- Closely monitor all failed login attempts. There are numerous ways to do this (more on this in Chapters 4 and 12). To have failed attempts written to the error log, enable the configuration parameter: exec sp_configure "log audit logon failure", 1
- When running on a Windows server, remove the xp_cmdshell extended procedure (which otherwise allows operating-system commands to be run from T-SQL) by executing exec sp_dropextendedproc xp_cmdshell
- Audit that developers cannot access production instances.
- Install the Sybase auditing feature and use the auditing tables in sybsecurity, or use other audit mechanisms (more on this later in this section and in Chapters 11 through 13).
1.1.5 Hardening a MySQL environment
Of the database platforms mentioned in this chapter, MySQL is the only open-source database platform. Being open source has advantages and disadvantages when dealing with security and hardening. In the long term, the open-source community has shown that a large user base and the open sharing of information tend to produce high levels of quality and therefore fewer vulnerabilities and better security. In the short term, however, open source means that attackers also have the source code and can more easily find the product's weaknesses and work out how to exploit them. For MySQL we are still in the early days, and security for MySQL is a concern. Moreover, the new features introduced in version 5.0 will likely lead to more security issues, and security management in version 5.0 promises to be a challenge. A good starting point for MySQL hardening should include at least the following:
- Physically secure the server on which MySQL lives.
- Start mysqld with the following options (or set them in the [mysqld] group of the option file):
  - --local-infile=0 to disable LOCAL in LOAD DATA statements.
  - --safe-show-database to ensure that SHOW DATABASES lists only databases for which the user has some kind of privilege. Note that this option is deprecated as of MySQL 4.0.2 in favor of the per-account SHOW DATABASES privilege. If you wish to be even more restrictive, use the --skip-show-database option, which permits SHOW DATABASES only to users holding that privilege.
  - --safe-user-create to ensure that a user cannot create new users using GRANT unless the user has the INSERT privilege on the mysql.user table.
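The three mysqld settings above can be checked offline against an option file before the server is restarted. The following Python script is an added example and is not code from the book: it parses the [mysqld] group of a my.cnf, folds option names the way mysqld does (hyphen and underscore are interchangeable, and a skip-/disable- prefix negates a boolean option), and reports which of the three settings are missing or only in their deprecated form. The two sample option files embedded in it are constructed for illustration.

```python
"""Audit the [mysqld] group of a MySQL option file for the three hardening
options discussed above.  Added example; the sample option files below are
constructed, not taken from a real deployment."""

# Boolean spellings mysqld accepts for an option given with or without a value.
_TRUE = {"", "1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no"}


def parse_mysqld_options(text):
    """Return {option: value} for the [mysqld] group of an option file.

    Names are normalised the way mysqld treats them: '-' and '_' are
    interchangeable, and a skip-/disable- prefix turns a boolean option off
    while enable- turns it on.  Later lines override earlier ones.
    """
    opts = {}
    in_mysqld = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing '#' comments
        if not line or line[0] in ";!":          # blank, ';' comment, !include
            continue
        if line.startswith("["):                 # group header, e.g. [mysqld]
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if not in_mysqld:
            continue
        name, _, value = (part.strip() for part in line.partition("="))
        name = name.lower().replace("-", "_")
        value = value.strip("'\"")
        if name.startswith(("skip_", "disable_")):
            opts[name.split("_", 1)[1]] = False
            continue
        if name.startswith("enable_"):
            opts[name[len("enable_"):]] = True
            continue
        low = value.lower()
        if low in _TRUE:
            opts[name] = True
        elif low in _FALSE:
            opts[name] = False
        else:
            opts[name] = value                   # non-boolean, e.g. datadir
    return opts


def audit_mysqld(text):
    """Return a list of findings; an empty list means all three checks pass."""
    opts = parse_mysqld_options(text)
    findings = []
    # 1. local_infile defaults to ON on the 5.x servers discussed above, so
    #    it must be disabled explicitly.
    if opts.get("local_infile", True) is not False:
        findings.append("local_infile not disabled: set local-infile=0")
    # 2. Only skip-show-database restricts SHOW DATABASES on a current server;
    #    safe-show-database is the deprecated pre-4.0.2 form.
    if opts.get("show_database", True) is not False:
        if opts.get("safe_show_database") is True:
            findings.append("safe-show-database is deprecated: use "
                            "skip-show-database and the SHOW DATABASES privilege")
        else:
            findings.append("SHOW DATABASES unrestricted: set skip-show-database")
    # 3. Without safe-user-create, GRANT alone can mint new accounts.
    if opts.get("safe_user_create") is not True:
        findings.append("safe-user-create not enabled: set safe-user-create=1")
    return findings


# Constructed sample option files (not from any real deployment).
WEAK_MY_CNF = """\
[client]
port = 3306

[mysqld]
port = 3306
datadir = /var/lib/mysql
local-infile = 1          # LOAD DATA LOCAL allowed from any client
safe-show-database        # deprecated option; does nothing on 4.0.2+
"""

HARDENED_MY_CNF = """\
[mysqld]
port = 3306
datadir = /var/lib/mysql
local-infile = 0
skip-show-database
safe-user-create = 1
"""

if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        findings = audit_mysqld(cnf)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run against the weak sample it reports three findings; against the hardened sample it reports none. Because the checker only reads the option file, pair it with SHOW VARIABLES LIKE 'local_infile' (and 'skip_show_database') on the running server to confirm the file is the one mysqld actually loaded.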