MariaDB is a widely used open-source database known for its performance and scalability. However, like any database system, it is a target for hacking attempts. Whether you’re managing sensitive customer data or mission-critical applications, protecting your MariaDB instance is essential. This blog will guide you through identifying suspicious activities, stopping ongoing attacks, and preventing future breaches.

Step 1: Identify Suspicious Activity

The first step in dealing with a potential hacking attempt is to detect unusual or unauthorized activities within your MariaDB instance.

Check Active Connections

Identify all active connections to your database. Run the following query to see who is connected:

SHOW PROCESSLIST;

This will display all active sessions, including:

• User: The username of the connected client.
• Host: The IP address or hostname of the client.
• Command: The type of operation (e.g., Query, Sleep).
• Time: How long the session has been active.
• Info: The exact SQL query being executed.

Look for:

• Unknown users or IP addresses.
• Long-running queries or unusual commands.

Review Recent Queries

Enable the general query log to monitor all queries executed on the database:

SET GLOBAL general_log = 'ON';
SET GLOBAL log_output = 'TABLE';

Then, query the mysql.general_log table to inspect recent activity:

SELECT event_time, user_host, command_type, argument
FROM mysql.general_log
ORDER BY event_time DESC
LIMIT 20;

This will show what actions have been performed recently, helping you pinpoint malicious activity.

Check Error Logs

Review the MariaDB error logs for unusual connection attempts or errors, which could indicate brute-force attempts or other malicious actions.

sudo cat /var/log/mariadb/mariadb.log

Step 2: Stop the Malicious Activity

If you identify a suspicious session or activity, take immediate action to stop it.

Kill a Suspicious Connection

Terminate any unauthorized or malicious sessions using the following command:

KILL <connection_id>;

Replace <connection_id> with the ID of the connection you identified from the SHOW PROCESSLIST; query.

Lock Suspicious Users

If a specific user account has been compromised, lock it to prevent further access

UPDATE mysql.user SET account_locked = 'Y' WHERE User = '<username>';
FLUSH PRIVILEGES;

Step 3: Block Further Access

Restrict Host Access

Limit access to your MariaDB server by allowing only trusted IP addresses. Update the user’s host field:

UPDATE mysql.user SET Host = '<trusted_ip>' WHERE User = '<username>';
FLUSH PRIVILEGES;

Alternatively, use firewalls to block suspicious IPs at the operating system level:

sudo ufw deny from <suspicious_ip> to any port 3306

Enable Connection Limits

Set a maximum number of connections for a user to prevent resource exhaustion from brute-force attacks:

ALTER USER '<username>'@'%' WITH MAX_USER_CONNECTIONS 10;

Step 4: Enable Advanced Security Measures

Use Strong Passwords

Ensure all database users have strong passwords. Update weak passwords using:

ALTER USER '<username>'@'%' IDENTIFIED BY '<strong_password>';

Consider enforcing password policies by enabling the validate_password plugin:

INSTALL SONAME 'validate_password';
SET GLOBAL validate_password_policy = STRONG;

Enable SSL Connections

Encrypt connections between the database and clients using SSL to prevent data interception:

[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

Restart MariaDB to apply changes:

sudo systemctl restart mariadb

Audit User Privileges

Regularly review and revoke unnecessary user privileges. To list user privileges, run:

SHOW GRANTS FOR '<username>'@'%';

To remove excessive privileges:

REVOKE ALL PRIVILEGES, GRANT OPTION FROM '<username>'@'%';

Grant only the necessary permissions:

GRANT SELECT, INSERT, UPDATE ON <database>.* TO '<username>'@'%';

Step 5: Monitor and Audit Activity

Enable Binary Logging

Enable binary logs to track all changes made to the database:

[mysqld]
log_bin=/var/log/mysql/mysql-bin.log

This allows you to trace data modifications and recover from malicious changes.

Enable MariaDB Audit Plugin

Install and enable the MariaDB audit plugin to log all database activity:

INSTALL SONAME 'server_audit';
SET GLOBAL server_audit_logging = 'ON';
SET GLOBAL server_audit_events = 'CONNECT,QUERY';

Audit logs will provide detailed insights into who accessed the database and what actions were performed.

Step 6: Implement Long-Term Security Strategies

Keep MariaDB Updated

Regularly update MariaDB to the latest version to patch vulnerabilities:

sudo apt update
sudo apt upgrade mariadb-server

Backup Your Data

Always have regular backups to recover quickly from potential breaches or data corruption. Use mysqldump or MariaDB backup tools:

mysqldump -u root -p --all-databases > backup.sql

Monitor Database Metrics

Use monitoring tools like Prometheus or Grafana to track database performance and detect anomalies.

Conclusion

Securing your MariaDB database is an ongoing process. By identifying suspicious activity, taking immediate action, and implementing long-term security measures, you can protect your data and prevent hacking attempts. Regularly audit your database, enforce strong password policies, and limit access to ensure a robust defense against cyber threats.