I have always been a friend of good practices, much more if they help us to maintain the security of our servers, services, or simply our information.
A habit (bad habit) that many administrators or users have is to use access with root for all databases, that is ... they install a site using the WordPress CMS, and as access data to the database (for WP to use the MySQL server and use its DB) they put the MySQL server administration user : root
Also, they install any other web application (a chat, paste, forum, etc) and do the same, they always use the root user of MySQL ...
MISTAKE!!!
This is simply a fatal habit.
Suppose we have the following services on a server:
- A site or portal using WordPress.
- Our support forum, talks, etc ... a whole community.
- An FTP that uses a MySQL database to store users and passwords.
- The email users are stored (users and passwords) in a MySQL database.
- A small WebChat that we install to chat with someone you know.
And in all of them, in the 5 services we use the MySQL root user so that each service accesses and saves the data in its corresponding database.
One fine day, any of the many troll out there, but this is not only a troll, but it also masters some exploits, vulnerabilities, hacking, etc ... decides to do something harmful to us.
Find a bug in the WebChat that we are using, taking advantage of this bug, it manages to access WebChat files, including the WebChat configuration file, and… in this file, obviously, is the username and password that the WebChat uses to access the MySQL server, and guess what? … It is nothing more and nothing less the ROOT USER!
By getting this information, in a very simple way the troll can:
- Delete us and / or steal everything related to the site or portal that we have (WordPress).
- You can delete and / or steal information from us AND from our users who use the Forum, the community we create.
- You can also steal the username and password of ALL users who have an email account on our server, as well as steal the information from their emails, impersonate, etc.
- And now finally, you can use an account on our FTP server, and upload any file that contains malware, which would allow you to gain ABSOLUTE and TOTAL control of our server.
Well ... what do you think? … 🙂
Do you see everything that can happen just by not creating independent users for each database we have?
This is NOT an exaggeration friends, this can happen with amazing ease ... well, all that is needed to unleash the catastrophe is just a bug in some of the web applications that you have installed.
Now…
How to create separate MySQL users for each web application?
First we must enter the MySQL server with the root user, since he is the one who has the privileges to create databases, establish permissions, create users, etc:
mysql -u root -p
When they write the above and press [enter] they will be asked for the password of the root user of MySQL, they write it and press [enter] again, you will instantly be shown something like this:
Now we will create a database named «webchatdb«:
CREATE DATABASE webchatdb;
Ready, you have already created the database, now let's create the user «webchatuser«With the password«passworddelputowebchat«:
CREATE USER 'webchatuser'@'localhost' IDENTIFIED BY 'passworddelputowebchat';
Now the magic ... we will give all the privileges (read and write) to webchatuser ONLY in the DB webchatdb:
GRANT ALL PRIVILEGES ON webchatdb.* TO 'webchatuser'@'localhost' WITH GRANT OPTION;
And voila, the user already has the permissions in that database ... now all that remains is to refresh the permissions to MySQL, that is, tell MySQL to re-read the privileges of the users because we have just made a change in them:
FLUSH PRIVILEGES ;
I leave you a screenshot:
And this has been everything. By doing this for each web application that we use, we guarantee that in case they manage to breach one of those web applications, the others will be safe (at least from the MySQL point of view)
What is a good practice? 😉
I hope it has been as useful to you as it is to me, because I tried to explain it as simply as I could.
regards
Good post KZKG, if it were in the forum I would ask for a sticky!
Thank you
The password you set for the webchat is good, another thing that has to do with mysql is the use of its memory
Hehehe, thanks for reminding me of the MySQL commands. Now let's see if "I put some security" on the World of Warcraft server database that I have on my LAN.
my knowledge on this is nil, but it is almost the same for when using MySQL for Amarok?
CREATE DATABASE amarokdb;
GRANT ALL PRIVILEGES ON amarokdb. * TO 'amarokuser' IDENTIFIED BY 'password'; FLUSH PRIVILEGES;
I haven't used Amarok for a long, long time, but if you use a DB that is MySQL, in theory it should work that way too.
Hello, it would be good if you created an entry for security against web servers in Linux, many of them do not have the proper security and the administrator of the same is not properly an expert, they only facilitate things, for example the use of symlink in the servers allows reading the configuration files of other accounts on the same server many administrators are unaware of this and that is why website defaces proliferate
regards
Hello there,
Welcome to the site 🙂
Actually I do not consider myself by far an expert in this matter, but I will try to contribute the little knowledge that I have been acquiring over the years 🙂
Another thing that not many network administrators do, is give privileges to sites with apache individually, that is, the user and group www-data (or similar), which is a different one for each site, and in turn cage each one of these.
regards
Good tip
regards
Thank you
I HATE the look of your terminal, the background letters take me out of my concentration. You are a fucking crazy xD
Outside of that, it's interesting because I've seen pathetic cases of service outages from those things.
Now, not only does it depend on that, the security lies in how the database was built, a teacher explained to me, but I'm not very immersed yet in the DB ... we should mess with MongoDB = D one of these days
just that happened to me today with my rented server
I followed your steps, I went to cpanel and look for the MYSQL database and it tells me that it is out of order.
I do not know how to enter now under the root user
I am a neophyte in this, but reading here you learn a lot, I hope you guide me to access
Hello
What you have is a Hosting (SharedHosting) or a VPS (virtual server)?
If you have a Hosting and not a VPS, then you should see if your Hosting has SSH access (contact the technical support of the company that sold you the hosting and ask them how to access via SSH), once you enter through SSH, the user will NOT be root, but you must use the user you entered when you installed that web application.
Actually yours is a complicated topic, because the variants and possibilities are sooooo many, I recommend that you open a new topic in our forum, there it will be more comfortable to help you - » http://foro.desdelinux.net
regards
Good,
I understand that it is good practice not to give all privileges to any user except root. However, since I installed phpmyadmin a new user "phpmyadmin" has been created with all privileges. It seems logical that this should be the case, since it is only a graphical version to manage the databases in MySQL. Anyway I would like to make sure if it is fine as it is or should I make some modification in the privileges of the user "phpmyadmin".
Greetings and thank you!
Excellent…
I am one of those who do everything with root, but you have opened my eyes friend ..
Thanks a lot…