The rise of web services has pushed many companies to put online sites driven by dynamic information. This involves setting up connections to databases containing, for example, stock market indicators, inventories of materials, accounting data or even contact directories.
The 3-tier architectures mainly used for online services are based on three components: the client's browser, the application server (web server + application engine) and finally the database. Much of the security is provided by the application engine, but its vulnerabilities, combined with vulnerabilities that sometimes arise from development, can lead to "SQL injection" attacks.
Here are some basic tips for securing your database. They must, however, be accompanied by security measures for your operating system and your application engine.
Change the default password
Before eating, Scott and Tiger wash their hands. The same goes once the installation of our database is complete: the default passwords must be changed systematically (Oracle's classic scott/tiger account is the textbook example, but every engine ships with some account whose password is public knowledge).
Tip: the CIRT site lists the default passwords for many devices and software products.
Deny remote connections
To avoid trouble, we will also make sure that the database service is not exposed on a public IP address. By default, it should listen only on the loopback interface (127.0.0.1) or a local Unix socket. A quick check is to list the listening sockets on the server (netstat or ss) and confirm that nothing bound to 0.0.0.0 or to the public address belongs to the database process.
Tip: if the application is not on the same server, have the components communicate over private IP addresses, with no NAT toward the outside of your network, and filter the database port on the host firewall so that only the application servers can reach it.
Delete unnecessary accounts
We will then remove the access that seems useless to us: it is fairly simple, we delete all the access accounts configured by the installation, except of course the main administration account, and we create dedicated accounts for each application, limited to the rights it actually needs.
Tip: the most paranoid among us will even go as far as renaming the main admin account. This technique, however, adds little security if we skimp on a robust password: it only hides the account name, not the credential.
Delete the sample database
Following the rule "anything that does not serve us must be deleted", we will do the same with the databases or tables shipped with the installation to serve as examples. Be careful, not all engines come with this type of data.
Let us be particularly careful with the databases or tables called "system": they contain, for example, the identifiers of the access accounts and their associated rights. Reading your vendor's documentation is a prerequisite before deleting anything in haste.
Tip: once the cleaning steps are complete, we have a "clean" configuration that is often worth saving. Turning it into a software package (or an image) that can be redeployed identically is a non-negligible plus.
Activate logs and outsource them
Activating log files must be a first-hour reflex. In case of service interruption, software or hardware incidents, or intrusion into the system, the activity logs help to analyze the situation and take the necessary measures.
Forwarding log files in real time to another machine (using syslog, for example) is sometimes necessary to meet legal or regulatory requirements; it also means that an intruder who takes control of the database server cannot erase the trace of what they did. The forwarded data must be stored read-only and, if needed, archived on non-rewritable media.
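The five steps above (default password, remote connections, unnecessary accounts, sample database, logs), worked through as a post-installation script for MySQL or MariaDB. This is an added example and not part of the original article; it assumes a MySQL 5.7+/8.0 or recent MariaDB server, a connection as root over the local socket, an application database named `shop` that already exists, and placeholder passwords, paths and the account name `shop_app`, all of which are assumptions to be replaced.

```sql
-- Added example (not from the original article): MySQL / MariaDB
-- post-installation hardening. Run it as root over the local socket.
-- Assumptions: application database "shop" exists; "shop_app",
-- the passwords and the log path below are placeholders.

-- 1. Change the default password of the main administration account.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'Replace-Me-With-A-Long-Random-Secret';

-- 2. Deny remote connections.
-- The listener address is not a runtime setting. Put this under [mysqld]
-- in my.cnf (or a conf.d drop-in) and restart the service:
--     bind-address = 127.0.0.1
-- Then verify what the running server actually listens on:
SHOW VARIABLES LIKE 'bind_address';

-- 3. Delete unnecessary accounts: anonymous users and any root account
-- reachable from somewhere other than the local machine.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';
DROP USER IF EXISTS 'root'@'%';

-- Give the application its own account, reachable only from the
-- application server (here the same host), with data rights only:
-- no GRANT, SUPER, FILE or schema-changing privileges.
CREATE USER 'shop_app'@'127.0.0.1' IDENTIFIED BY 'Another-Long-Random-Secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_app'@'127.0.0.1';

-- 4. Delete the sample database and the privilege rows that pointed at it
-- (older installs granted anonymous users access to "test" and "test_*").
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
-- Direct edits to the grant tables only take effect after a reload.
FLUSH PRIVILEGES;

-- 5. Activate logs.
-- The general log records every statement: useful for an investigation,
-- but high volume, so watch disk space and protect the file (it can
-- contain application data). These settings are dynamic but are lost on
-- restart unless written to my.cnf (or persisted with SET PERSIST on
-- MySQL 8.0). The error log path (log_error) must be set in my.cnf.
SET GLOBAL log_output = 'FILE';
SET GLOBAL general_log_file = '/var/log/mysql/general.log';
SET GLOBAL general_log = 'ON';

-- Checks: what accounts remain, what databases remain, what is logged.
SELECT User, Host, plugin FROM mysql.user ORDER BY User, Host;
SHOW DATABASES;
SHOW GLOBAL VARIABLES LIKE 'general_log%';
```

The final SELECT is the one to read carefully: after the script, every remaining row should be either `root@localhost` or an application account restricted to a specific host, and no User should be empty. For the forwarding step, the database engine writes to local files; a syslog daemon such as rsyslog can tail them (its imfile module) and ship them to the collector in real time, which is where the read-only storage and archiving described above are applied.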