Skip to content

Latest commit

 

History

History
88 lines (81 loc) · 3.63 KB

hardening.md

File metadata and controls

88 lines (81 loc) · 3.63 KB

Hardening

Linux

SSH

OpenSSH

SQL

  • Setup with mysql_secure_installation - takes care of most of this for you!
  • Set strong passwords and change default passwords
    • sudo mysqladmin password
    • Unfortunately, MySQL runs background tasks as that root user. These tasks will break once you set a password, unless you take the additional step of hard-coding the password into the /root/.my.cnf file:
    [mysqladmin]
    user = root
    password = yourpassword
    
    Make sure to restrict access to that file
    $ sudo chown root:root /root/.my.cnf
    $ sudo chmod 0600 /root/.my.cnf
    
  • Remove unnecessary users
    • Remove anonymous user
    > drop user “”@”localhost”;
    > flush privileges;
  • Only grant access to the needed databases
    > grant all privileges on mydb.* to someuser@”localhost” identified by ‘astrongpassword’;
    > flush privileges;
    • You can also grant specific privileges (select, drop, delete, etc.)
  • Enable TLS
    • Once you have valid certs, add this to my.cnf
    [mysqld]
    ssl-ca=/path/to/ca.crt
    ssl-cert=/path/to/server.crt
    ssl-key=/path/to/server.key
    
    • Also, make sure the SSL cipher suites are strong ones
  • Set connection error limit
    • Bans people after x failed login attempts
    • Edit the configuration file my.cnf and set max_connect_errors:
      • max_connect_errors = 5
  • Disable load data local infile
    • The LOAD DATA LOCAL INFILE command allows users, or an attacker, to read local files and even access other files on the operating system.
    • Edit the configuration file my.cnf and set local-infile:
      • local-infile=0
  • Disable show databases
    • Edit my.cnf and add skip-show-database to the `[mysqld]`` section:
    [mysqld]
    skip-show-database
    
  • Bind MySQL to localhost
    • Edit my.cnf:
      • bind-address = 127.0.0.1
  • Privilege hardening
    • Each application that uses MySQL should have its own user that only has limited privileges and only has access to the databases it needs to run.
    • Never use ALL TO ..
    • Never use % for a hostname
    • Application user permissions should be restrictive as possible
    • Only allow super privileges to dba accounts, and localhost
    • Never ever give users global privileges, except for root, backup user, monitoring user, replication user
    • Take extra caution when granting SUPER or FILE privileges: SUPER can modify runtime configuration and become other users, FILE allows reading or writing files as MySQL process
  • Rename root user
    RENAME USER 'root'@'localhost' TO 'foobar'@'localhost';
    FLUSH PRIVILEGES;

Tools

  • flan - Flan Scan is a lightweight network vulnerability scanner.