distal-attribute
distal-attribute
distal-attribute
distal-attribute

Changing the Root Password

User, date Message
Written by mangolicious
5 years ago
Category: General
1 posts since Thu, 09 Jul 09
I want to make sure I don't get hacked. =p

I went to tools, and then user management and added a password, but I don't think that did it. How do I change the password to my HeidiSQL so my WoW server will not get hacked? =p
Written by ansgar
5 years ago
5045 posts since Fri, 07 Apr 06
Sure the user manager is exactly to be used for password changes and privileges stuff, sounds perfect what you did.

Additionally it's recommended to give users only the absolute minimum needed privileges, not "just everything" for an account which normally does read in one database or so.
Written by rosenfield
5 years ago
127 posts since Wed, 24 Jan 07
Changing the user name of any default users (fx "root") can provide some protection against automated scripts trying to brute force passwords as well. It's rather easy to find active user names with a timing attack, but in practice you probably won't find anyone out there that would bother.

If you look at the MySQL Internals protocol documentation, you'll see that a lot of the MySQL protocol is undocumented. Perhaps it was not as much designed as it was hacked together :-). Some of the undocumented behaviours of the protocol could easily contain security flaws. There's a couple of issues that you can find via http://bugs.mysql.com/ that has been closed as "not a bug", but which actually looks very much like they are exploitable for DoS attacks.

Long story short: you probably want to block external access to the port that MySQL listens on altogether, either with a firewall or by configuring the server to not listen on any externally reachable address (limit it to 127.0.0.1, for example).

(For other readers: If you must make it accessible, there's a couple of options. One is to hire someone to do a security review of the MySQL Server network protocol code, another is to protect it with an application-level proxy - the only one I can think of is MySQL Proxy, and I haven't looked at it, so I can't say if it's secure or not - and a third option would be to wrap all MySQL connections with SSL, using fx stunnel, and only allowing access for users that are trusted to be secure.)
 

Please login to leave a reply, or register at first.