Database Security
This article details important considerations for securing the database server supporting your MediaWiki 1.40 installation. A compromised database means a compromised wiki; therefore, robust security measures are paramount. This guide is intended for newcomers to server administration and aims to provide a practical overview.
Understanding the Threat Model
Before diving into configuration, it’s crucial to understand potential threats. Common attack vectors include:
- SQL Injection: Exploiting vulnerabilities in wiki code to directly manipulate database queries. Good coding practices in MediaWiki itself largely mitigate this, but securing database access is still vital.
- Brute-Force Attacks: Attempting to guess database credentials.
- Denial of Service (DoS): Overwhelming the database server with requests, making it unavailable.
- Data Breach: Unauthorized access to sensitive wiki data (user information, content history).
- Privilege Escalation: Gaining unauthorized administrative access to the database.
Database User Permissions
The MediaWiki installation *must* connect to the database using a dedicated user account. Never use the root or administrator account for this purpose. This principle of least privilege is fundamental.
Here’s a breakdown of required permissions. Note that the specific syntax for granting these permissions varies depending on your database system (MySQL/MariaDB, PostgreSQL, etc.).
Permission | Description | Required? |
---|---|---|
SELECT | Allows reading data from tables. | Yes |
INSERT | Allows adding new data to tables. | Yes |
UPDATE | Allows modifying existing data in tables. | Yes |
DELETE | Allows removing data from tables. | Yes |
CREATE | Allows creating new tables. | No (Generally discouraged) |
ALTER | Allows modifying table structure. | No (Generally discouraged) |
DROP | Allows deleting tables. | No (Absolutely discouraged) |
INDEX | Allows creating and dropping indexes. | Yes |
LOCK TABLES | Allows locking tables for concurrent access control. | Yes |
Ensure the dedicated MediaWiki user only has the *necessary* permissions. Avoid granting broad privileges like `CREATE`, `ALTER`, and especially `DROP`. Regularly review and audit these permissions. See Manual:Configuration settings for more details on database connection parameters.
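One way to carry out the review recommended above, as an added example that is not part of the original article or MediaWiki's own code: it checks MySQL/MariaDB `SHOW GRANTS` output against the privileges the table marks as required. The account names, host address and database name `wikidb` are constructed sample values.

```python
import re

# Privileges the table above marks "Required? Yes" for the wiki account.
ALLOWED = {"SELECT", "INSERT", "UPDATE", "DELETE", "INDEX", "LOCK TABLES"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"[`'](?P<user>[^`']*)[`']@[`'](?P<host>[^`']*)[`'](?P<rest>.*)$",
    re.IGNORECASE,
)

def audit_grants(lines, wiki_db):
    """Return (line_number, finding) pairs for grants beyond least privilege."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            findings.append((n, "unparsed grant line, review manually"))
            continue
        # Drop column lists such as SELECT (col1, col2) before splitting.
        cleaned = re.sub(r"\([^)]*\)", "", m["privs"])
        privs = {p.strip().upper() for p in cleaned.split(",")}
        privs.discard("USAGE")  # USAGE means "no privileges"
        scope = m["scope"].replace("`", "")
        extra = sorted(privs - ALLOWED)
        if extra:
            findings.append((n, "excess privileges: " + ", ".join(extra)))
        if privs and scope.split(".")[0] != wiki_db:
            findings.append((n, f"scope {scope} is outside database {wiki_db}"))
        if "%" in m["host"]:
            findings.append((n, f"host pattern {m['host']!r} is a wildcard"))
        if "WITH GRANT OPTION" in m["rest"].upper():
            findings.append((n, "account can grant its privileges to others"))
    return findings

# Constructed sample output, not taken from a real server.
SAMPLE = [
    "GRANT USAGE ON *.* TO `wikiuser`@`10.0.0.5`",
    "GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, LOCK TABLES ON `wikidb`.* TO `wikiuser`@`10.0.0.5`",
    "GRANT ALL PRIVILEGES ON *.* TO `wikiadmin`@`%` WITH GRANT OPTION",
    "GRANT SELECT, DROP, ALTER ON `wikidb`.* TO `wikiuser`@`10.0.0.5`",
]

if __name__ == "__main__":
    for lineno, finding in audit_grants(SAMPLE, "wikidb"):
        print(f"line {lineno}: {finding}")
```

Feed it the lines returned by `SHOW GRANTS FOR` the wiki account; an empty result means the account holds nothing beyond the table's required set.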
Database Server Hardening
Beyond user permissions, secure the database server itself. The following table lists common hardening steps:
Hardening Step | Description | Priority |
---|---|---|
Firewall Configuration | Restrict access to the database server to only the MediaWiki web server(s). Use a firewall (e.g., `iptables`, `firewalld`, cloud provider firewall rules) to enforce this. | High |
Disable Remote Root Login | Prevent direct root login to the database server via SSH or other remote access methods. | High |
Keep Software Updated | Regularly apply security patches and updates to the database server software. This protects against known vulnerabilities. See Manual:Upgrading MediaWiki for general upgrade advice. | High |
Strong Password Policy | Enforce strong passwords for all database users, including the MediaWiki account. | High |
Audit Logging | Enable comprehensive audit logging to track database activity. This helps identify and investigate potential security incidents. See Extension:Audit for audit logging within MediaWiki itself. | Medium |
Limit Connections | Configure the database server to limit the maximum number of concurrent connections. This can help mitigate DoS attacks. | Medium |
Secure Configuration Files | Protect database configuration files (e.g., `my.cnf` for MySQL) from unauthorized access. | Medium |
Database Encryption
Consider encrypting the database at rest and in transit.
- Encryption at Rest: Encrypting the database files on disk protects data if the server is physically compromised. Database systems like MySQL and PostgreSQL offer encryption features.
- Encryption in Transit: Using SSL/TLS to encrypt the connection between the MediaWiki server and the database server prevents eavesdropping. This is generally enabled through database server configuration and requires configuring MediaWiki to use SSL. See Manual:HTTPS for setting up HTTPS for your wiki.
The following table provides a high-level overview of encryption options for common databases:
Database System | Encryption at Rest | Encryption in Transit |
---|---|---|
MySQL/MariaDB | Transparent Data Encryption (TDE), InnoDB encryption | SSL/TLS |
PostgreSQL | Transparent Data Encryption (TDE) via extensions | SSL/TLS |
Refer to your database system’s documentation for specific instructions on configuring encryption. Ensure your MediaWiki `LocalSettings.php` file is configured to utilize the encrypted connection.
Regular Backups
While not directly a security measure, regular database backups are *essential* for disaster recovery. If a security breach occurs, a recent backup allows you to restore the wiki to a known good state.
- Backup Frequency: Daily backups are recommended, with more frequent backups (e.g., hourly) for highly active wikis.
- Backup Storage: Store backups securely, offsite if possible, and encrypted.
- Backup Verification: Regularly test your backups to ensure they can be restored successfully. See Manual:Backups for comprehensive backup strategies.
Monitoring and Alerting
Implement monitoring and alerting to detect suspicious activity.
- Database Server Monitoring: Monitor CPU usage, memory usage, disk I/O, and network traffic on the database server.
- Log Analysis: Regularly analyze database logs for errors, unusual activity, and potential security breaches.
- Alerting: Configure alerts to notify you of critical events, such as failed login attempts, high CPU usage, or suspicious database queries.
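A sketch of the failed-login alert described above, as an added example that is not part of the original article: it scans database log lines for MySQL/MariaDB "Access denied" messages and raises an alert when one source host crosses a threshold inside a sliding time window. The log line layout, threshold and window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape: ISO timestamp first, then the server's
# "Access denied for user 'name'@'host'" message somewhere on the line.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s.*"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def failed_login_alerts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return one alert each time a source host reaches `threshold`
    failed logins inside a sliding time `window`."""
    recent = defaultdict(deque)  # host -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = DENIED_RE.match(line)
        if not m:
            continue  # not a failed login
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        q = recent[m["host"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"host": m["host"], "user": m["user"],
                           "count": len(q), "at": ts})
            q.clear()  # re-arm so one burst does not alert on every line
    return alerts

# Constructed sample lines, not taken from a real server.
DENIED = "[Note] Access denied for user 'wikiuser'@'{}' (using password: YES)"
SAMPLE = [
    f"2024-05-01T12:00:0{i}.000000Z 4{i} " + DENIED.format("203.0.113.7")
    for i in range(6)
] + [
    "2024-05-01T12:00:09.000000Z 50 " + DENIED.format("10.0.0.5"),
    "2024-05-01T12:00:10.000000Z 51 [Note] Aborted connection 51 to db: 'wikidb'",
    "2024-05-01T12:30:00.000000Z 52 " + DENIED.format("10.0.0.5"),
]

if __name__ == "__main__":
    for a in failed_login_alerts(SAMPLE):
        print(f"{a['at']} {a['count']} failed logins from {a['host']} as {a['user']}")
```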
Related Pages
- Manual:Configuration settings
- Manual:HTTPS
- Manual:Upgrading MediaWiki
- Manual:Backups
- Extension:Audit
- Security policy
- Special:Listusers
- Special:Log
- Help:Contents
- MediaWiki FAQ
- Manual:Database
- Manual:Installation
- Manual:Configuration
- Administering MediaWiki
- Database schema