
MySQL Security with ClusterControl | Severalnines

If you are an experienced MySQL DBA, you probably already know how important MySQL security is. For you, security comes without question: you secured your database instances from the get-go, as soon as you installed them. Did you?

Well, if you did not, no worries: learn the fundamentals of securing MySQL and you should be on a good path. You probably already know about ClusterControl, developed by well-known database ninjas from across the globe, which can help solve your MySQL problems in no time; when it comes to security, however, things are not quite so simple.

Why Secure?

"But wait", you say. Why should you secure your MySQL instances in the first place? Well, there are a couple of reasons why you should do that:

Controlling access to your MySQL instances and properly assigning privileges is a good way to limit the impact of data breaches: if an account with fewer privileges is compromised, the consequences are far less severe than, say, a breach of a superuser account.

However, MySQL security does not end with proper privilege assignment: the fundamentals of MySQL security also include password management and account locking, as well as securing your backups. In order to secure your MySQL instances, you would first need to examine which attacks target your business the most (it would probably be SQL injection, which can be fended off by using prepared statements and not trusting user input), then choose what kind of security measures you need to take to fend all of those attacks off, and apply them. You would also need to think about what you want to do when you suspect that an account is already the target of an attack.
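To make the prepared-statement advice concrete, here is an added example (not code from the original post) that builds the same lookup two ways using MySQL's own server-side prepared statements; the schema, the table contents and the "user input" value are constructed for illustration.

```sql
-- Added example: one lookup built two ways with MySQL server-side prepared
-- statements. Schema and data are constructed for illustration.
CREATE DATABASE IF NOT EXISTS app;
USE app;
CREATE TABLE IF NOT EXISTS users (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
);
INSERT INTO users (id, email) VALUES (1, 'alice@example.com'), (2, 'o''brien@example.com');

-- Constructed "user input": a perfectly legitimate address that happens to
-- contain a single quote, the character that delimits strings in SQL.
SET @input = 'o''brien@example.com';

-- UNSAFE pattern: the input is spliced into the statement text. The quote in
-- @input terminates the string literal early, so the resulting text is no
-- longer the statement the developer wrote. Here that is a parse error; other
-- input would yield a different but valid statement. Shown, not executed.
SET @unsafe_sql = CONCAT('SELECT id FROM users WHERE email = ''', @input, '''');
SELECT @unsafe_sql AS statement_that_would_be_run;

-- SAFE pattern: the statement text is fixed at PREPARE time and the value is
-- bound with USING, so whatever @input contains is compared as data only.
PREPARE find_user FROM 'SELECT id FROM users WHERE email = ?';
EXECUTE find_user USING @input;     -- the quote is part of the value, never parsed as SQL
DEALLOCATE PREPARE find_user;
```

Application drivers expose the same distinction: bind parameters through the driver's prepared-statement API instead of concatenating values into query strings.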

How to Decide What to Do?

Obviously, everything sounds simpler than it is, right? Just how do you choose what measures to employ when securing your MySQL database instances? Don't worry, though:

  • Does your application rely heavily on databases, with users constantly executing SQL queries? Protect against SQL injection attacks. The easiest way to do that is not to trust user input: do not pass user input straight to the database, and use prepared statements when querying it.

  • Suspect that the primary way attackers could steal data is by logging in to your MySQL account? Use a strong password, preferably generated by a password manager. The reason is simple: if your password is obtained by an attacker (for example by breaking into a system and dumping all of its user data), and if that password-manager-generated password is hashed, cracking the hash will be a very, very difficult task. The more complex your password is, the harder it will be.

  • Want to ensure that even if your account gets hacked, the attacker can do as little damage as possible? When assigning privileges, apply the need-to-know principle: do not assign unnecessary privileges to users. In other words, assign only the privileges that are absolutely necessary for users to do their tasks, and no more.

  • Worried that some of your employees might set weak passwords on their MySQL accounts? Worry not: you can enable password strength testing with the validate_password plugin. When the plugin is in use and, for example, an account is created, the account must use a secure password, the required strength of which is defined by the validate_password_policy parameter, which accepts 3 values: LOW, MEDIUM, and STRONG. LOW only checks password length, MEDIUM checks that passwords contain lowercase, uppercase, numeric, and special characters, and STRONG additionally requires that any password longer than 4 characters does not match any word in a specified dictionary file.

  • Suspect that your MySQL account may be the target of an attack? Lock the account, then investigate the incident. Keep in mind that MySQL supports both ACCOUNT LOCK and ACCOUNT UNLOCK clauses, which can be used like so:
    ALTER USER 'account_name' IDENTIFIED BY 'your_super_safe_password' ACCOUNT LOCK;
    That's it! Your account is now locked!
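Putting the last three measures together, here is an added example (not code from the original post) written as a MySQL 5.7-style hardening script; the account name, host pattern, dictionary path and password are placeholders, and it assumes the validate_password plugin is available but not yet installed.

```sql
-- Added example: password policy, least privilege and account locking in one
-- script. Account name, host pattern, dictionary path and password are
-- placeholders; assumes MySQL 5.7 with the validate_password plugin available.

-- 1. Enforce password strength server-wide (SET GLOBAL does not survive a
--    restart; put the same settings under [mysqld] in my.cnf as well).
INSTALL PLUGIN validate_password SONAME 'validate_password.so';  -- errors if already installed
SET GLOBAL validate_password_policy = STRONG;
SET GLOBAL validate_password_length = 14;
SET GLOBAL validate_password_dictionary_file = '/etc/mysql/weak-passwords.txt';  -- placeholder; file must exist
SHOW VARIABLES LIKE 'validate_password%';

-- 2. Least privilege: the application account gets only the DML it needs, on
--    one schema, from one network range. No GRANT OPTION, no SUPER, no FILE.
CREATE USER 'appuser'@'10.0.0.%'
  IDENTIFIED BY 'Replace-Me-With-A-Generated-Password-42!';  -- placeholder that satisfies the policy
GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'appuser'@'10.0.0.%';
SHOW GRANTS FOR 'appuser'@'10.0.0.%';

-- 3. Suspected compromise: lock the account, then cut off sessions that are
--    already open, because ACCOUNT LOCK only blocks new connections.
ALTER USER 'appuser'@'10.0.0.%' ACCOUNT LOCK;
SELECT id, host, db, command FROM information_schema.processlist WHERE user = 'appuser';
-- KILL <id>;   -- once for each id returned above

-- Verify the state, and unlock only once the investigation is complete.
SELECT user, host, account_locked FROM mysql.user WHERE user = 'appuser';
ALTER USER 'appuser'@'10.0.0.%' ACCOUNT UNLOCK;
```

On MySQL 8.0 the plugin has been replaced by the validate_password component, whose variables are named validate_password.policy, validate_password.length and so on.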

Obviously, there is more to it (check one of our older blog posts on MySQL security for more details), but these steps should give you a pretty good idea of what to do.

ClusterControl

Now, MySQL security is closely related to performance, and while the performance of MySQL isn't the primary focus of this blog post, it can be taken care of by employing ClusterControl: ClusterControl is a fully-fledged database management system that handles everything database-related, from backing up your data, monitoring & alerting, deployment & scaling, to updates, configuration, performance management, etc. For example, open ClusterControl and click on Performance Advisors: you will see a couple of categories, including MySQL. In the MySQL category, you can make sure that the performance of your database never suffers:

(Screenshot: ClusterControl Performance Advisors, MySQL category)

In the screenshot above, you can see that ClusterControl provides a couple of advisors (connections, general, and InnoDB in this case) that tell you exactly what to do to make sure your databases stay in shape and are as performant as ever.

We hope this blog post has helped you improve the security of your MySQL database instances at least a little. While it only covered the fundamentals, keep them in mind and the security of your MySQL instances should be on a good path.
