This document outlines best practices for securing MySQL databases against external attacks, focusing on user management, network encryption, and data protection. It includes security best practices applicable to cloud environments, particularly AWS, and emphasizes the importance of regular updates, user roles, and strong passwords. Key components of the discussion involve securing internal vulnerabilities and implementing AWS-specific strategies to ensure database security.

1. Securing your database servers
from external attacks
Alkin Tezuysal (Sr. Technical
Manager,Percona)
David Busby (Information Security
Architect, Percona)

2. 2
Who we are?
David Busby (@icleus)
● Technical Security Evangelist
● Open Source Evangelist
● Certified Information Systems Security Professional
● Assistant Scout Leader
● Assistant Instructor computing for children
● Ju-Jitsu nidan and ex-Instructor
Alkin Tezuysal (@ask_dba)
● Open Source Database Evangelist
● Global Database Operations Expert
● Cloud Infrastructure Architect AWS
● Inspiring Technical and Strategic Leader
● Creative Team Builder
● Speaker, Mentor, and Coach
● Outdoor Enthusiast

3. 3
Agenda
● Security Common Sense
● MySQL Security
○ MySQL Passwords
○ MySQL Communication
○ MySQL Encryption
● Security Best Practices
● MySQL Security in Cloud Operators (AWS)
● Q & A

4. Database Security Best Practices
Apply Common Sense here

5. 5
Security Do’s
● Restrict access to database hosts
○ Not just to the Database service
● Create individual users, use roles MySQL 8.0
● Set a password for all users
● Remove anonymous and obsolete users
● Use up-to-date software
● Review, update, modify security policies as needed
● Always remember to secure internal before blocking
external vulnerabilities

6. 6
Password Attacks
● Weak passwords?
● Reusing old passwords?
● Leverage password validation plugin!
● Old version of MySQL those not password feature
rich?
● MySQL unsha1 attack
● MySQL hash cracking OSS (john, hashcat, etc...)

7. 7
Network Operations
● All connections must use SSL (or other encryption)
○ Performance impact is minimal versus risks
● Mysql ~>= 5.7 has SSL connection by default
○ Ensure >= 5.7.13
● Network encrypted tunnel options
○ N2N, openvpn (TLS), ssh tunnel, IPSEC,
Links:
https://www.percona.com/blog/2017/06/27/ssl-connections-in-mysql-5-7/
https://www.percona.com/blog/2017/09/19/proxysql-improves-mysql-sslconnections/
http://databaseblog.myname.nl/2017/05/mysql-and-ssltls-performance.html
https://github.com/ntop/n2n

8. 8
MySQL Data Encryption
● Disk Volume encryption
○ BitLocker, FileVault2, LUKS, eCryptFS, Veracrypt,
EBS encrypted volumes (please use KMS for
encryption keys!)
● At-rest encryption for InnoDB tablespace
● At-rest encryption for binary logs
Links:
https://dev.mysql.com/doc/refman/5.7/en/faqs-tablespace-encryption.html
https://docs.oracle.com/cd/E17952_01/mysql-5.7-en/innodb-tablespace-encryption.html
https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html

9. 9
Connection Overhead
https://tinyurl.com/ycldtnpkhttps://tinyurl.com/y7v7jhmo

10. Security Features by MySQL
MySQL variants

11. 11
MySQL Variants
● MySQL Community Edition 5.5 -> 8.0
● MySQL Enterprise Edition
● Percona Server 5.5 -> 5.7 -> 8.0
● MariaDB 5.5, 10.X
● Galera, Group Replication/InnoDB Cluster
● X Protocol/mysqlsh (33060) -> 8.0
Links:
https://dev.mysql.com/doc/internals/en/x-protocol.html
https://dev.mysql.com/doc/internals/en/x-protocol-authentication-authentication.html

12. 12
MySQL Security by Version
● GRANT (3.23)
● REVOKE (3.23)
● SET PASSWORD (3.23)
● SHOW GRANTS (3.23)
● DROP USER (4.1)
● SHOW PRIVILEGES (4.1)
● CREATE USER (5.0)
● RENAME USER (5.0)
● ALTER USER (5.6)
● SHOW CREATE USER (5.7)
● CREATE ROLE (8.0)
● DROP ROLE (8.0)
● SET ROLE (8.0)
● SET DEFAULT ROLE (8.0)

13. 13
Important mysql.user table
< 5.5 host user password
> 5.5 authentication_string
> 5.6 password_expired
> 5.7 account_locked password (removed)
> 8.0 create_role_priv drop_role_priv

14. 14
Security Features by MySQL Version
● 5.1 - McAfee Audit plugin
● 5.5 - pluggable authentication (MariaDB 5.2
backport), proxy users, changes in mysql.user
table, client password warning; Enterprise
provided Audit and PAM authentication (present
again in Percona Server for MySQL and
MariaDB Server)
● 5.6 - encrypted client credentials
(mysql_config_editor), sha256_password,
password expiry,
VALIDATE_PASSWORD_STRENGTH(),
--random-passwords (optional random on
install), mysql.user password_expired column;
Enterprise Firewall
● 5.7 - grep for root password on installation,
password expiry every ‘n’ days, user accounts
can be locked/unlocked, mysql_ssl_rsa_setup,
mysql.user.password removed,
super_read_only, at rest tablespace encryption
● 8.0 - roles + mysql.user changes
● Percona Server
○ MySQL 5.5 - extended SHOW GRANTS,
utility user, userstats , Audit Plugin
○ MySQL 5.6 - super_read_only
○ MySQL 5.7 - Vault plugin

15. 15
Harden your MySQL Security
● Set a password for ‘root’
● Remove all anonymous users
● Remove ‘test’ database (gone on 8.0)
● Use mysql_secure_installation where possible (5.7)
● Install (and use!) validate_password plugin (>= 5.6)
○ There are methods which circumvent this however ...
■ ... IDENTIFIED BY ‘*ABC...’ (passing the hash, allows using a weak password)
● Ensure Path of Least Privilege
○ Stop using GRANT ALL on *.*...
○ ALL includes: FILE, CREATE_ROUTINE, SUPER,
○ Allowing write on mysql.users can allow injection of credentials that will be
loaded at a later time!

16. MySQL Security in the Cloud
AWS Focused

17. 17
Pillars of AWS Security
Data Protection Privilege Management
Infrastructure
Management
Detective Controls
Security

18. 18
AWS Security Best Practices
● Know shared responsibility model
● Manage AWS Accounts, IAM / MFA Users, Groups, and Roles
● EC2 Topology management
○ VPC
● RDS MySQL
○ RDS
○ AURORA
● AWS Tools
○ CloudTrail
○ CloudWatch
○ Config

19. 19
AWS Security Best Practices
● RDS
○ Shared responsibility for container service
● EC2
○ Amazon Machine Images (AMIs)
○ Operating systems • Applications
○ Data in transit
○ Data at rest
○ Data stores
○ Credentials - Key pairs
○ Policies and configuration

20. 20
AWS Shared Responsibility Model

21. 21
AWS IAM is your friend
● Centrally manage users
● Manage security credentials
○ passwords, access keys, and permissions policies
● Beware of regions, availability zones, endpoints
● AWS API keys require strict protection
○ E.g. code pushed to Github, Bitbucket etc with keys

22. 22
In addition to IAM
● AWS Key Management Service
● AWS CloudTrail
○ Audit logging, invaluable to know what occurred and when
● AWS Maice - Data Classification Service
● AWS Trusted Advisor
○ Automated tool to get reports on security groups etc (if you spend enough)
https://aws.amazon.com/premiumsupport/ta-faqs/

23. 23
Pre-configure and harden EC2 AMI
● Disable root API access keys and secret key
● Require MFA for all IAM accounts
● Restrict access to instances from limited IP ranges using Security
Groups
● Password protect the .pem file on user machines
● Delete keys from the authorized_keys file on your instances when
someone leaves your organization or no longer requires access
● Rotate credentials (DB, Access Keys)
● Regularly run least privilege checks using IAM user Access Advisor and
IAM user Last Used Access Keys
● Use bastion hosts to enforce control and visibility

24. 24
Utilizing AWS VPC

25. 25
MySQL Data in Transit
● Web Layer
○ Encrypt data in transit using IPSec ESP and/or SSL/TLS
○ Authenticate data integrity using IPSec ESP/AH, and/or SSL/TLS
○ Use IPSec with IKE with pre-shared keys
● Database Layer
○ SSL/TLS is currently supported for connections to Amazon RDS MySQL
○ AWS provides a single self-signed certificate associated with the MySQL

26. 26
AWS Trusted Advisory Tool Checks
● Limited access to common administrative ports to only a small subset of
addresses. This includes ports 22 (SSH), 23 (Telnet) 3389 (RDP), and
5500 (VNC).
● Limited access to common database ports. This includes ports 1433
(MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), Oracle
(1521) and 5432 (PostgreSQL).
● IAM is configured to help ensure secure access control of AWS
resources.
● Multi-factor authentication (MFA) token is enabled to provide two-factor
authentication for the root AWS account.

27. 27
References and Credits
References:
● AWS Security Best Practices
● AIM Best Practices
● Amazon Virtual Private Cloud
Connectivity Options
● VPC Networking Components
● SSL Connections in MySQL 5.7
● ProxySQL Improves MySQL
SSL Connections
● Everything about MySQL Users
and Logins You Didn’t Know
and Were Afraid to Ask
Credits:
● Colin Charles
● Janos Ruzso
● Tibor Korocz
● Jervin Real
● Daniel van Eeden

28. Questions and Answer

29. 29
Thank You Sponsors!!

30. 30
Rate My Session