Percona Server for MySQL - Hardened SQL Database with phpMyA
by Lynxroute
Percona Server 8.4.8 - CIS L1 hardened MySQL-compatible database on Ubuntu 24.04, SBOM + CIS
What is Percona Server for MySQL
Percona Server for MySQL is a free, open-source, drop-in replacement for MySQL Community Edition: a multi-threaded relational database server written in C/C++ and built on the InnoDB storage engine. It keeps full wire-protocol and behaviour compatibility with upstream MySQL, so existing applications, drivers, and tools connect unchanged, while adding enhanced instrumentation and performance diagnostics. It provides ACID transactions, standard SQL, native JSON, generated columns, window functions, common table expressions, full-text and spatial indexes, stored procedures, replication, and the caching_sha2_password authentication plugin. The image bundles Percona XtraBackup for hot, non-blocking physical backups and Percona Toolkit for database operations, plus the phpMyAdmin web UI for browser-based administration. GPL-2.0 license, no vendor lock-in.
Why self-host Percona Server for MySQL
Self-hosting keeps every row of your data inside your own tenant rather than in a managed service. Running the database on a VM you control suits teams with data-residency requirements, organisations operating under HIPAA, GDPR, or ISO 27001, and any product where storing customer records outside your own perimeter is not an option. You keep full control of versions, configuration, and backups, with no per-query fees.
What this VM image adds
Security hardening:
- Root password and sample database at first boot - a strong root password and a sample application database plus user are generated per instance at first boot, never a default or empty password
- Secure-installation equivalent - anonymous users and the test database are removed; the root account is restricted to localhost
- Native TLS per instance - enabled at first boot with a per-instance self-signed certificate; no shared private key is baked into the image. Clients connect with --ssl-mode=REQUIRED, which guarantees encryption but does not check who issued the server certificate; to also authenticate the server, copy the instance's certificate to the client and use --ssl-mode=VERIFY_CA with --ssl-ca pointing at it
- VNet-internal access - port 3306 is reachable only from sources your Network Security Group allows and is not exposed to the internet; the X protocol (33060) is bound to localhost
- Bundled phpMyAdmin over HTTPS - served only on 443 behind an nginx TLS perimeter (per-instance self-signed certificate; swap in your own with certbot); cookie auth against Percona Server, blowfish secret generated per instance, the setup script removed
- UFW firewall - host firewall admitting SSH on 22 plus 3306 and 443, which your Network Security Group scopes to trusted sources; Azure IMDS and WireServer egress pre-configured
- fail2ban - SSH brute-force protection
- AppArmor - mandatory access control
- CVE scan - every image is scanned with Trivy before release
OS hardening (CIS Level 1):
- CIS Ubuntu 24.04 LTS Level 1 Benchmark via ansible-lockdown
- auditd for system call auditing of critical paths
- SSH hardening - PasswordAuthentication disabled, key-only access, PermitRootLogin no, LoginGraceTime 60
- Kernel hardening - SYN cookies, ASLR, rp_filter, kexec disabled, IPv6 off
- /tmp as tmpfs with nosuid, nodev, noexec
Compliance artifacts (inside the VM):
- SBOM - CycloneDX 1.6 at /etc/lynxroute/sbom.json with Percona Server pinned by version, PURL, GPL-2.0 license, and supplier
- CIS Conformance Report at /etc/lynxroute/cis-report.html (OpenSCAP, Azure tailoring profile, 0 FAIL rules)
- Tailored CIS profile at /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md
- Operator credentials file at /root/percona-mysql-credentials.txt (mode 0600) with the root password and the sample appdb/appuser credentials
Quick Start
- Deploy VM from Azure Marketplace (Standard_D2s_v3 or larger recommended)
- Open NSG: TCP 3306 to trusted app-tier sources in the same VNet, TCP 443 to trusted admin IPs for phpMyAdmin, TCP 22 from your management IPs only
- SSH: ssh -i key.pem azureuser@<PUBLIC_IP>, then sudo cat /root/percona-mysql-credentials.txt for the root and appuser passwords
- Connect from an app server in the same VNet: mysql -h <PRIVATE_IP> -P 3306 -u appuser -p --ssl-mode=REQUIRED appdb
- Open the phpMyAdmin web UI at https://<PUBLIC_IP>/phpmyadmin/ and log in with any Percona/MySQL account (e.g. appuser); the certificate is self-signed by default
Never expose port 3306 to the public internet - keep it scoped to trusted app-tier sources in your VNet; the phpMyAdmin UI is reached only on 443 and should likewise be restricted to trusted IPs.
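The quick start gives the connection commands; the script below is an added example, not part of the Lynxroute image, that checks the hardening claims from the "What this VM image adds" section once the VM is up. It assumes it runs on the VM itself as root, with the root password from /root/percona-mysql-credentials.txt exported as MYSQL_PWD (the file's layout is not documented here, so it is not parsed), and that the mysql and openssl clients are on the PATH. The function and variable names are the example's own. It goes one step past the page by also checking require_secure_transport, the server-side setting that refuses plaintext TCP clients regardless of what --ssl-mode they pass.

```shell
#!/bin/sh
# verify-percona-hardening.sh: post-deploy checks for the hardening claims above.
# Added example, not part of the Lynxroute image. Run on the VM as root with the
# root password exported as MYSQL_PWD (the mysql client reads that variable):
#   export MYSQL_PWD='...'; sh verify-percona-hardening.sh run
set -eu

MYSQL_BIN="${MYSQL_BIN:-mysql}"   # overridable so the check_* parsers can be exercised offline
MYSQL_PORT="${MYSQL_PORT:-3306}"

# Run one statement as root over the local socket (root is localhost-only).
# -N drops the header row, -B prints tab-separated rows: the format the parsers expect.
run_sql() {
  "$MYSQL_BIN" -u root -N -B -e "$1"
}

# $1 = rows of "user<TAB>host" from mysql.user. Fails if an anonymous account
# remains or if root may log in from anywhere but localhost (assumed host value).
check_accounts() {
  printf '%s\n' "$1" | awk -F'\t' '
    NF >= 2 && $1 == ""                          { bad++; print "FAIL anonymous account @" $2 }
    NF >= 2 && $1 == "root" && $2 != "localhost" { bad++; print "FAIL root account allowed from " $2 }
    END { exit (bad > 0) }'
}

# $1 = schema names matching "test"; the secure-installation step should have dropped it.
check_test_db_absent() {
  [ -z "$1" ]
}

# $1 = @@require_secure_transport (1/0). With it ON the server refuses a TCP client
# that forgot --ssl-mode=REQUIRED instead of silently accepting plaintext.
check_secure_transport() {
  [ "$1" = "1" ]
}

# $1 = @@mysqlx_bind_address; the X protocol (33060) should listen on loopback only.
check_x_protocol_local() {
  [ "$1" = "127.0.0.1" ] || [ "$1" = "localhost" ] || [ "$1" = "::1" ]
}

# Credential-free TLS probe: openssl drives the MySQL STARTTLS exchange and
# x509 prints the certificate it was handed (and fails if no handshake happened).
probe_tls() {
  openssl s_client -starttls mysql -connect "127.0.0.1:$MYSQL_PORT" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}

verify_percona_hardening() {
  rc=0
  run_sql "SELECT 1" >/dev/null || { echo "cannot connect as root; export MYSQL_PWD first"; return 2; }

  if check_accounts "$(run_sql "SELECT user, host FROM mysql.user")"; then
    echo "ok   no anonymous accounts; root is localhost-only"
  else rc=1; fi

  if check_test_db_absent "$(run_sql "SELECT schema_name FROM information_schema.schemata WHERE schema_name = 'test'")"; then
    echo "ok   test database absent"
  else echo "FAIL test database still present"; rc=1; fi

  if check_secure_transport "$(run_sql "SELECT @@require_secure_transport")"; then
    echo "ok   require_secure_transport=ON"
  else echo "WARN require_secure_transport is OFF; SET PERSIST require_secure_transport = ON to refuse plaintext TCP clients"; fi

  if check_x_protocol_local "$(run_sql "SELECT @@mysqlx_bind_address")"; then
    echo "ok   X protocol bound to loopback"
  else echo "FAIL mysqlx_bind_address is not loopback"; rc=1; fi

  if probe_tls; then echo "ok   TLS handshake on $MYSQL_PORT succeeded"
  else echo "FAIL no TLS handshake on $MYSQL_PORT"; rc=1; fi
  return "$rc"
}

if [ "${1:-}" = "run" ]; then
  verify_percona_hardening
fi
```

require_secure_transport is reported as a warning rather than a failure because the page only promises that TLS is enabled, not that the server enforces it; turning it on is safe for the operator's own sessions, since MySQL treats Unix-socket connections as secure transport, but any application that connects without --ssl-mode=REQUIRED must be fixed first.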