If your databases are attacked, you may face threats such as brute force attacks, information leakage, and malicious command execution, which can cause business losses. Cloud Firewall can defend against these threats to enhance the security of your databases. This topic describes the best practices for database security defense.
Requirements for database security defense
A database is a system for an enterprise to manage and store data resources. A database stores large amounts of valuable and sensitive data. As a result, databases become the primary target of attacks. Database security is vital to normal business operations and the growth of enterprises.
Databases may face the following major security threats:
Brute-force attacks
Brute-force attacks directly cause databases to be compromised.
Database application vulnerabilities
For example, Common Vulnerabilities and Exposures (CVE) of databases may cause denial-of-service (DoS) attacks on database applications, malicious command execution, or data breaches.
Malicious command execution and file reading or writing
For example, attackers call high-risk stored procedures or functions, which may cause malicious command execution and file reading or writing.
Data theft and breaches
Attackers sell stolen data or defraud others, which results in economic loss.
Solution provided by Cloud Firewall
The intrusion prevention feature of Cloud Firewall can defend against intrusions into the following types of self-managed databases hosted on Elastic Compute Service (ECS) instances:
MySQL
Microsoft SQL Server
Redis
PostgreSQL
Memcache
MongoDB
Oracle
How to use Cloud Firewall to prevent intrusions to databases
To ensure the normal running of a database, Cloud Firewall provides multi-point prevention against all the risks that the database faces.
Brute-force attacks
Threat intelligence: The threat intelligence feature of Cloud Firewall can detect network-wide attacks and block scans or intrusions in advance.
Database application vulnerabilities
Virtual patching: The virtual patching feature of Cloud Firewall prevents the high-risk application vulnerabilities of databases.
Malicious command execution and file reading or writing
Basic protection: The basic protection feature of Cloud Firewall blocks malicious operations in real time. The operations include system file operations, webshell writing, and the call of stored procedures or user-defined functions (UDFs).
Data theft and breaches
High-risk SQL blocking: The basic protection feature of Cloud Firewall blocks data breach operations in real time to prevent data from being stolen.
Procedure
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Internet Border tab of the IPS Configuration page, select Blocking Mode - Loose for Block Mode in the Threat Engine Mode section. 
Turn on Threat Intelligence in the Threat Intelligence section.
Turn on Basic Rules in the Basic Protection section.
Turn on Virtual Patching in the Virtual Patching section.
For more information about how to configure intrusion prevention policies, see IPS configuration.
Elastic Compute Service (ECS)
Container Compute Service (ACS)
