Security Tasks part 2

In the second part of this series of DBA security tasks, we continue looking at fixing MySQL database users with an insecure setup.

These are not tips that you read with your morning coffee and then forget about. They are tasks, important tasks, which you add to your project or task list and work through until they are completed and, if necessary, signed off.

Task 2: Remove anonymous users

The Problem:

Anonymous accounts (an empty user name) allow anyone connecting from a host that matches the account's host string to connect without a named account.

SQL to check:

select user,host from mysql.user where user = '';
+------+-----------+
| user | host      |
+------+-----------+
|      | 192.168.% |
+------+-----------+
1 row in set (0.00 sec)

The Fix:

Following the recommendations from the previous post, every connection should use a specific user and, where possible, a specific hostname or subnet mask.
Remove the anonymous users.

How to apply the fix:

  1. Prepare a security audit report/review.
  2. Present or email it to stakeholders (developers, reporting users, managers).
  3. Prepare a maintenance plan and gain approval for the change.
  4. Organize a maintenance window with a specific date and time and gain approval for the change.
  5. Follow the maintenance plan, which will be something like this:
    – Announce the start of the maintenance window in your chat/communication channel.
    – Drop any anonymous users.
    – Get developers or report users to test to make sure their applications still work.
    – Confirm all is good.
    – Announce the end of the maintenance window in your chat/communication channel.
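The SQL for the "drop any anonymous users" step, as an added example that is not from the original post. It generates one DROP USER statement per anonymous account from mysql.user so that each host pattern is named explicitly; the host 192.168.% is taken from the check output above and will differ on your server.

```sql
-- Added example (not the original post's code): find every anonymous account,
-- generate the exact DROP USER statement for each, drop them, then re-check.

-- 1. List anonymous accounts (empty user name) together with their host patterns.
--    Note the host pattern: MySQL matches the most specific host first, so a named
--    user connecting from an address that matches the pattern can be matched to the
--    anonymous account instead of its own.
SELECT user, host FROM mysql.user WHERE user = '';

-- 2. Generate one DROP USER statement per anonymous account. Doubled single quotes
--    ('') produce a literal quote, so the result reads: DROP USER ''@'<host>';
--    Review the generated statements before running them in the maintenance window.
SELECT CONCAT('DROP USER ''''@''', host, ''';') AS drop_statement
FROM mysql.user
WHERE user = '';

-- 3. Run the generated statement(s). For the host in the check output above:
DROP USER ''@'192.168.%';
-- DROP USER removes the account and its privileges; FLUSH PRIVILEGES is not needed.
-- It does not close sessions that are already open, so anyone connected as the
-- anonymous account keeps their privileges until they disconnect.

-- 4. Confirm nothing is left before announcing the end of the window.
SELECT COUNT(*) AS anonymous_accounts FROM mysql.user WHERE user = '';
```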

Note:

Recent versions of MySQL, MariaDB and Percona have recognized the problem with anonymous users, and they are removed if you follow the correct instructions when the database is first created. Sadly this doesn't help if your database has been upgraded over time from much older versions.

Next time we will look at passwords: the good, the bad and the ugly.