fuþark started an interesting discussion on the possibilities of a MySQL worm ... not wanting to get embroiled in the technicalities I was struck by the sense of his suggestions for administrators securing their installations and so I've reproduced them here for future reference:
- It's obvious but probably still has to be stressed again: disable all default accounts on any installation immediately (yes, even if those default accounts wouldn't allow for a remote connection) and follow the next rules even if you just set up a test account (yes, even if your server is currently not connected to the Internet). You never know what your server might be used for in the future and what you might then forget to adjust.
- Use strong passwords for any account.
- Preferably also use stronger user names for your administrative accounts; root and admin are probably the first ones to be tried.
- Disable network access to MySQL completely if you don't need it (add skip-networking to your my.cnf file).
- Use the host feature of the MySQL GRANTs system to restrict any account to the source addresses it really needs.
- Never allow an administrative account (with the SUPER privilege or write access to the mysql system database) to be connected to from any remote host (%).
- If your MySQL port has to be open to the Internet, always use a firewall that restricts access to it by source addresses.
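The account and GRANT side of the list above, as an added worked example (this is not code from the original post or from fuþark, and it assumes MySQL 5.7 or later, since DROP USER IF EXISTS needs 5.7; the account names, the host 192.0.2.10, the schema shopdb and the passwords are placeholders chosen for illustration):

```sql
-- Added example, not part of the original post. Assumes MySQL 5.7+.
-- Account names, hosts, schema and passwords below are illustrative placeholders.

-- 1. Find default/anonymous accounts and anything reachable from every host ('%').
--    These are the accounts the list says to disable first.
SELECT user, host FROM mysql.user WHERE user = '' OR host = '%';
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';
DROP USER IF EXISTS 'root'@'%';

-- 2. Administrative account: a non-obvious name instead of root/admin, a strong
--    password, and bound to localhost only, because it holds SUPER and write
--    access to the mysql system database and must never be reachable from '%'.
CREATE USER 'ops_dba_7f3'@'localhost' IDENTIFIED BY 'Replace-With-A-Long-Random-Secret';
GRANT ALL PRIVILEGES ON *.* TO 'ops_dba_7f3'@'localhost' WITH GRANT OPTION;

-- 3. Application account: least privilege on one schema, and the host part of the
--    GRANT restricted to the single application server that really needs it.
CREATE USER 'webapp'@'192.0.2.10' IDENTIFIED BY 'Another-Long-Random-Secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'webapp'@'192.0.2.10';

-- 4. Checks to run afterwards. Both queries should return no rows:
--    no wildcard-host account may hold SUPER or global write privileges
--    (which include writing to the mysql database) ...
SELECT user, host FROM mysql.user
 WHERE host = '%'
   AND (Super_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y');
--    ... and no wildcard-host account may have schema-level rights on mysql.*
SELECT user, host FROM mysql.db WHERE db = 'mysql' AND host = '%';

-- Review what an account actually ended up with.
SHOW GRANTS FOR 'webapp'@'192.0.2.10';
```

The configuration counterpart from the list, for a server that needs no network clients at all, is the line skip-networking under the [mysqld] section of my.cnf; where the port must stay open, the host part of each GRANT limits which source addresses an account can use, and a firewall rule restricting the MySQL port by source address adds the second layer the last point asks for.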