MariaDB Security: Don't Worry About Disabling MYSQL_ENABLE_CLEARTEXT_PLUGIN
- Origin: This environment variable is specific to MySQL, not MariaDB.
- Functionality: In MySQL, it controls whether the `clear_text` authentication plugin may be used. This plugin sends the password in plain text, so anyone able to observe the connection (for example, on an unencrypted network path) can read it.
MariaDB's Approach
- Clear Text Plugin on Demand: MariaDB's client libraries (connectors) and command-line tools such as `mysql` load the `clear_text` plugin only when the MariaDB server explicitly requests it, so disabling this functionality on the client side isn't necessary.
- Focus on Secure Connections: MariaDB prioritizes secure connections by default, protecting credentials with password hashing and Transport Layer Security (TLS).
Why Disabling Isn't Applicable
- Dynamic Behavior: MariaDB's on-demand plugin usage makes client-side disabling irrelevant.
- Security Focus: Secure connections are the norm, so disabling clear text wouldn't enhance security.
Recommendations for Secure Connections
- Enforce TLS: Configure your MariaDB server to require TLS connections. This encrypts communication between clients and the server, safeguarding passwords and data.
- Strong Password Policies: Implement robust password policies for user accounts, including minimum length, complexity requirements, and regular rotation.
MariaDB server configuration (my.cnf):

```ini
[mysqld]
# Reject every connection that is not protected by TLS (MariaDB 10.5 and later)
require_secure_transport = ON
# The server can only offer TLS once it has a certificate and private key
ssl_cert = /path/to/server.crt
ssl_key = /path/to/server.key
# CA certificate, needed if clients are to present their own certificates
# ssl_ca = /path/to/ca.crt
```

Explanation:
- `require_secure_transport = ON` makes the server refuse any connection that is not encrypted with TLS (connections over the local Unix socket count as secure and are still accepted). The plain `ssl` option is only an on/off switch; it does not enforce anything on its own.
- Lines starting with `#` are comments.
- Set `ssl_cert` and `ssl_key` to the paths of your server certificate and private key. Without them the server cannot offer TLS at all, so enabling `require_secure_transport` first would lock every TCP client out.
Connecting with TLS:

```shell
mysql -h localhost -u username -p --ssl --ssl-ca=/path/to/ca.crt --ssl-verify-server-cert
```

This command requests a TLS-encrypted connection with `--ssl`; `--ssl-ca` and `--ssl-verify-server-cert` additionally check that the server's certificate was issued by your CA, so a connection to an impostor is refused rather than silently accepted. Replace `username` with your actual MariaDB username. Note that `-h localhost` normally connects over the Unix socket, where TLS is neither used nor needed; to exercise TLS over TCP, connect to the host name or IP address (or add `--protocol=tcp`). Once connected, `SHOW STATUS LIKE 'Ssl_cipher';` reports a non-empty cipher when the session is encrypted.
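The following script is an added example, not part of the original page or of MariaDB's own tooling. It audits the `[mysqld]` section of a my.cnf for the TLS settings discussed above and reports a weak configuration beside a hardened one. It assumes the option names `require_secure_transport`, `ssl_cert`, `ssl_key`, `ssl_ca` and `tls_version`, and that mysqld treats `-` and `_` in option names as interchangeable; both configuration texts are constructed samples.

```python
"""Audit a MariaDB server config ([mysqld] section) for TLS enforcement.

Added example, not MariaDB's own tooling. Option names assumed:
require_secure_transport, ssl_cert, ssl_key, ssl_ca, tls_version.
"""
import configparser
import io

# Constructed sample: TLS is never actually enforced here.
WEAK_CNF = """
!includedir /etc/mysql/conf.d/
[mysqld]
# boolean option given a value mysqld does not accept
ssl = REQUIRE
tls_version = TLSv1.0,TLSv1.1,TLSv1.2
"""

# Constructed sample: the hardened config.
HARDENED_CNF = """
[mysqld]
require_secure_transport = ON
ssl-cert = /etc/mysql/ssl/server.crt
ssl-key  = /etc/mysql/ssl/server.key
ssl-ca   = /etc/mysql/ssl/ca.crt
tls_version = TLSv1.2,TLSv1.3
"""

BOOL_VALUES = {"on", "off", "1", "0", "true", "false"}


def load_mysqld_section(text):
    """Return the [mysqld] options as a dict with normalised option names."""
    # my.cnf '!include' directives are not INI syntax; drop them before parsing.
    cleaned = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("!")
    )
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_file(io.StringIO(cleaned))
    if not cp.has_section("mysqld"):
        return {}
    opts = {}
    for key, value in cp.items("mysqld"):
        # mysqld accepts ssl-cert and ssl_cert alike (assumption stated in the lead-in)
        opts[key.replace("-", "_").lower()] = (value or "").strip()
    return opts


def audit_tls(text):
    """Return a list of findings; an empty list means TLS is enforced and usable."""
    opts = load_mysqld_section(text)
    findings = []
    if opts.get("require_secure_transport", "").lower() not in ("on", "1", "true"):
        findings.append("require_secure_transport is not ON: plaintext TCP logins still accepted")
    if "ssl" in opts and opts["ssl"].lower() not in BOOL_VALUES:
        findings.append(f"ssl = {opts['ssl']!r} is not a boolean value; mysqld will reject it")
    for name in ("ssl_cert", "ssl_key"):
        if not opts.get(name):
            findings.append(f"{name} not set: server cannot offer TLS at all")
    if not opts.get("ssl_ca"):
        findings.append("ssl_ca not set: client certificates cannot be verified")
    allowed = opts.get("tls_version", "").split(",")
    for old in ("TLSv1.0", "TLSv1.1"):
        if old in allowed:
            findings.append(f"tls_version allows {old}: restrict to TLSv1.2,TLSv1.3")
    return findings


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(label, audit_tls(cnf) or ["ok"])
```

Run it against `/etc/my.cnf` (or the merged output of `mysqld --print-defaults`) before flipping `require_secure_transport` on: the certificate findings are the ones that would otherwise turn an enforcement change into an outage.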
Password policy settings:
- Minimum Length: Set a minimum length requirement for passwords (e.g., 12 characters).
- Complexity: Enforce a combination of uppercase, lowercase, numbers, and special characters.
- Password Expiration: Regularly require users to change their passwords (e.g., every 3 months).
- Password History: Prevent reuse of recently used passwords.
- Account Lockout: Implement account lockout after a certain number of failed login attempts to prevent brute-force attacks.
These policies can be configured using MariaDB user management tools or by modifying the `GRANT` statement for specific users.
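As an added example (not the page's or MariaDB's code), here is how the password rules above look as checks in a provisioning script that runs before an account's password is set: length, character classes, reuse against a salted history, and age-based expiry. The thresholds are the page's values (12 characters, 90 days); the history depth of 5, the user-name check and the sample password history are assumptions. Server-side enforcement in MariaDB complements this rather than replacing it.

```python
"""Application-side checks for the password policy listed above.

Added example, not MariaDB's own tooling. Thresholds of 12 characters and
90 days come from the page; HISTORY_DEPTH = 5 is an assumption.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5  # assumption: remember the last five passwords


def hash_password(password, salt=None):
    """Salted PBKDF2 digest, used only to compare a candidate against history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def in_history(password, history):
    """True if the password matches any stored (salt, digest) pair."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def check_password(password, history=(), username=""):
    """Return a list of policy violations; empty means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name} character")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if in_history(password, list(history)):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed, today=None):
    """True when the password (ISO date of its last change) is older than 90 days."""
    changed = date.fromisoformat(last_changed)
    current = date.fromisoformat(today) if today else date.today()
    return current - changed > MAX_AGE


if __name__ == "__main__":
    # Constructed history: one previous password for the account.
    history = [hash_password("Old-Secret-2023!")]
    print(check_password("short", history, "alice"))
    print(check_password("Old-Secret-2023!", history, "alice"))
    print(check_password("Mariadb-Tls-Only#42", history, "alice"))
    print(password_expired("2024-01-01", today="2024-05-01"))
```

The history is kept as salted PBKDF2 digests rather than the passwords themselves, so a leaked history table does not hand out old credentials that may still be in use elsewhere.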
Use Authentication Plugins:
- While the `clear_text` plugin is not recommended, MariaDB supports other authentication plugins that offer additional security features. Popular options include:
  - `sha256_password`: uses a stronger hashing algorithm for password storage.
  - `caching_sha2_password`: caches password validation, improving performance while maintaining security.
  - `mysql_native_password`: compatible with traditional MySQL authentication methods.
- You can configure the plugin used for a specific user by modifying the `GRANT` statement or using user management tools.
Network Access Control (NAC):
- Implement network-level restrictions to control access to the MariaDB server from authorized IP addresses or subnets. This can be achieved using firewalls or other network security solutions.
Monitor for Suspicious Activity:
- Regularly review server logs for failed login attempts, unusual access patterns, or other potential security incidents. Tools like fail2ban can be used to automate some of this monitoring.
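An added example, not from the page or the MariaDB project, of the log review described above: it scans MariaDB error-log lines for rejected logins and flags any client host that accumulates a burst of them, which is the same signal fail2ban-style tooling keys on. It assumes the line shape MariaDB writes for rejected connections when `log_warnings` is set high enough to log them (`timestamp thread-id [Warning] Access denied for user 'name'@'host'`); the log lines, the threshold of 5 and the 10-minute window are constructed.

```python
"""Flag hosts with bursts of failed logins in a MariaDB error log.

Added example, not MariaDB's own tooling. Assumed log line shape:
YYYY-MM-DD HH:MM:SS <thread-id> [Warning] Access denied for user 'u'@'h' ...
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one host hammers several accounts within seconds,
# another host fails twice an hour apart (normal typo behaviour).
SAMPLE_LOG = """\
2024-05-01 09:00:01 12 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)
2024-05-01 09:00:03 13 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)
2024-05-01 09:00:04 14 [Note] Starting MariaDB ...
2024-05-01 09:00:05 15 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-05-01 09:00:06 16 [Warning] Access denied for user 'admin'@'10.0.0.5' (using password: NO)
2024-05-01 09:00:07 17 [Warning] Access denied for user 'backup'@'10.0.0.5' (using password: YES)
2024-05-01 09:30:00 18 [Warning] Access denied for user 'bob'@'192.168.1.9' (using password: YES)
2024-05-01 10:30:00 19 [Warning] Access denied for user 'bob'@'192.168.1.9' (using password: YES)
"""

# Hour may be space-padded in MariaDB's error log, hence \d{1,2} after the spaces.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} +\d{1,2}:\d{2}:\d{2}) +\d+ \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denials(text):
    """Yield (timestamp, user, host) for every access-denied line."""
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("host")


def find_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return {host: (peak count, set of users tried)} for hosts that reach
    `threshold` denials inside any sliding window of length `window`."""
    recent = defaultdict(deque)  # host -> deque of (timestamp, user) in the window
    flagged = {}
    for ts, user, host in parse_denials(text):
        q = recent[host]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold:
            count, users = flagged.get(host, (0, set()))
            flagged[host] = (max(count, len(q)), users | {u for _, u in q})
    return flagged


if __name__ == "__main__":
    for host, (count, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {count} failed logins in window, users tried: {sorted(users)}")
```

The set of user names per host is worth keeping: one account failing repeatedly is usually a stale credential in an application, while many accounts from one address is the pattern that justifies a firewall block or a `max_password_errors` review.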
Keep MariaDB Updated:
- Regularly update MariaDB to the latest version to benefit from security fixes and improvements.