Here's the use case:
I have a SaaS system that was built (dev environment) on a single box. I've moved everything to a cloud environment running Ubuntu 10.10. One server runs the application, the other runs the database. The basic idea is that the server that runs the database should only be accessible by the application and the administrator's machine, both of which have the correct RSA keys.
My question:
Would it be better practice to use a firewall to block access to ALL ports except MySQL, or skip firewall / iptables and just disable all other services / ports completely? Furthermore, should I run MySQL on a non-standard port? This database will hold quite sensitive information and I want to make sure I'm doing everything possible to properly safeguard it.
Thanks in advance. I've been reading here for a while but this is the first question that I've asked. I'll try to answer some as well = )
Ideally, for maximum security, you want multiple layers.
This includes such things as a firewall to block off all access to networked ports (shorewall is quite easy to set up), as well as using tcpwrappers (hosts.allow / hosts.deny) to restrict access to various daemons.
If your database server is only receiving connections from a given server (with a static IP), then this IP could also be used in conjunction with your standard firewall configs, tcpwrapper & mysql authentication methods to additionally restrict access further to only that one server.
Some sort of secure tunnel between the servers would be ideal, blocking all access to the DB server otherwise.
Barring that, I think it's a great idea to use the firewall to filter everything unwanted and undesired, even if it seems redundant (e.g. whether there is currently a daemon listening on port X or not). One 'nice' thing about filtering everything (via DROP in netfilter) is that it doesn't make a simple TCP port scan quick and easy.
I also don't think it's a bad idea to change the default port for the DB, if it has to be open to the Internet. Just don't ever be under any illusions about that, alone, as a 'security measure'.
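The layered setup this answer describes (default-DROP netfilter policy, only the application server's static IP allowed to reach MySQL, only the admin box allowed to reach SSH and MySQL) can be written down as one small ruleset. The script below is an added example, not code from the original thread or from shorewall; the addresses 192.0.2.10 (application server) and 198.51.100.20 (admin machine) are placeholders from the documentation ranges, and the function only prints the iptables commands unless DRY_RUN=0 is set, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: generate an iptables INPUT ruleset for a dedicated MySQL host.
# Placeholder addresses; substitute the real static IPs of the app server and admin box.
# Note: these rules are not persistent across reboots by themselves (use iptables-save
# or a boot script); on a remote box keep the admin SSH rule or you lock yourself out.

db_firewall_rules() {
    app_ip="$1"                 # application server: MySQL only
    admin_ip="$2"               # administrator's machine: SSH and MySQL
    ssh_port="${3:-22}"
    mysql_port="${4:-3306}"     # change here if MySQL runs on a non-standard port

    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -s $app_ip --dport $mysql_port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -s $admin_ip --dport $mysql_port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -s $admin_ip --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DB-FW-DROP: "
EOF
}

# Print the rules (default), or apply them as root when DRY_RUN=0.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "0" ]; then
        db_firewall_rules "$@" | sh
    else
        db_firewall_rules "$@"
    fi
}

# Demonstration run with the placeholder addresses (prints, does not apply).
apply_rules "${APP_IP:-192.0.2.10}" "${ADMIN_IP:-198.51.100.20}"
```

Everything not explicitly accepted falls to the DROP policy, so a scan of the database host from any other address gets no response at all, which is the point made above about not making a port scan quick and easy; the rate-limited LOG rule just before the policy kicks in gives you a record of what was refused without flooding syslog.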
As a best practice you should both disable services that are not being used and firewall your boxes. When you do this you are applying the principle of defense in depth. You can change the default port for MySQL, as this may help to reduce the noise in your logs, but this shouldn't be the only thing that you do.
If your database is going to contain sensitive information you should consider using encryption for that data, although I am not familiar enough with MySQL to know what it supports.
You should also check out the question "MySql Server Hardening" on security.se.
Hey, try it with /etc/hosts.allowed and /etc/hosts.deny
Add ALL: ALL to hosts.deny and your IP and mysqld to hosts.allowed. Read more on:
http://linux.about.com/od/commands/l/blcmdl5_hostsal.htm
This is the simplest way.
Your config will look like:
/etc/hosts.allow ALL: (Your-Connecting-IP) and /etc/hosts.deny ALL: ALL
Adding localhost to allowed might be a good idea though.
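The two files this answer describes are easy to write but easy to get wrong in a way that is invisible until an unexpected client connects, because libwrap consults hosts.allow first, then hosts.deny, and permits anything that matches neither. The script below is an added example, not code from the thread or from the tcp_wrappers package: it renders hosts.allow and hosts.deny into a directory of your choosing (a temporary directory for testing, /etc when deploying) and emulates that lookup order so you can check, offline, which daemon/client pairs would be admitted. The addresses are placeholders, and the matcher only understands exact client addresses and the ALL wildcard, not netmask, domain or pattern forms.

```shell
#!/bin/sh
# Added example: render tcpwrappers files and emulate libwrap's lookup order.
# render_wrappers DIR daemon=client[,client...] ...
#   writes DIR/hosts.allow with one line per daemon and DIR/hosts.deny with "ALL: ALL".
render_wrappers() {
    dir="$1"; shift
    : > "$dir/hosts.allow"
    for pair in "$@"; do
        daemon="${pair%%=*}"
        clients="$(printf '%s' "${pair#*=}" | tr ',' ' ')"
        printf '%s: %s\n' "$daemon" "$clients" >> "$dir/hosts.allow"
    done
    # Without this catch-all, a client listed nowhere is admitted.
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
}

# _match_file FILE DAEMON CLIENT: exit 0 if any line in FILE matches (exact or ALL).
_match_file() {
    file="$1"; want_daemon="$2"; want_client="$3"
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        d="$(printf '%s' "${line%%:*}" | tr -d ' ')"
        c="${line#*:}"
        [ "$d" = "ALL" ] || [ "$d" = "$want_daemon" ] || continue
        for item in $c; do
            if [ "$item" = "ALL" ] || [ "$item" = "$want_client" ]; then
                return 0
            fi
        done
    done < "$file"
    return 1
}

# wrap_check DIR DAEMON CLIENT: exit 0 if the pair would be admitted, 1 if refused.
# Mirrors libwrap: first match in hosts.allow grants, else first match in hosts.deny
# refuses, else the connection is granted.
wrap_check() {
    if _match_file "$1/hosts.allow" "$2" "$3"; then return 0; fi
    if _match_file "$1/hosts.deny" "$2" "$3"; then return 1; fi
    return 0
}

# Demonstration with placeholder addresses: app server 192.0.2.10, admin 198.51.100.20.
demo_dir="$(mktemp -d)"
render_wrappers "$demo_dir" "mysqld=127.0.0.1,192.0.2.10" "sshd=198.51.100.20"
cat "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"
for pair in "mysqld 192.0.2.10" "mysqld 203.0.113.5" "sshd 192.0.2.10"; do
    set -- $pair
    if wrap_check "$demo_dir" "$1" "$2"; then echo "$1 from $2: allowed"; else echo "$1 from $2: refused"; fi
done
rm -rf "$demo_dir"
```

Two caveats worth checking before relying on this on the database host: tcpwrappers only protects daemons that are linked against libwrap or started via tcpd (on Debian-derived systems `ldd "$(command -v mysqld)" | grep libwrap` shows whether your mysqld build is one of them), and it acts after the TCP connection is already accepted, so it complements the firewall rather than replacing it.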