Routine Audit

Once everything's up and running, you shouldn't make the mistake of leaving MySQL to run without administration. If your lockdown has been sufficient you will be well protected against attackers, but it's helpful to know when someone is attempting to attack you, even if they're unsuccessful. Who knows, they might return armed with some 0-day overflow exploit and be successful the next time they try. Vigilance is key.

  1. Check your logs.

    If you've configured the query log with the --log option, you should check it regularly to see what's been going on. Specifically, search for common SQL injection attacks and use of the load_file, infile, and outfile filesystem syntax.

    It's important to check the error logs regularly as well, though they tend not to be as informative as the query log.

    Remember when interacting with logs that log data can be highly sensitive; if you're importing it into some other repository (such as a database) for analysis, remember that the query log may contain usernames and passwords.

  2. Enumerate users and use the “show grants” statement regularly to see what privileges are granted to which users. For example:
    mysql> select user, host from mysql.user;
    +-------+-----------+
    | user  | host      |
    +-------+-----------+
    | monty | %         |
    | root  | localhost |
    +-------+-----------+
    2 rows in set (0.00 sec)

    mysql> show grants for 'monty'@'%';
    +-----------------------------------------------------------------------------------+
    | Grants for monty@%                                                                |
    +-----------------------------------------------------------------------------------+
    ...
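The two audit steps above, log review and privilege review, lend themselves to a small script run on a schedule. The following Python is an added example, not code from the book: it scans a constructed sample of the general query log for load_file, infile and outfile use and for common injection fragments, then flags over-broad accounts from constructed output of "select user, host from mysql.user" and "show grants". The log line format, the sample entries, the account names and the regular expressions are assumptions and heuristics to be tuned against a real server's log; a match is a prompt to look, not proof of an attack.

```python
import re

# Constructed sample of a MySQL general query log (time, thread id, command,
# argument, tab separated). These lines are invented for the example.
SAMPLE_QUERY_LOG = """\
060301 10:03:12\t    7 Connect\tmonty@10.0.0.5 on shop
060301 10:03:13\t    7 Query\tselect name, price from products where id = 42
060301 10:03:15\t    7 Query\tselect name, price from products where id = 42 union select user, password from mysql.user
060301 10:03:19\t    7 Query\tselect load_file('/etc/passwd')
060301 10:03:22\t    7 Query\tselect 1 into outfile '/tmp/x.txt'
060301 10:03:30\t    8 Connect\tapp@localhost on shop
060301 10:03:31\t    8 Query\tselect count(*) from orders where customer = 'smith'
060301 10:03:40\t    8 Query\tload data infile '/tmp/x.txt' into table orders
"""

# Assumed log line layout; adjust the pattern if your server formats differently.
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+)\t\s*(?P<tid>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Heuristic rules: filesystem syntax the text singles out, plus injection fragments.
QUERY_RULES = [
    ("filesystem read (load_file)", re.compile(r"\bload_file\s*\(", re.I)),
    ("filesystem write (outfile/dumpfile)", re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I)),
    ("filesystem read (load data infile)", re.compile(r"\bload\s+data\s+(local\s+)?infile\b", re.I)),
    ("injection pattern (union select)", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("injection pattern (tautology)", re.compile(r"\bor\s+'?\d+'?\s*=\s*'?\d+'?", re.I)),
    ("injection pattern (comment truncation)", re.compile(r"(--\s|/\*)")),
]


def scan_query_log(text):
    """Return (thread_id, rule label, statement) for every Query entry that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        stmt = m.group("arg")
        for label, rx in QUERY_RULES:
            if rx.search(stmt):
                hits.append((int(m.group("tid")), label, stmt))
    return hits


# Constructed results of "select user, host from mysql.user" and "show grants for ...";
# the accounts and grants are invented for the example.
SAMPLE_USERS = [("monty", "%"), ("root", "localhost"), ("app", "localhost"), ("report", "10.0.0.%")]
SAMPLE_GRANTS = {
    ("monty", "%"): ["GRANT ALL PRIVILEGES ON *.* TO 'monty'@'%' WITH GRANT OPTION"],
    ("root", "localhost"): ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"],
    ("app", "localhost"): ["GRANT USAGE ON *.* TO 'app'@'localhost'",
                           "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'localhost'"],
    ("report", "10.0.0.%"): ["GRANT USAGE ON *.* TO 'report'@'10.0.0.%'",
                             "GRANT SELECT, FILE ON *.* TO 'report'@'10.0.0.%'"],
}


def audit_grants(users, grants):
    """Return {(user, host): [findings]} for accounts whose host or grants are over-broad."""
    findings = {}
    for user, host in users:
        notes = []
        if host == "%":
            notes.append("reachable from any host")
        for g in grants.get((user, host), []):
            if re.search(r"\bFILE\b", g):
                notes.append("FILE privilege: can use load_file/outfile")
            if "ALL PRIVILEGES" in g:
                notes.append("ALL PRIVILEGES: " + g.split(" TO ")[0])
            if "WITH GRANT OPTION" in g:
                notes.append("can grant privileges to others")
        if notes:
            findings[(user, host)] = notes
    return findings


if __name__ == "__main__":
    for tid, label, stmt in scan_query_log(SAMPLE_QUERY_LOG):
        print("thread %d: %s: %s" % (tid, label, stmt))
    for (user, host), notes in audit_grants(SAMPLE_USERS, SAMPLE_GRANTS).items():
        print("'%s'@'%s': %s" % (user, host, "; ".join(notes)))
```

Run against the constructed sample, the log scan reports four statements (the union select, the load_file call, the into outfile write and the load data infile read) and the grant audit flags monty, root and report while leaving the least-privilege app account alone. Since the query log itself may hold usernames and passwords, run the script where the log lives rather than copying the log elsewhere.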

Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.