06. Role: Database Server

Server basis data menjalankan MySQL, PostgreSQL, MongoDB, dan Valkey (Redis alternative). Akses dibatasi pada jaringan yang telah ditentukan (LAN, Virtual Mesh, Campus Wide).

4.1 Instalasi Paket

Instal database engine sesuai kebutuhan proyek.

4.1.1 MariaDB / MySQL

sudo apt update && sudo apt install -y mariadb-server

4.1.2 PostgreSQL

sudo apt update && sudo apt install -y postgresql

4.1.3 MongoDB (v8.2)

Memerlukan repository resmi MongoDB.

curl -fsSL https://www.mongodb.org/static/pgp/server-8.2.asc | sudo gpg --dearmor -o /usr/share/keyrings/mongodb-server-8.2.gpg
echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-8.2.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/8.2 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-8.2.list
sudo apt update && sudo apt install -y mongodb-org

4.1.4 Valkey (Redis Alternative)

Valkey adalah fork open-source dari Redis yang sepenuhnya kompatibel.

sudo apt update
sudo apt install -y valkey

# Opsional: Instal paket kompatibilitas untuk symlink redis-*
sudo apt install -y valkey-redis-compat

4.2 Firewall Rules (UFW)

Akses hanya diizinkan dari jaringan internal terpercaya.

# Trusted Sources
# Protected LAN: <YOUR_PRIVATE_LAN>
# Cloudflare CGNAT (Virtual Mesh): <CLOUDFLARE_MESH_SUBNET>
# Campus Wide: <YOUR_CAMPUS_SUBNET>

# MySQL (3306)
sudo ufw allow from <YOUR_PRIVATE_LAN> to any port 3306 proto tcp
sudo ufw allow from <CLOUDFLARE_MESH_SUBNET> to any port 3306 proto tcp
sudo ufw allow from <YOUR_CAMPUS_SUBNET> to any port 3306 proto tcp

# PostgreSQL (5432)
sudo ufw allow from <YOUR_PRIVATE_LAN> to any port 5432 proto tcp
sudo ufw allow from <CLOUDFLARE_MESH_SUBNET> to any port 5432 proto tcp
sudo ufw allow from <YOUR_CAMPUS_SUBNET> to any port 5432 proto tcp

# MongoDB (27017)
sudo ufw allow from <YOUR_PRIVATE_LAN> to any port 27017 proto tcp
sudo ufw allow from <CLOUDFLARE_MESH_SUBNET> to any port 27017 proto tcp
sudo ufw allow from <YOUR_CAMPUS_SUBNET> to any port 27017 proto tcp

# Valkey/Redis (6379) - Public Access for Pub/Sub IoT
sudo ufw allow 6379/tcp

4.3 Setup Akun Admin Khusus

Setiap engine harus memiliki akun admin dengan password yang kuat untuk manajemen.

MySQL / MariaDB

CREATE USER 'dbadmin'@'localhost' IDENTIFIED BY 'PASSWORD_KUAT';
GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;

PostgreSQL

sudo -u postgres psql -c "CREATE ROLE dbadmin WITH LOGIN SUPERUSER PASSWORD 'PASSWORD_KUAT';"

MongoDB

use admin
db.createUser({
  user: "dbadmin",
  pwd: "PASSWORD_KUAT",
  roles: [ { role: "root", db: "admin" } ]
})

Valkey

Edit /etc/valkey/valkey.conf:

user dbadmin on >PASSWORD_KUAT allkeys allchannels allcommands

4.4 Hardening & Konfigurasi Per Engine

MySQL / MariaDB

Bind Address: Pastikan mendengarkan pada interface internal (LAN/Mesh/Campus).
Least Privilege: Gunakan user aplikasi terpisah untuk akses database spesifik.

PostgreSQL

pg_hba.conf: Batasi otentikasi hanya dari CIDR internal terpercaya menggunakan scram-sha-256.

Lokasi file: /etc/postgresql/<VERSION>/main/pg_hba.conf

Tambahkan baris berikut:

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# Internal LAN
host    all             all             <YOUR_PRIVATE_LAN>      scram-sha-256
# Virtual Mesh
host    all             all             <CLOUDFLARE_MESH_SUBNET> scram-sha-256
# Data Center A
host    all             all             <YOUR_DC_SUBNET_A>      scram-sha-256
# Data Center B
host    all             all             <YOUR_DC_SUBNET_B>      scram-sha-256
# Campus Wide
host    all             all             <YOUR_CAMPUS_SUBNET>    scram-sha-256

MongoDB

Authorization: Pastikan security.authorization: enabled aktif di /etc/mongod.conf.
Bind IP: Dengarkan pada IP internal yang tersedia.

Valkey (Database & Pub/Sub)

Valkey digunakan untuk dua fungsi utama:

Persistent Database: Penyimpanan key-value dengan persistensi AOF (appendonly yes).
Pub/Sub Broker: Digunakan untuk komunikasi antar service secara real-time melalui channel messaging.

4.5 Integrasi CrowdSec

CrowdSec memantau kegagalan upaya otentikasi pada database.

# Instal koleksi sesuai engine yang digunakan
sudo cscli collections install crowdsecurity/mysql
sudo cscli collections install crowdsecurity/pgsql
sudo cscli collections install crowdsecurity/mongodb

Pastikan bouncer aktif untuk menangani pemblokiran otomatis pada tingkat kernel.