How to Secure MySQL/MariaDB Databases on Debian 12 Bookworm

Introduction

Securing MySQL/MariaDB databases is crucial to protect sensitive data from unauthorized access, corruption, and malicious attacks. Debian 12 Bookworm, a stable and secure Linux distribution, provides a solid foundation for database security. However, additional configurations are necessary to harden MySQL or MariaDB against potential threats. This guide will walk you through the essential steps to secure your MySQL/MariaDB database server on Debian 12 Bookworm.

1. Install MySQL/MariaDB Securely

Installing MySQL or MariaDB

Debian 12 supports both MySQL and MariaDB. By default, MariaDB is included in the official repositories, as it is a fork of MySQL with a strong focus on performance and security.

To install MariaDB, run:

sudo apt update
sudo apt install mariadb-server

To install MySQL, use:

sudo apt update
sudo apt install mysql-server

After installation, ensure that the database server is running:

sudo systemctl enable --now mariadb  # For MariaDB
sudo systemctl enable --now mysql    # For MySQL

2. Run the Secure Installation Script

Both MySQL and MariaDB provide a security script that helps configure crucial security settings:

sudo mysql_secure_installation

This interactive script will prompt you to:

• Set a strong root password.
• Remove anonymous users.
• Disable remote root login.
• Remove the test database.
• Reload privilege tables.

It is highly recommended to follow all the security recommendations presented during the script execution.

3. Configure User Authentication and Permissions

Creating a New Administrative User

Using the root user for database operations is a security risk. Instead, create a dedicated admin user:

CREATE USER 'admin_user'@'localhost' IDENTIFIED BY 'StrongPassword123';
GRANT ALL PRIVILEGES ON *.* TO 'admin_user'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;

Grant Least Privileges to Users

Follow the principle of least privilege (PoLP) by assigning only necessary permissions to users:

CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'AppPassword123';
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'app_user'@'localhost';
FLUSH PRIVILEGES;

4. Disable Remote Root Access

By default, remote root login should be disabled. However, to ensure this, check the MySQL/MariaDB configuration file:

sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf  # For MariaDB
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf       # For MySQL

Find the following line and ensure it is set correctly:

bind-address = 127.0.0.1

Then restart the database server:

sudo systemctl restart mariadb  # For MariaDB
sudo systemctl restart mysql    # For MySQL

5. Enable Firewall Rules

Use ufw to restrict access to MySQL/MariaDB:

sudo ufw allow 3306/tcp
sudo ufw enable

For remote connections, allow only specific IPs:

sudo ufw allow from 192.168.1.100 to any port 3306

Verify firewall settings:

sudo ufw status

6. Enable SSL/TLS Encryption

To encrypt connections to MySQL/MariaDB, enable SSL/TLS:

Check SSL Support

SHOW VARIABLES LIKE 'have_ssl';

Generate SSL Certificates

sudo mkdir /etc/mysql/ssl
cd /etc/mysql/ssl
sudo openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -x509 -days 365 -out server-cert.pem
sudo openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -x509 -days 365 -out client-cert.pem

Configure MySQL/MariaDB to Use SSL

Edit the configuration file:

sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf  # For MariaDB
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf       # For MySQL

Add or modify the following lines:

ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem
ssl-ca = /etc/mysql/ssl/client-cert.pem

Restart the database server:

sudo systemctl restart mariadb  # For MariaDB
sudo systemctl restart mysql    # For MySQL

Verify SSL is enabled:

SHOW VARIABLES LIKE 'have_ssl';

7. Regularly Update and Monitor Database Security

Keep the System and Database Updated

sudo apt update && sudo apt upgrade -y

Monitor Database Activity

Enable query logging to track suspicious activity:

general_log = 1
general_log_file = /var/log/mysql/general.log

Use Fail2Ban to Prevent Brute Force Attacks

sudo apt install fail2ban -y

Create a configuration file:

sudo nano /etc/fail2ban/jail.local

Add the following content:

[mysqld-auth]
enabled = true
filter = mysqld-auth
action = iptables[name=MySQL, port=3306, protocol=tcp]
logpath = /var/log/mysql/error.log
bantime = 600
findtime = 600
maxretry = 5

Restart Fail2Ban:

sudo systemctl restart fail2ban

Conclusion

Securing MySQL/MariaDB on Debian 12 Bookworm requires multiple layers of protection, including strong authentication, firewall rules, SSL/TLS encryption, user privilege management, and regular monitoring. By following these best practices, you can significantly reduce the risk of database breaches and ensure the integrity of your data. Always stay vigilant and keep your database system up to date for continued security.