[debian-mysql] MySQL "hardening?"

Ralf G. R. Bergs Ralf+Debian at bergs.biz
Mon Apr 13 11:48:18 UTC 2015


Hi Otto.

On 2015-04-05 22:03 , Otto Kekäläinen wrote:
> 2015-04-04 14:54 GMT+03:00 Ralf G. R. Bergs <Ralf+Debian at bergs.biz>:
>> What I was thinking about -- and sorry for not being more specific -- is
>> "config hardening" in a way that "dangerous" features might be disabled by
>> default (e. g. might only listen on Unix domain socket and not TCP socket by
>> default, or if TCP socket is active by default the daemon might only bind to
>> the loopback interface), rate limiting and other usage restrictions
>> (ulimit?) might be enabled for the pre-defined MySQL database users or the
>> MySQL system user to prevent DoS attacks, etc.
> The my.cnf distributed in Debian (and used at the moment by both
> mysql-5.5 and mariadb-10.0) can be seen here:
> https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.5.git/tree/debian/additions/my.cnf

Thanks. But I was hoping that you guys documented somewhere which
improvements (if any) you might have performed compared to the original
"factory" default config. So that I can sell this as an "extra" to our
security guys who are asking for what kind of hardening Debian do...

> Pull requests for improvements are welcomed.

If I had something to share with you I would for sure do it! But
currently I have nothing to contribute, sorry.

Kind regards,

Ralf
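
Added example, not part of the original message or of the Debian packaging: a small Python check that classifies how a my.cnf exposes the mysqld listener (Unix socket only, loopback, or all interfaces), which is the listener part of the "config hardening" discussed in this thread. The sample config is constructed, the function names are hypothetical, and inline `#` comments after a value are not handled.

```python
import ipaddress

# Constructed sample, not the my.cnf shipped by any package.
SAMPLE_CNF = """
[client]
port = 3306
[mysqld]
user = mysql
socket = /var/run/mysqld/mysqld.sock
bind-address = 127.0.0.1
"""

def mysqld_options(cnf_text):
    """Collect [mysqld] options; MySQL treats '-' and '_' in names alike."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":  # comments and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        name, _, value = line.partition("=")
        # A later occurrence overrides an earlier one, as in the server.
        opts[name.strip().lower().replace("-", "_")] = value.strip()
    return opts

def listener_exposure(cnf_text):
    """Return 'socket-only', 'loopback', 'specific-address' or 'all-interfaces'."""
    opts = mysqld_options(cnf_text)
    skip = opts.get("skip_networking")
    if skip is not None and skip.lower() not in ("0", "off", "false"):
        return "socket-only"  # TCP listener disabled entirely
    addr = opts.get("bind_address")
    if addr is None or addr == "*":
        return "all-interfaces"  # unset bind-address listens on every interface
    if addr.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "specific-address"  # some other hostname; resolve and review it
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific-address"

if __name__ == "__main__":
    print(listener_exposure(SAMPLE_CNF))
```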




