
Mysql User and the Unix Install: By now everyone should know that any service you leave running as root faces the possibility of being exploited, if not by a known exploit, then by a future one. Root is all-powerful and should be used as little as possible. Creating a mysql user (as most of the Linux RPMs do for you) is a good start to securing your mysql installation. It also lets you select where to keep the database and how to protect the associated files. Be sure that the group permissions do not open up the database files to reading by non-trusted users, and be sure the mysql home directory has the kind of space you need as your databases grow. Installing mysql from source (as on Solaris) allows you to set many of these options by hand, so take the time to read the configuration files. Remember to set the mysql user's shell to /bin/false or /sbin/nologin, since it's not a login account. Any time you have done this and need to become that user, you can run % su -s /bin/tcsh mysql as root and do whatever is needed.
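
The account shell and file permission points above can be checked with a short script. This is an added example, not part of the original page: the function names are illustrative, the passwd file and data directory are passed in as arguments, and /usr/sbin/nologin is accepted in addition to the two shells named above.

```sh
#!/bin/sh
# Added example (not from the original page). Function names are illustrative.

# check_mysql_shell PASSWD_FILE [ACCOUNT]
# Returns 0 only if ACCOUNT exists and has a non-login shell.
check_mysql_shell() {
    passwd_file=$1
    account=${2:-mysql}
    shell=$(awk -F: -v u="$account" \
        '$1 == u { print $7; found = 1 } END { if (!found) exit 2 }' \
        "$passwd_file") || {
        echo "FAIL: no '$account' entry in $passwd_file"
        return 2
    }
    case $shell in
        # /usr/sbin/nologin is the Debian-style path (assumed addition)
        /bin/false|/sbin/nologin|/usr/sbin/nologin)
            echo "OK: $account shell is $shell" ;;
        *)  # an empty field means the system default shell, i.e. a login shell
            echo "FAIL: $account has login shell '${shell:-<empty>}'"
            return 1 ;;
    esac
}

# check_datadir_perms DIR
# Returns 1 if anything under DIR is readable, writable or searchable by
# "other"; group-readable entries are printed for manual review of the group.
check_datadir_perms() {
    datadir=$1
    [ -d "$datadir" ] || { echo "FAIL: $datadir is not a directory"; return 2; }
    # Symlinks always show mode 777, so they are skipped.
    exposed=$(find "$datadir" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    echo "REVIEW group access on:"
    find "$datadir" ! -type l -perm -040 -exec ls -ld {} +
    if [ -n "$exposed" ]; then
        echo "FAIL: accessible to all local users:"
        echo "$exposed"
        return 1
    fi
    echo "OK: nothing under $datadir is open to other users"
}

# Stand-alone use (example paths): sh audit.sh /etc/passwd /var/lib/mysql
if [ "$#" -eq 2 ]; then
    check_mysql_shell "$1"
    check_datadir_perms "$2"
fi
```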

Mysql Database: The default mysql setup leaves some pretty big security holes, which you need to close off as your first order of business. The test database that is provided is open to all users; it should be removed. There is also a default nobody user with limited permissions, but this could be exploited since it allows any user to connect without a password. These commands, run from inside a mysql client, should tighten up the database.

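drop database test;
use mysql;
-- remove the privilege rows that open test and test_* databases to everyone
DELETE FROM db WHERE Db like 'test%';
-- remove accounts that may connect from any host
DELETE FROM user WHERE Host = '%';
-- remove the accounts with an empty user name
DELETE FROM user WHERE User = '';
-- set a password on every root account
update user
set Password = password('NEWPASSWORD')
where user = 'root';
-- reload the grant tables so the direct edits above take effect
flush privileges;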

Basically, you are deleting the test database, removing the outside accounts, removing the nobody account, and then setting the root password. Now no one should be able to connect to mysql without a password. Create new databases and users as needed. A sample user grant is below.

-- the privilege list is missing from the page as captured; the one below is an assumed example
grant select, insert, update, delete
on some_db.*
to user@localhost
identified by 'password';
show grants;
