mySQL Hardening

xoxomos
I'd like some good links documenting how best to harden mySql.
We've learned we were hacked via a Cold Fusion exploit and would like to prevent future occurrences.
Database Administrator
Top Expert 2005
Commented:
Might want to post this in mySQL topic area instead of MS SQL Server

Author

Commented:
Thanks.  That was from yesterday :-)
Most Valuable Expert 2015
Commented:
Why ask about MySQL hardening if it was a ColdFusion exploit? Typically, CF just passes sql strings to a database (mySQL, sql server, etc..). The usual exploit is sql injection, which applies to any web application that connects to a db, not CF specifically.

The solution is to ensure you're using <cfqueryparam> (i.e. bind variables) on ALL variable query parameters. Bind variables help prevent input values like #FORM.someField# from being executed as SQL commands, thereby preventing common SQL injection attacks.

With MySQL, you can also disable the execution of multiple statements in the DSN driver string (assuming it's not needed in your app). This will help mitigate some of the SQL injection risks, but not all, so it should only be used in combination with cfqueryparam.
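As an added illustration of the cfqueryparam advice in this answer (example code written for this page, not from the thread's author or from the asker's application), here is a query that interpolates request values directly beside the same query rewritten with bind variables. The datasource name "appDSN", the table "users", its columns and the FORM fields are assumed for the example.

```cfml
<!--- Added example (not from the original thread). Assumes a datasource named
      "appDSN" and a table "users" with columns id, email, status; FORM.id,
      FORM.email, FORM.statuses and FORM.sort are untrusted request parameters. --->

<!--- VULNERABLE: the FORM value is pasted into the SQL text, so whatever the
      client sends is parsed by MySQL as part of the statement. --->
<cfquery name="getUserUnsafe" datasource="appDSN">
    SELECT id, email, status
    FROM   users
    WHERE  id = #FORM.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends each value as a bind variable. The value
      travels separately from the statement text and is never parsed as SQL.
      cfsqltype also validates the value (a non-numeric FORM.id is rejected
      before the query reaches MySQL) and maxlength bounds string input. --->
<cfquery name="getUser" datasource="appDSN">
    SELECT id, email, status
    FROM   users
    WHERE  id = <cfqueryparam value="#FORM.id#" cfsqltype="cf_sql_integer">
    AND    email = <cfqueryparam value="#FORM.email#"
                                 cfsqltype="cf_sql_varchar" maxlength="254">
</cfquery>

<!--- Multi-valued input: list="true" binds each comma-separated element as
      its own parameter, which is the safe way to build IN (...) from request
      data. --->
<cfquery name="getUsersByStatus" datasource="appDSN">
    SELECT id, email, status
    FROM   users
    WHERE  status IN (
        <cfqueryparam value="#FORM.statuses#" cfsqltype="cf_sql_varchar"
                      list="true">
    )
</cfquery>

<!--- Bind variables cover values only. Column names and sort directions
      cannot be parameterised, so map request input onto a fixed allow-list
      instead of interpolating it. --->
<cfset sortColumns = { "email" = "email", "status" = "status" }>
<cfset sortCol = structKeyExists(sortColumns, FORM.sort) ? sortColumns[FORM.sort] : "id">
<cfquery name="listUsers" datasource="appDSN">
    SELECT id, email, status
    FROM   users
    ORDER BY #sortCol#
</cfquery>
```

The last query is the case the advice above does not cover on its own: cfqueryparam can only bind values, so identifiers that come from the request still need an allow-list before they touch the SQL string.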

Author

Commented:
Yes, we believe it was a Cold Fusion exploit, but the programmer asked for some input on mySQL hardening in general.
Most Valuable Expert 2015

Commented:
Well, those are two totally different things. For CF specific exploits, be sure to check http://hackmycf.com.
Though as mentioned, CF's interaction with mySQL is mostly just handing off SQL strings for execution. So securing access primarily involves securing ALL queries with cfqueryparam, i.e. bind variables. You can also mitigate some damage by restricting the operations allowed by the CF DSN in the CF Admin. The default is "all": SELECT, UPDATE, DELETE, CREATE, GRANT etc., but you can customize it by disabling operations not needed in your application.


As for securing mySQL itself, that's not really related to CF specifically. Perhaps some of the mySQL experts were scared off by the mention of CF? Might want to modify the question to ask about securing mySQL in general. I'll leave the specific advice about MySQL to the MySQL gurus, but there are a lot of general tips on securing mySQL, such as this one.

Author

Commented:
Thanks again. The items in the 'this one' :-) are what I've put on the list so far, and I'll be adding your comment to that. In our case, the boss for some reason did not apply a CF patch which would have prevented that exploit.
Other hardening mentioned elsewhere, such as stored procedures and prepared statements, was not supported by mySQL way way back when he first started using mySQL, so I'm not sure how I'll present those to him :-)
Most Valuable Expert 2015

Commented:
As long as you add cfqueryparam to all query parameters, you're essentially getting the benefits of prepared statements: performance, bind variables. PS's are what CF uses behind the scenes anyway.

> Other hardening  mentioned elsewhere such as stored procedures,

Stored procs have some advantages, i.e. easier to centralize permissions and db logic, and it's easier to perform complex SQL. But stored procs don't offer any performance or security benefits over proper use of cfqueryparam AFAIK.

Though watch out for stored procs that use dynamic SQL; they are notoriously insecure.
