add cfqueryparam to all query parameters - you're essentially getting the benefits of prepared statements: performance, bind variables.  PS's are what CF uses behind the scenes anyway.

> Other hardening  mentioned elsewhere such as stored procedures,

Stored procs have some advantages ie Easier to centralize permissions and db logic. It's easier to perform complex sql.  But stored procs don't offer any performance or security benefits over proper use of cfqueryparam AFAIK.

Though watch out for stored procs that use dynamic sql - notoriously insecure.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.