How to secure our MySQL server

[DavidRock]

We are quickly approaching the time when we will deploy our new website which uses PHP and MySQL to store sensitive data. Based on feedback we've received it was decided that we should seperate the db server from the rest of the site, which is currently hosted entirely at a public ISP. We will likely use FreeBSD as the OS on our MySQL server box. What do we need to do to secure this MySQL server from intrusions? From talking to others it seems I need some type of firewall or "reverse proxying" but I still need to learn more. I'm hoping the experienced people here can give me a push in the right direction.

Thanks,
David Rock

 

[SgtB]

Setup an internal firewall that only allows access to sql to and from (or whatever direction you need to go) the webserver. Deny all other protocols. Set up and IDS before and after this internal firewall to alert you to attempts made on the sql server, and any attacks the may have penetrated your firewall.
I'm not too sure what ports/protocols sql uses, but those are the only ones you should be allowing. The only source/destination in your firewall config should be the webserver. So make sure your webserver is nice and secure too!
Thats just the general setup I'd use.

Hope this helps!

 

[SgtB]

A quick link on reverse-proxying. Might help you out a bit.

http://developer.netscape.com/docs/manuals/proxy/adminux/revpxy.htm