Reputation: 8487
I set up two servers, one for MySQL, the other one for PHP. PHP serves the user and runs on top of nginx. The second server with MySQL can only be accessed from the same IP of the PHP web server.
This way I want to put an additional barrier between a possible intruder and him being able to access critical customer data stored in the MySQL db.
However, if somebody was to break into my PHP server, he would get access to all the PHP files and thus would also be able to get through to the MySQL server, because all the config files for PHP are on the PHP server.
What would be a good approach to get around this problem? I understand that this would be the worst-case scenario, but still, is there a way to store my config files more securely?
Upvotes: 1
Views: 146
Reputation: 63580
You could encrypt the customer data with the customer's password. Neither the PHP server nor the MySQL server knows that password. But you can obtain it from the customer himself. So, when the customer logs in, they will send you the password for authentication. In that brief moment, you will have the password that you can use to decrypt his data while sending it to him.
This way, if your whole site is compromised and the hacker has your code, your passwords, database access and everything, he will still be unable to read or modify the customer's data.
Upvotes: 1
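A sketch of the approach in the answer above, added here as an illustration and not part of the original answer: the key is derived from the customer's password with Argon2id and used for authenticated encryption through PHP's bundled sodium extension. The function names, the row layout and the sample values are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Derive a 32-byte key from the customer's password and a per-customer salt.
// Only the salt is stored; the password and the key never reach the database.
function deriveKey(string $password, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $password,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

// Returns the three values to store per record (hypothetical columns:
// salt, nonce, ciphertext). secretbox is authenticated encryption, so a
// ciphertext altered in the database fails to open instead of decrypting.
function encryptForCustomer(string $plaintext, string $password): array
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = deriveKey($password, $salt);
    $ct    = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($key); // drop the key as soon as the request is done with it
    return ['salt' => $salt, 'nonce' => $nonce, 'ciphertext' => $ct];
}

// Returns the plaintext, or null when the password is wrong or the stored
// ciphertext, nonce or salt has been modified.
function decryptForCustomer(array $row, string $password): ?string
{
    $key = deriveKey($password, $row['salt']);
    $pt  = sodium_crypto_secretbox_open($row['ciphertext'], $row['nonce'], $key);
    sodium_memzero($key);
    return $pt === false ? null : $pt;
}

// Constructed sample data, for illustration only.
$row = encryptForCustomer('Street 1, 12345 Sample City', 'customer-login-password');
var_dump(decryptForCustomer($row, 'customer-login-password')); // the address
var_dump(decryptForCustomer($row, 'some-other-password'));     // NULL

$row['ciphertext'][0] = chr(ord($row['ciphertext'][0]) ^ 1);   // simulate tampering
var_dump(decryptForCustomer($row, 'customer-login-password')); // NULL
```

With this layout a password change means decrypting and re-encrypting that customer's records, and a forgotten password makes them unrecoverable. The key exists in PHP memory only while the customer's own request is being handled.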
Reputation: 116170
If someone was to break into the PHP server, they would get access to the MySQL server too, but if they didn't actually break in, but only have access to the source files (because of a malfunctioning PHP or malfunctioning .htaccess), you could prevent great damage if you keep your config files and most of your source files out of your www root.
Many sites have a single entry point file from which the whole site runs. If only the entry file (usually index.php) is in the document root folder, and all included PHP files are moved up a folder, anyone who would be able to read files or get a directory listing would still not see those files.
It wouldn't help if anyone actually broke into your server, though. Best thing is to not let that happen.
Upvotes: 1
Reputation: 2133
You can try to set the owner of config.php to apache and set a mask like 0600 on this file... but if somebody can run PHP as the apache user it won't work. I think nothing will work if somebody has apache access to your server...
Upvotes: 0
Reputation: 5609
You can encrypt your PHP with IonCube or a similar product, which makes it extremely difficult to gain any sort of text stored within the PHP files themselves.
After that, you connect to MySQL via SSL so the potential hacker cannot use tcpdump and see what the connection string is by listening on a network interface.
That way you hide your DB credentials completely.
Upvotes: 1
Reputation: 23160
The user under which PHP runs needs to be able to access the database. So it is normal that if somebody gains the PHP user's rights, he will be able to access the database as well.
Basic security advice then applies. Restrict access to the PHP files to the webserver user only, and give only the needed privileges to the MySQL user. And, most important, don't forget to back up both the website and the databases.
Upvotes: 0
Reputation: 82078
I'd love to say that there is a way around this, but if PHP can access a server, then anyone who has access to the source has step-by-step instructions on how to access the other server. Restricting the machines which can access the DB is really your only hope once your PHP files are compromised.
Of course, you could also restrict read permissions on your files to http/www-dev/apache (whatever is reading your PHP), but if they've really compromised your server, there is no guarantee that they haven't gotten to these as well.
Upvotes: 0