
Hardening MySQL

As of 2008, MySQL is the world's most used open source relational database management system (RDBMS). It runs as a server providing multi-user access to a number of databases.
MySQL is a popular choice of database for use in web applications, and is a central component of the widely used LAMP open source web application software stack (and other 'AMP' stacks). LAMP is an acronym for "Linux, Apache, MySQL, Perl/PHP/Python." Free and open source software projects that require a full-featured database management system often use MySQL.

As you all know, with great power comes great responsibility :D ...and malware too ;-). So how can we make it difficult or impossible for any hacker to exploit our network by leveraging a flaw in the MySQL server running on our system?
The following tips answer this question in depth:
Tip 1: Disable Remote Access
To restrict MySQL from opening a network socket, the following parameter should be added in the [mysqld] section of my.cnf or my.ini:
skip-networking
Another possible solution is to force MySQL to listen only to the localhost by adding the following line in the [mysqld] section of my.cnf:
bind-address=127.0.0.1


Tip 2: Disable Use of local infile
In certain cases, the "LOCAL INFILE" command can be used to gain access to other files on the operating system, for instance "/etc/passwd", using the following command:
mysql> LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE table1;
Or even simpler:
mysql> SELECT load_file("/etc/passwd");
To disable the usage of the "LOCAL INFILE" command, the following parameter should be added in the [mysqld] section of the MySQL configuration file:
local-infile=0


Tip 3: Change Default usernames and their passwords
To rename the administrator’s username, use the rename command in the MySQL console:
mysql> RENAME USER root TO new_user;

The MySQL "RENAME USER" command first appeared in MySQL version 5.0.2. If you use an older version of MySQL, you can use other commands to rename a user:
mysql> use mysql;
mysql> update user set user="new_user" where user="root";
mysql> flush privileges;

To change a user’s password, use the following command in the MySQL console:
mysql> SET PASSWORD FOR 'username'@'%hostname' = PASSWORD('newpass');
It is also possible to change the password using the "mysqladmin" utility:
shell> mysqladmin -u username -p password newpass


Tip 4: Remove Default database
To remove the default "test" database, use the drop command as follows:
mysql> drop database test;

Or use the "mysqladmin" command:
shell> mysqladmin -u username -p drop test


Tip 5: Remove Anonymous accounts
The MySQL database comes with some anonymous users with blank passwords. As a result, anyone can connect to the database. To check whether this is the case, do the following:
mysql> select * from mysql.user where user="";
In a secure system, no lines should be echoed back. Another way to do the same:
mysql> SHOW GRANTS FOR ''@'localhost';
mysql> SHOW GRANTS FOR ''@'myhost';
To drop such accounts, use the following commands:
mysql> DROP USER "";
Or
mysql> use mysql;
mysql> DELETE FROM user WHERE user="";
mysql> flush privileges;


Tip 6: Lower System privileges
To protect your database, make sure that the file directory in which the MySQL database is actually stored is owned by the user "mysql" and the group "mysql".
shell> ls -l /var/lib/mysql
In addition, ensure that only the user "mysql" and "root" have access to the directory /var/lib/mysql. The mysql binaries, which reside under the /usr/bin/ directory, should be owned by "root" or the specific system "mysql" user. Other users should not have write access to these files.
shell> ls -l /usr/bin/my*
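
The two ls checks above can be automated. The following is an added example, not code from the original post: it walks a directory tree and reports entries with an unexpected owner or with permission bits open to other users. The function names, the temporary directory and the file names in demo() are constructed for illustration; demo() audits as the current user so that it runs without a "mysql" account.

```python
import os
import stat
import tempfile

def audit_tree(top, allowed_uids, deny_other):
    """Return (path, problem) pairs for entries under top that have an
    unexpected owner or grant any of the deny_other mode bits."""
    paths = [top]
    for root, dirs, files in os.walk(top):
        paths += [os.path.join(root, name) for name in sorted(dirs + files)]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # permission bits of a symlink itself are not meaningful
        if st.st_uid not in allowed_uids:
            findings.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & deny_other:
            findings.append((path, "mode %o is open to other users"
                             % stat.S_IMODE(st.st_mode)))
    return findings

def demo():
    """Build a constructed data directory and audit it as the current user."""
    top = tempfile.mkdtemp(prefix="mysql-datadir-")
    os.chmod(top, 0o700)
    for name, mode in (("ibdata1", 0o660), ("leaky.frm", 0o644)):
        path = os.path.join(top, name)
        open(path, "w").close()
        os.chmod(path, mode)
    # Data directory policy: no access at all for "other" (stat.S_IRWXO).
    # For the binaries in /usr/bin, pass stat.S_IWOTH to flag only write access.
    # On a real host: allowed_uids = {0, pwd.getpwnam("mysql").pw_uid}
    return audit_tree(top, {os.getuid()}, stat.S_IRWXO)

if __name__ == "__main__":
    for path, problem in demo():
        print(path, "-", problem)
```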


Tip 7: Lower Database Privileges
Some user IDs are used to access the data, such as the user ID assigned to the web server to execute "select/update/insert/delete" queries and to execute stored procedures. In most cases, no other users are necessary; however, only you, as a system administrator, can really know your application’s needs. Only administrator accounts need to be granted the SUPER / PROCESS / FILE privileges and access to the mysql database. Usually, it is a good idea to lower the administrator’s permissions for accessing the data. Review the privileges of the rest of the users and ensure that these are set appropriately. This can be done using the following steps.
[Identify users]
mysql> use mysql;
mysql> select * from user;
[List grants of all users]
mysql> show grants for 'root'@'localhost';
To disable the usage of the "SHOW DATABASES" command, the following parameter should be added in the [mysqld] section of the /etc/mysql/my.cnf:
[mysqld]
skip-show-database


Tip 8: Enabling Logging
Enable transaction logging by adding the following line to the [mysqld] section of the /etc/mysql/my.cnf file:
[mysqld]
log=/var/log/mysql-logfile


Tip 9: Chroot MySQL
Soon I'll post how to jail MySQL in Ubuntu.


Tip 10: Security Feature in MySQL

  •  Cryptographic functions: AES_ENCRYPT(), AES_DECRYPT(), DES_ENCRYPT(), DES_DECRYPT()…
  •  Encrypting is not safe, as secrets are logged by MySQL in open text: process list, InnoDB status, general log, error log, binary log, slow log.
  •  Avoid doing encryption in MySQL.


Tip 11: Connection encryption


  •  Everything flows over network in open text.
  •  Needs certificates
  •  free self-signed ones are usually good too!
  •  Enabled with these options: ssl-ca, ssl-cert, ssl-key
  •  Clients have to ask for encryption!
  •  User access restrictions based on SSL

    Examples:

  •  GRANT … TO 'sso'@'10.0.5.%' … REQUIRE SSL
  •  GRANT … TO 'sso'@'10.0.5.%' … REQUIRE X509
  •  GRANT … TO 'sso'@'10.0.5.%' … REQUIRE [ISSUER|SUBJECT] '/C=PL/L=Krakow/O=PSCE/CN=Single Sign-On Service'
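
The [mysqld] options recommended in Tips 1, 2, 7 and 11 can be checked in one pass over the configuration file. The following is an added example, not code from the original post: it parses a my.cnf and lists which of those options are missing. The sample file and the function names are constructed for illustration, and the audit assumes LOCAL INFILE counts as enabled unless it is explicitly set to 0.

```python
import configparser
import re

# Constructed sample my.cnf (not from the post): listens on all interfaces,
# LOCAL INFILE left on, SHOW DATABASES unrestricted, no TLS files.
SAMPLE_MY_CNF = """
[mysqld]
bind-address=0.0.0.0
local_infile=1
!includedir /etc/mysql/conf.d/
"""

def load_mysqld_options(text):
    """Parse the [mysqld] section into {option-name: value-or-None}."""
    # Drop !include directives (not followed here) and unwrap the legacy
    # "set-variable=name=value" spelling before handing over to configparser.
    lines = [re.sub(r"^set-variable\s*=\s*", "", ln.strip())
             for ln in text.splitlines() if not ln.strip().startswith("!")]
    parser = configparser.ConfigParser(allow_no_value=True, strict=False,
                                       interpolation=None)
    parser.read_string("\n".join(lines))
    if not parser.has_section("mysqld"):
        return {}
    # MySQL accepts '-' and '_' interchangeably in option names.
    return {k.replace("_", "-"): v for k, v in parser.items("mysqld")}

def is_on(opts, name):
    """True when a flag is present and not explicitly set to 0/off/false."""
    return name in opts and (opts[name] or "1").lower() not in ("0", "off", "false")

def audit(text):
    """Return findings for the options recommended in Tips 1, 2, 7 and 11."""
    opts = load_mysqld_options(text)
    findings = []
    local_only = opts.get("bind-address") in ("127.0.0.1", "localhost", "::1")
    if not (is_on(opts, "skip-networking") or local_only):
        findings.append("Tip 1: remote access not disabled")
    # Assumption: LOCAL INFILE counts as enabled unless explicitly set to 0.
    if "local-infile" not in opts or is_on(opts, "local-infile"):
        findings.append("Tip 2: local-infile not disabled")
    if not is_on(opts, "skip-show-database"):
        findings.append("Tip 7: skip-show-database not set")
    missing = [k for k in ("ssl-ca", "ssl-cert", "ssl-key") if not opts.get(k)]
    if missing:
        findings.append("Tip 11: missing " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MY_CNF)))
```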



Tip 12: Remove History
The history of executed commands is stored in a plain text file. To clear it, run:
shell> cat /dev/null > ~/.mysql_history
