
We have a web app that runs in Azure and uses a MySQL database, also in Azure, for its data storage. We store PII data from the various companies that use our system in this database.

The web app is written in PHP and connects to the database using a username and password. We need to comply with a big customer's data protection requirements, and they require any access to PII data to be 2-factor authenticated.

I have no idea where to start with this or if it is even possible. Does this mean that for every connection the web app makes (tens of thousands a minute), it would need to somehow generate a 2-factor code as well each time? Assuming adding 2-factor is even possible for a MySQL server? (I have looked around and can't find anything.)

So my questions are:

  1. Is 2-factor possible with MySQL?
  2. If not, how else can it be secured so it requires more than just a username and password to connect (which both me using Workbench and our web app can do)?

Thanks

asked Dec 13, 2017 at 16:19
  • Look up "mysql" and "PAM". Commented Dec 13, 2017 at 17:26
  • @RickJames I came across PAM but thought it was just a module that allowed you to authenticate users with other systems, such as Active Directory. How does that help with adding 2-factor? Commented Dec 14, 2017 at 9:04

1 Answer


Here are some basic security recommendations.

  1. Set a complex password.
  2. Use the validate_password plugin.
  3. Disable remote root login.
  4. Disallow incoming traffic apart from your app and report server.
  5. Always create users with the proper host (don't use '%').
  6. Rotate passwords every month.
  7. Restrict the MySQL data, log and backup directories.
  8. Try to implement SSL communication between the server and the clients.
  9. Restrict SSH access to the server where MySQL is installed.
  10. Protect my.cnf from other users.

This blog may help you to implement more security:

https://lalitvc.wordpress.com/2017/04/02/basics-of-mysql-administration-and-best-practices/

answered Dec 13, 2017 at 17:50
  • Thanks for these. All solid recommendations. Still only connecting with a username name and password though. Commented Dec 14, 2017 at 9:06
  • @superphonic - Yeah, but your friendly foreign hacker will be trying 'root', 'admin', etc. Commented Dec 14, 2017 at 18:08
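The account-level items from the answer above (complex passwords via validate_password, no remote root, host-restricted users, monthly rotation, SSL), written out as MySQL statements. This is an added example, not code from the answer or the linked blog; it assumes MySQL 5.7 syntax, and the database name, user names, subnet addresses and the password placeholder are constructed for illustration. It also goes one step beyond the answer's "SSL" item by showing the REQUIRE X509 form, which makes the client present a certificate in addition to its password.

```sql
-- 2. Enforce password complexity on the server (validate_password plugin, MySQL 5.7;
--    MySQL 8.0 ships it as a component whose variables are named validate_password.*).
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = STRONG;   -- length + mixed case + digits + symbols + dictionary check
SET GLOBAL validate_password_length = 16;

-- 3. Remove remote root accounts; leave root usable only from the local host.
DROP USER IF EXISTS 'root'@'%';

-- 8. Refuse any connection that is not TLS-protected (MySQL 5.7.6+).
SET GLOBAL require_secure_transport = ON;

-- 5. + 6. + 8. Application user: limited to the app subnet (no '%'), TLS required,
--    least-privilege grants on the one schema, password expires after 30 days.
--    'CHANGE-ME-TO-A-GENERATED-SECRET' is a placeholder; replace it with a generated secret.
CREATE USER 'webapp'@'10.0.1.%'
    IDENTIFIED BY 'CHANGE-ME-TO-A-GENERATED-SECRET'
    REQUIRE SSL
    PASSWORD EXPIRE INTERVAL 30 DAY;
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'10.0.1.%';

-- 4. + 5. Reporting user: one fixed host, read-only, and a client certificate
--    signed by the server's CA is required on top of the password (REQUIRE X509).
CREATE USER 'reports'@'10.0.2.5'
    IDENTIFIED BY 'CHANGE-ME-TO-ANOTHER-GENERATED-SECRET'
    REQUIRE X509
    PASSWORD EXPIRE INTERVAL 30 DAY;
GRANT SELECT ON appdb.* TO 'reports'@'10.0.2.5';

-- Verification: no '%' hosts left, every account has an ssl_type, and no
-- account holds more privileges than intended.
SELECT user, host, ssl_type, password_expired
FROM mysql.user
ORDER BY user, host;
SHOW GRANTS FOR 'webapp'@'10.0.1.%';
SHOW GRANTS FOR 'reports'@'10.0.2.5';

-- From a client session: a non-empty Ssl_cipher confirms the connection is encrypted.
SHOW STATUS LIKE 'Ssl_cipher';
```

On Azure Database for MySQL the require_secure_transport and validate_password settings are exposed as server parameters in the portal rather than via SET GLOBAL, and users connect as name@servername, but the CREATE USER, REQUIRE and GRANT statements apply unchanged.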
