Security Instructions for Operating a MariaDB/PostgreSQL Database
In order to operate a database securely on the RRZ's MariaDB (MySQL)/PostgreSQL database server, users must pay particular attention to the following points:
- The most common mistake is to store the database password in plain text in a file in a web directory (for example, in a PHP script). Instead, keep the access data for your database in variables that are assigned their values in a file kept in a secure location, and revoke the read permission for "other" on such files or scripts.
- Store passwords in the database only in encrypted form, never in plain text. Do not use software that does not meet this requirement.
- As always, do not use passwords that are too short, too simple, or easy to guess with dictionary attacks. Mix letters, numbers, and special characters, and use at least 8 characters.
- Use the RRZ's central phpMyAdmin installation to administer your database if you want to use a graphical tool. Do not install phpMyAdmin or similar tools yourself.
- Both MariaDB and PostgreSQL offer the option of encrypting the connection between client and server using SSL/TLS. To use encryption, the application or client configuration must be adjusted accordingly. However, even with transport encryption in place, sensitive personal data or confidential information does not belong in a MariaDB or PostgreSQL database for web applications.
- Since MariaDB (MySQL)/PostgreSQL databases are mostly used for web applications, the security of a website is closely linked to the security of the associated database. Please note the information on web application security.
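The first and fifth points above (credentials kept out of the web directory without "other" read permission, and a TLS-protected connection) can be enforced from the application side. The following is an added example, not RRZ code: it refuses a credentials file that lies under the web root or is readable by "other", and builds a libpq connection string that requires TLS with server-certificate verification. The web root path, file names, host and certificate path are constructed placeholders.

```python
import os
import stat
import tempfile
from configparser import ConfigParser
from pathlib import Path

# Hypothetical web root; on the real server use the site's document root.
WEB_ROOT = Path("/var/www")


def credential_file_problems(path, web_root=WEB_ROOT):
    """List why a credentials file is unsafe; an empty list means it passes."""
    p = Path(path).resolve()
    problems = []
    if web_root.resolve() in p.parents:
        problems.append("inside web root")
    mode = p.stat().st_mode
    if mode & stat.S_IROTH:        # the "other" read bit the instructions say to revoke
        problems.append("readable by other")
    if mode & stat.S_IWOTH:
        problems.append("writable by other")
    return problems


def load_credentials(path, web_root=WEB_ROOT):
    """Read the [database] section, refusing files that fail the checks above."""
    problems = credential_file_problems(path, web_root)
    if problems:
        raise PermissionError(f"{path}: {', '.join(problems)}")
    cfg = ConfigParser()
    cfg.read(path)
    return dict(cfg["database"])


def postgres_dsn(c):
    """libpq connection string: sslmode=verify-full refuses plaintext and checks the server cert."""
    return (f"host={c['host']} dbname={c['dbname']} user={c['user']} "
            f"password={c['password']} sslmode=verify-full sslrootcert={c['sslrootcert']}")


def demo():
    """Constructed example: one file inside a fake web root (mode 644), one outside (mode 640)."""
    base = Path(tempfile.mkdtemp())
    web, private = base / "htdocs", base / "private"
    web.mkdir()
    private.mkdir()
    body = ("[database]\nhost=db.example.invalid\ndbname=app\nuser=app\n"
            "password=constructed-secret\nsslrootcert=/etc/ssl/certs/ca.pem\n")
    bad, good = web / "db.ini", private / "db.ini"
    bad.write_text(body)
    good.write_text(body)
    os.chmod(bad, 0o644)
    os.chmod(good, 0o640)
    return {"bad": credential_file_problems(bad, web),
            "good": credential_file_problems(good, web),
            "dsn": postgres_dsn(load_credentials(good, web))}
```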
For security reasons, the RRZ has restricted access to the MariaDB (MySQL)/PostgreSQL database server to the University of Hamburg network (*.uni-hamburg.de). Since there are institutions that are part of the university but do not fall within this area because they are integrated into another research institution (e.g., DESY), users from these institutions cannot access the database server without consulting the RRZ. If the use of a VPN is not possible, please contact the RRZ service line to obtain activation.