You are reading Part 40 of the 57-part series: Harden and Secure Linux Servers. [Level 4]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

Databases store critical and sensitive data, making them prime targets for cyberattacks. Poorly secured databases can lead to:

  • Data breaches – Unauthorized access to sensitive data.
  • SQL injection attacks – Exploitation of weak authentication mechanisms.
  • Privilege escalation – Attackers gaining full control of the database.

By securing database access, you reduce vulnerabilities, protect sensitive data, and ensure compliance with security regulations (PCI-DSS, GDPR, HIPAA).

How to Secure Database Access in Linux

1. Restrict Database Access to Specific IPs

Limiting access only to trusted IPs prevents unauthorized connections.

For MySQL/MariaDB:
  • Allow connections from a specific IP (192.168.1.100):

    -- "database" is a placeholder; substitute your schema name (DATABASE is a reserved word in MySQL)
    CREATE USER 'dbuser'@'192.168.1.100' IDENTIFIED BY 'StrongPassword';
    GRANT ALL PRIVILEGES ON database.* TO 'dbuser'@'192.168.1.100';
    FLUSH PRIVILEGES;
    
  • Deny remote access by default (Only allow local connections):

    sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
    

    Find:

    bind-address = 127.0.0.1
    

    (This ensures MySQL only listens for connections from the local machine.)

For PostgreSQL:
  • Restrict connections to specific IPs:

    sudo nano /etc/postgresql/14/main/pg_hba.conf
    

    Add:

    host  all  dbuser  192.168.1.100/32  md5
    
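  • Ensure PostgreSQL listens only on localhost and on a specific address of the server itself:

    sudo nano /etc/postgresql/14/main/postgresql.conf
    

    Find and modify:

    # listen_addresses takes this server's own interface addresses; client IPs are filtered in pg_hba.conf
    listen_addresses = 'localhost, 192.168.1.100'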
    

Restart MySQL or PostgreSQL for changes to take effect:

sudo systemctl restart mysql
sudo systemctl restart postgresql
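
The pg_hba.conf rules above can be checked mechanically. The following is an added example, not part of the original guide: a small Python audit that flags rules, written in the CIDR form used above, that allow non-TLS connections, use an authentication method weaker than scram-sha-256, or match more than one client address. The function name audit_pg_hba and the sample file content are constructed for illustration.

```python
import ipaddress

WEAK_METHODS = {"trust", "password", "md5"}  # no auth, cleartext, legacy hash

# Constructed sample pg_hba.conf content (not from a real server).
SAMPLE = """\
# TYPE  DATABASE  USER    ADDRESS            METHOD
local   all       all                        peer
host    all       dbuser  192.168.1.100/32   md5
hostssl all       dbuser  192.168.1.100/32   scram-sha-256
host    all       all     0.0.0.0/0          trust
"""

def audit_pg_hba(text, max_hosts=1):
    """Return (line_no, finding) tuples for risky host* rules."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # skip comments, blanks and local (socket) rules
        conn_type, address, method = fields[0], fields[3], fields[4]
        if conn_type in ("host", "hostnossl"):
            findings.append((no, f"{conn_type} permits non-TLS connections; use hostssl"))
        if method in WEAK_METHODS:
            findings.append((no, f"weak auth method {method}; prefer scram-sha-256"))
        try:
            net = ipaddress.ip_network(address, strict=False)
            if net.num_addresses > max_hosts:
                findings.append((no, f"{address} matches {net.num_addresses} addresses"))
        except ValueError:
            # Hostnames and keywords such as "all" or "samenet" need a human look.
            findings.append((no, f"{address} is not a CIDR range; review manually"))
    return findings

if __name__ == "__main__":
    for no, finding in audit_pg_hba(SAMPLE):
        print(f"line {no}: {finding}")
```

Run against the sample, the md5 rule from this section is reported twice (plain host type and legacy hash), while the hostssl rule with scram-sha-256 passes cleanly.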

2. Use Encryption for Data at Rest and In Transit

Encryption ensures that even if data is intercepted or stolen, it remains unreadable.

Encrypt Data at Rest
  1. Enable Transparent Data Encryption (TDE) for MySQL (Enterprise Feature)

    ALTER TABLE sensitive_table ENCRYPTION='Y';
    
  2. Encrypt PostgreSQL Data at Rest Using pgcrypto

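    CREATE EXTENSION IF NOT EXISTS pgcrypto;
    -- pgp_sym_encrypt() returns bytea; armor() converts it to text so it fits a text column
    UPDATE users SET password = armor(pgp_sym_encrypt(password, 'encryption_key'));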
    
Encrypt Data in Transit
  1. Enable SSL/TLS for MySQL

    sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
    

    Add:

    require_secure_transport = ON
    

    Restart MySQL:

    sudo systemctl restart mysql
    
  2. Enable SSL for PostgreSQL

    sudo nano /etc/postgresql/14/main/postgresql.conf
    

    Modify:

    ssl = on
    

    Restart PostgreSQL:

    sudo systemctl restart postgresql
    
3. Regularly Update Database Passwords and Apply the Least Privilege Principle

Use Strong and Rotating Passwords
  • Change passwords every 90 days and enforce strong password policies:

    ALTER USER 'dbuser'@'192.168.1.100' IDENTIFIED BY 'NewStrongPassword!';
    
Apply the Principle of Least Privilege (PoLP) to Database Users
  • Grant users only necessary permissions instead of full database access.

  • Example: Allow a user to only SELECT and INSERT, but not DELETE or DROP tables:

    GRANT SELECT, INSERT ON database.* TO 'readonly_user'@'192.168.1.100';
    
4. Enable Database Logging and Auditing

To detect suspicious activity, enable query logging and access auditing.

For MySQL:
SET GLOBAL general_log = 'ON';
SET GLOBAL log_output = 'TABLE';

View logs:

SELECT * FROM mysql.general_log;

For PostgreSQL:
sudo nano /etc/postgresql/14/main/postgresql.conf

Add:

log_statement = 'all'
log_connections = on

Restart PostgreSQL:

sudo systemctl restart postgresql

5. Protect Against SQL Injection
  • Use prepared statements in queries instead of directly inserting user input.

  • Example of a secure SQL query in Python:

    cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
    
6. Backup Databases Securely

Regular backups help recover data in case of corruption or breaches.

  • Automate encrypted backups with cron jobs:

    sudo crontab -e
    

    Add:

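    0 2 * * * mysqldump -u root -p'password' --all-databases | gzip | gpg --batch --encrypt --recipient BACKUP_KEY_ID --output /backup/db_backup_$(date +\%F).sql.gz.gpg

    (gzip only compresses; the gpg stage is what encrypts the dump. BACKUP_KEY_ID is a placeholder for the GPG public key the backups are encrypted to, which must already be imported and trusted in root's keyring.)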
    
  • Store backups on a secure, offsite location.

7. Use a Firewall to Restrict Database Ports
  • Allow only trusted IPs to access MySQL (Port 3306) and PostgreSQL (Port 5432):

    sudo ufw allow from 192.168.1.100 to any port 3306
    sudo ufw allow from 192.168.1.100 to any port 5432
    
  • Block all other traffic:

    sudo ufw deny 3306
    sudo ufw deny 5432
    
8. Implement Intrusion Detection for Database Security

Use Fail2Ban to block repeated failed login attempts to MySQL and PostgreSQL.

Install and Configure Fail2Ban

sudo apt install fail2ban -y

Create a new filter for MySQL:

sudo nano /etc/fail2ban/filter.d/mysql-auth.conf

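Add (MySQL logs a failed login as Access denied for user 'name'@'host' (using password: YES), and writes these notes to the error log only when log_error_verbosity = 3 is set in mysqld.cnf):

[Definition]
failregex = ^.*Access denied for user '[^']*'@'<HOST>'.*$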

Create a Jail Configuration:

sudo nano /etc/fail2ban/jail.local

Add:

[mysql-auth]
enabled = true
port = 3306
filter = mysql-auth
logpath = /var/log/mysql/error.log
maxretry = 5

Restart Fail2Ban:

sudo systemctl restart fail2ban
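
A jail only bans hosts if its failregex matches the line MySQL actually writes. The following added example (not part of the original guide) compares a pattern that expects from '<HOST>' with one that expects the 'user'@'<HOST>' form, using constructed log lines; the <HOST> stand-in, the sample log and the function names are assumptions made for the demonstration.

```python
import re
from collections import Counter

# fail2ban expands <HOST> to its own host-matching group; this IPv4-only
# stand-in is a simplification assumed for the example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

PATTERN_FROM = r"^.*Access denied for user .* from '(<HOST>)'.*$"
PATTERN_AT = r"^.*Access denied for user '[^']*'@'<HOST>'.*$"

# Constructed error-log lines in MySQL 8.0 layout (not real traffic).
SAMPLE_LOG = """\
2024-05-01T02:11:07.123456Z 14 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2024-05-01T02:11:09.456789Z 15 [Note] [MY-010926] [Server] Access denied for user 'dbuser'@'203.0.113.7' (using password: YES)
2024-05-01T02:12:00.000001Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
2024-05-01T02:13:30.000002Z 16 [Note] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.20' (using password: NO)
"""

def failed_hosts(failregex, log_text):
    """Return the host captured on every line the failregex matches."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    matches = (pattern.search(line) for line in log_text.splitlines())
    return [m.group("host") for m in matches if m]

def hosts_to_ban(failregex, log_text, maxretry):
    """Hosts with at least maxretry matching lines (findtime is ignored here)."""
    counts = Counter(failed_hosts(failregex, log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for name, rx in (("from '<HOST>'", PATTERN_FROM), ("'user'@'<HOST>'", PATTERN_AT)):
        print(name, failed_hosts(rx, SAMPLE_LOG), hosts_to_ban(rx, SAMPLE_LOG, 2))
```

On a live server, fail2ban-regex /var/log/mysql/error.log /etc/fail2ban/filter.d/mysql-auth.conf performs the same check with fail2ban's real <HOST> expansion and reports how many lines matched.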

Best Practices for Database Security

  • Disable default database accounts (DROP USER 'test'@'localhost';).
  • Keep database software updated (sudo apt update && sudo apt upgrade -y).
  • Encrypt sensitive data before storing it in the database.
  • Regularly audit database access logs for suspicious activity.
  • Test database security with penetration testing tools (e.g., SQLmap).

By hardening database access, you protect critical data from unauthorized access, prevent security breaches, and ensure compliance with best security practices.
