Skip to main content

Hardening Mysql

MySQL is the world's most used open source relational database management system (RDBMS) as of 2008 that runs as a server providing multi-user access to a number of databases.
MySQL is a popular choice of database for use in web applications, and is a central component of the widely used LAMP open source web application software stack (and other 'AMP' stacks). LAMP is an acronym for "Linux, Apache, MySQL, Perl/PHP/Python." Free-software-open source projects that require a full-featured database management system often use MySQL.

As you all known with great power  comes great responsibility :D...and malwares too ;-).So how can we make it difficult or impossible for any hacker to exploit our network by leveraging flaw in mysql running on our system??
Following tips will answer this question in depth:
Tip 1:Disable Remote Access
To restrict MySQL from opening a network socket, the following parameter should be added in the [mysqld] section of my.cnf or my.ini:
skip-networking
Another possible solution is to force MySQL to listen only to the localhost by adding the following line in the [mysqld] section of my.cnf
bind-address=127.0.0.1


Tip 2:Disable Use of local infile
In addition, in certain cases, the "LOCAL INFILE" command can be used to gain access to other files on the operating system, for instance "/etc/passwd", using the following command:
 mysql> LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE table1
Or
even simpler:
mysql> SELECT load_file("/etc/passwd")
To disable the usage of the "LOCAL INFILE" command, the following parameter should be added in the [mysqld] section of the MySQL configuration file.
set-variable=local-infile=0


Tip 3:Change Default usernames and their passwords
To rename the administrator’s username, use the rename command in the MySQL console:
 mysql> RENAME USER root TO new_user;

The MySQL "RENAME USER" command first appeared in MySQL version 5.0.2. If you use an older version of MySQL, you can use other commands to rename a user:
mysql> use mysql;
mysql> update user set user="new_user" where user="root";
mysql> flush privileges;

To change a user’s password, use the following command-line command:
mysql> SET PASSWORD FOR 'username'@'%hostname' = PASSWORD('newpass');
It is also possible to change the password using the "mysqladmin" utility:
shell> mysqladmin -u username -p password newpass


Tip 4:Remove Default database
To remove this database, use the drop command as follows:
mysql> drop database test;

Or
use the "mysqladmin" command:
shell> mysqladmin -u username -p drop test


Tip 5:Remove Anonymous accounts
The MySQL database comes with some anonymous users with blank passwords. As a result, anyone can connect to the database To check whether this is the case, do the following:
mysql> select * from mysql.user where user="";
In a secure system, no lines should be echoed back. Another way to do the same:
mysql> SHOW GRANTS FOR ''@'localhost';
mysql> SHOW GRANTS FOR ''@'myhost';
To drop such accounts use following commands
mysql> DROP USER "";
Or
mysql> use mysql;
mysql> DELETE FROM user WHERE user="";
mysql> flush privileges;


Tip 6:Lower System privileges
To protect your database, make sure that the file directory in which the MySQL database is actually stored is owned by the user "mysql" and the group "mysql".
shell>ls -l /var/lib/mysql
In addition, ensure that only the user "mysql" and "root" have access to the directory /var/lib/mysql. The mysql binaries, which reside under the /usr/bin/ directory, should be owned by "root" or the specific system "mysql" user. Other users should not have write access to these files.
shell>ls -l /usr/bin/my*


Tip 7:Lower Database Privileges
some user ids are used to access the data, such as the user id assigned to the web server to execute "select\update\insert\delete" queries and to execute stored procedures. In most cases, no other users are necessary; however, only you, as a system administrator can really know your application’s needs. Only administrator accounts need to be granted the SUPER / PROCESS /FILE privileges and access to the mysql database. Usually, it is a good idea to lower the administrator’s permissions for accessing the data. Review the privileges of the rest of the users and ensure that these are set appropriately. This can be done using the following steps.
mysql> use mysql; [Identify users]
mysql> select * from users; [List grants of all users]
mysql> show grants for ‘root’@’localhost’;
disable the usage of the "SHOW DATABASES" command, the following parameter should be added in the [mysqld] section of the /etc/mysql/my.cnf:
[mysqld]
skip-show-database


Tip 8:Enabling Logging
enable transaction logging, by adding the following line to [mysqld] section of the /etc/mysql/my.cnf file:
 [mysqld]
log =/var/log/mysql-logfile


Tip 9:Chroot Mysql
soon i ll post how to jail mysql in ubuntu.


Tip 10:Security Feature in Mysql
Cryptographic functions – AES_ENCRYPT(), AES_DESCRYPT(), DES_ENCRYPT(), DES_DECRYPT()… – Encrypting is not safe as secrets are logged by MySQL in open text: • Process list, InnoDB status, general log, error log, binary log, slow log. – Avoid doing encryption in MySQL.


Tip 11:Connection encryption


  •  Everything flows over network in open text.
  •  Needs certificates
  •  free self-signed ones are usually good too!
  •  Enabled with these options: ssl-ca, ssl-cert, ssl-key
  •  Clients have to ask for encryption!
  •  User access restrictions based on SSL

    Examples:

  •  GRANT … FOR ‘sso’@’10.0.5.%’ … REQUIRE SSL
  •  GRANT … FOR ‘sso’@’10.0.5.%’ … REQUIRE X509
  •  GRANT … FOR ‘sso’@’10.0.5.%’ … REQUIRE [ISSUER|SUBJECT] '/C=PL/L=Krakow/O=PSCE/CN=Single Sign-On Service‘



Tip 12:Remove History
To remove history of commands executed which are stored in a plain text file follow following procedure:
cat /dev/null > ~/.mysql_history

Comments

Popular posts from this blog

Hacking Windows 10 UWP App: DLL Injection & common Vulnerabilities

I recently started working on  widows 10 Apps( Apps not Applications) security. Before diving deep in hacking terms lets try to understand what's new in Windows 10 UWP( Universal Platform) as compared to old Apps. Lets begin with how apps actually work on windows 10(desktop/tablet). Now windows 10 comes with a container only for running apps inside the isolated environment. By default, /APPCONTAINER(Linker Flag) is off. This option modifies an executable to indicate whether the app must be run in the appcontainer process-isolation environment. Specify /APPCONTAINER for an app that must run in the appcontainer environment—for example, a Windows Store app. (The option is set automatically in Visual Studio when you create a Windows Store app from a template.) For a desktop app, specify /APPCONTAINER:NO or just omit the option. The /APPCONTAINER option was introduced in Windows 8. Now there is no registry entry concept for these app in the System HIVE rather they install they own hiv...

Installing vmware-11.0 on Ubuntu 15.04 Using kernel Patch

curl http://pastie.org/pastes/9934018/download -o /tmp/vmnet-3.19.patch cd /usr/lib/vmware/modules/source tar -xf vmnet.tar patch -p0 -i /tmp/vmnet-3.19.patch tar -cf vmnet.tar vmnet-only rm -r *-only vmware-modconfig --console --install-all References: http://askubuntu.com/questions/605530/vmware-player-7-1-0-on-ubuntu-15-04-kernel-3-19-0-10-generic-app-loading http://askubuntu.com/questions/617704/failed-to-build-vmnet-for-kernel-3-19

SSI Injection Attack

SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields. It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like:  Code: < ! # = / . " - > and [a-zA-Z0-9] Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these type of pages does not mean that th...