• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 379

mySQL Hardening

I'd like some good links documenting how best to harden mySql.
We've learned we were hacked via a Cold Fusion exploit and would like to prevent future occurences.
Asked by: xoxomos
2 Solutions
 
Brian Crowe commented:
Might want to post this in mySQL topic area instead of MS SQL Server
0
 
xoxomos (Author) commented:
Thanks.  That was from yesterday :-)
0
 
_agx_ commented:
Why ask about MySQL hardening if it was a ColdFusion exploit? Typically, CF just passes SQL strings to a database (MySQL, SQL Server, etc.). The usual exploit is SQL injection, which applies to any web application that connects to a db, not CF specifically.

The solution is to ensure you're using <cfqueryparam> (i.e. bind variables) on ALL variable query parameters. Bind variables help prevent input values like #FORM.someField# from being executed as SQL commands, thereby preventing common SQL injection attacks.

With MySQL, you can also disable the execution of multiple statements in the DSN driver string (assuming it's not needed in your app). This will help mitigate some of the SQL injection risks, but not all. So it should only be used in combination with cfqueryparam.
0
 
xoxomos (Author) commented:
Yes, we believe it was a Cold Fusion exploit, but the programmer asked for some input on mySQL hardening in general.
0
 
_agx_ commented:
Well, those are two totally different things. For CF specific exploits, be sure to check http://hackmycf.com.
Though as mentioned, CF's interaction with mySQL is mostly just handing off SQL strings for execution. So securing access primarily involves securing ALL queries with cfqueryparam, i.e. bind variables. You can also mitigate some damage by restricting the operations allowed by the CF DSN in the CF Admin. The default is "all": SELECT, UPDATE, DELETE, CREATE, GRANT etc., but you can customize it by disabling operations not needed in your application.

As for securing mySQL itself, that's not really related to CF specifically. Perhaps some of the mySQL experts were scared off by the mention of CF? Might want to modify the question to ask about securing mySQL in general. I'll leave the specific advice about MySQL to the MySQL gurus, but there are a lot of general tips on securing mySQL, such as this one.
0
 
xoxomos (Author) commented:
Thanx again. The items in the 'this one' :-) are what I've put on the list so far, and I'll be adding your comment to that. In our case, the boss for some reason did not apply a CF patch which would have prevented that exploit.
Other hardening mentioned elsewhere, such as stored procedures and prepared statements, was not supported by mySQL way, way back when he first started using mySQL, so I'm not sure how I'll present those to him :-)
0
 
_agx_ commented:
As long as you add cfqueryparam to all query parameters - you're essentially getting the benefits of prepared statements: performance, bind variables.  PS's are what CF uses behind the scenes anyway.

> Other hardening  mentioned elsewhere such as stored procedures,

Stored procs have some advantages, i.e. easier to centralize permissions and db logic. It's easier to perform complex SQL. But stored procs don't offer any performance or security benefits over proper use of cfqueryparam AFAIK.

Though watch out for stored procs that use dynamic sql - notoriously insecure.
0
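Added example (not code from any poster in this thread): the pattern _agx_ describes above, a cfquery that interpolates form values into the SQL text, beside the same queries rewritten with cfqueryparam bind variables, plus the DSN-level settings from his later comment. The datasource name "appDSN", the users table and its columns are assumed for illustration.

```cfml
<!--- Added example; the datasource "appDSN" and the users table are assumed. --->

<!--- Vulnerable: form values are pasted into the SQL text. ColdFusion doubles
      single quotes inside a quoted literal, but the unquoted numeric value is
      inserted verbatim, so whatever is typed into FORM.status becomes SQL. --->
<cfquery name="getUserUnsafe" datasource="appDSN">
    SELECT id, username, email
    FROM users
    WHERE username = '#FORM.username#'
      AND status = #FORM.status#
</cfquery>

<!--- Hardened: every variable value goes through cfqueryparam. CF then sends a
      prepared statement and binds the values, so they are never parsed as SQL.
      cfsqltype enforces the type (a non-numeric status is rejected before the
      query runs) and maxlength caps oversized input. --->
<cfquery name="getUser" datasource="appDSN">
    SELECT id, username, email
    FROM users
    WHERE username = <cfqueryparam value="#FORM.username#"
                                   cfsqltype="cf_sql_varchar" maxlength="64">
      AND status = <cfqueryparam value="#FORM.status#"
                                 cfsqltype="cf_sql_integer">
</cfquery>

<!--- Lists (e.g. ids from a multi-select) are bound with list="true";
      cfqueryparam emits one bind marker per element, so IN (...) stays safe. --->
<cfquery name="getSelected" datasource="appDSN">
    SELECT id, username
    FROM users
    WHERE id IN (<cfqueryparam value="#FORM.selectedIds#"
                               cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- Defence in depth, configured in the CF Administrator datasource, not in code:
      1. "Allowed SQL": untick every operation the application does not issue
         (e.g. leave SELECT/INSERT/UPDATE/DELETE, disable CREATE, DROP, GRANT, ALTER).
      2. MySQL connection string: add allowMultiQueries=false (a Connector/J driver
         property; assumes the DSN uses that driver) so a second statement appended
         after an unbound value is refused rather than executed.
      Neither replaces cfqueryparam; they only limit the damage if a query is missed. --->
```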
