My DBA is Sick - Database Security Tips for SysAdmins

Krzysztof Ksiazek

The day happened when your database administrator did not show up on the daily online standup. Shortly after you have learned that he’ll be unavailable for an unknown period of time and it is you, who will have to step in and replace him. In a series of posts we would like to explain what are the most important areas you may have to take care of while your colleague will be off. Let’s take a look at security, one of the most important pieces of puzzle in a database environment.

What’s good, most likely you are pretty much covered. Your colleague should have secured the environment and, without human intervention, the environment should stay secure. Here’s a list of things you would like to check.

Checking Passwords

It’s quite important to ensure that all of the users have a proper password defined. You do that in a couple of ways. First, you can just check in the database. For MySQL you are looking for a query like this:

mysql> SELECT host, user FROM mysql.user where authentication_string='';

+------+-----------+

| host | user      |

+------+-----------+

| %    | emptypass |

+------+-----------+

1 row in set (0.00 sec)

For PostgreSQL you may want to review your pg_hba.conf file and verify that all of the entries have an ‘md5’ authentication method.

It is quite important to ensure that the access to your database is secured.

Checking Access

All existing servers should have already been secured but it might be that you will be asked to provision new instances. If you can reuse existing scripts, playbooks or other automation tools, you would probably be good. If you’d have to provision a new server by hand, though, please keep in mind that the access to such a server should be secured. Depending on the policies in your company this may mean different things but here’s a list of steps you can take to protect your database:

  1. Do not bind to a public IP. Your database should not be exposed to the open world. Always use a private IP to bind to.
  2. Make sure you have a proper network security in place. Firewalls, ACL’s etc - block everything, allow access only to the ports you have to access.
  3. Do not use default, “official” ports. Instead of running SSH on port 22, run it on 2345. Instead of running your MySQL database on port 3306 use 3333 or any other port that you have available. It is security through obscurity, sure, but you’ll be amazed how far it can get you.

Security Patches

In a production environment you should do your best to stay on top of the security updates. Please keep in mind that it is not only a matter of database security fixes but also other packages that are installed in the system. Any service that runs on an exposed port has to be kept up to date because, if exploited, it could become an entry point to your infrastructure. If you do not have an automated patching process in place, spend some time and try to stay up to date with any security updates your distribution of choice may be publishing.

How ClusterControl Can Help With the Security of Your Database?

ClusterControl comes with a couple of features that may help you ensure your database is secured. First of all, it comes with user management. You can create new or edit existing users.

This can be used to change insecure passwords or create new passwords if the user does not have a password defined. You can also quickly check which users do have extensive privileges and, if needed, reduce them to the minimum required to perform their tasks.

Additional feature is the list of inactive users.

ClusterControl can prepare a list of accounts that have not been used to access MySQL database since its restart. This may help you to understand which accounts are inactive and, as a result, remove them to reduce the potential access paths to your database.

Another very useful feature that will help you to stay on top of the security updates are the Operational Reports. It comes with, among others, a Package Upgrade Report.

Such reports can be scheduled and executed on a regular basis. It may be delivered to one or more recipients via email. 

It creates a list of packages installed on the system, checks if the package is in the latest version and if not, you will have a notification in the report. Executing such reports on a regular basis helps to stay on top of the upgrades and keep your environment secure.

In case you would notice that the database packages have available updates, you can use another feature of ClusterControl to perform a minor version upgrade:

With a couple of clicks you can easily perform an upgrade of your MySQL or MariaDB database to the latest version, ensuring that you are protected from known security vulnerabilities.

As you can see, keeping the system secure requires several actions to be taken and it does require regular checks to stay on top of the updates. With database management platforms like ClusterControl, it becomes much easier to accomplish.

ClusterControl
The only management system you’ll ever need to take control of your open source database infrastructure.