MySQL is, as of 2008, the world's most used open source relational database management system (RDBMS); it runs as a server providing multi-user access to a number of databases.
MySQL is a popular choice of database for use in web applications, and is a central component of the widely used LAMP open source web application software stack (and other 'AMP' stacks). LAMP is an acronym for "Linux, Apache, MySQL, Perl/PHP/Python." Free-software and open source projects that require a full-featured database management system often use MySQL.
As you all know, with great power comes great responsibility :D ... and malware too ;-). So how can we make it difficult or impossible for an attacker to exploit our network by leveraging a flaw in the MySQL server running on our system?
The following tips answer this question in depth:
Tip 1: Disable Remote Access
To stop MySQL from opening a network socket at all, add the following parameter to the [mysqld] section of my.cnf (my.ini on Windows):
skip-networking
Another possible solution is to force MySQL to listen only on the localhost interface by adding the following line to the [mysqld] section of my.cnf:
bind-address=127.0.0.1
Tip 2: Disable Use of LOCAL INFILE
In certain cases the "LOCAL INFILE" command can be used to read other files on the operating system, for instance "/etc/passwd", using the following command:
mysql> LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE table1;
Or even simpler:
mysql> SELECT load_file("/etc/passwd");
To disable the "LOCAL INFILE" command, add the following parameter to the [mysqld] section of the MySQL configuration file (older versions wrote this as set-variable=local-infile=0; the set-variable= prefix is deprecated):
local-infile=0
Note that load_file() and the non-LOCAL form of LOAD DATA INFILE read files on the server side; they are governed by the FILE privilege (see Tip 7) and the secure_file_priv setting, not by local-infile.
Tip 3: Change Default Usernames and Their Passwords
To rename the administrator's username, use the RENAME USER command in the MySQL console (include the host part, since the default account is 'root'@'localhost'):
mysql> RENAME USER 'root'@'localhost' TO 'new_user'@'localhost';
The MySQL "RENAME USER" command first appeared in MySQL version 5.0.2. If you use an older version of MySQL, you can rename a user by editing the grant table directly:
mysql> use mysql;
mysql> update user set user="new_user" where user="root";
mysql> flush privileges;
To change a user's password, use the following command in the MySQL console:
mysql> SET PASSWORD FOR 'username'@'hostname' = PASSWORD('newpass');
(From MySQL 5.7.6 the PASSWORD() function is deprecated; use SET PASSWORD FOR 'username'@'hostname' = 'newpass'; instead.)
It is also possible to change the password using the "mysqladmin" utility:
shell> mysqladmin -u username -p password newpass
Tip 4: Remove the Default Database
A default MySQL installation ships with a database named "test" that is not needed in production. To remove it, use the drop command as follows:
mysql> drop database test;
Or use the "mysqladmin" command:
shell> mysqladmin -u username -p drop test
Tip 5: Remove Anonymous Accounts
The MySQL database comes with some anonymous users with blank passwords. As a result, anyone can connect to the database. To check whether this is the case, do the following:
mysql> select user, host from mysql.user where user="";
In a secure system, no rows should be returned. Another way to do the same:
mysql> SHOW GRANTS FOR ''@'localhost';
mysql> SHOW GRANTS FOR ''@'myhost';
To drop such accounts, use the following commands (give the host exactly as it appears in the user table; DROP USER '' on its own removes only ''@'%'):
mysql> DROP USER ''@'localhost';
Or
mysql> use mysql;
mysql> DELETE FROM user WHERE user="";
mysql> flush privileges;
Tip 6: Lower System Privileges
To protect your database, make sure that the directory in which the MySQL data is actually stored is owned by the user "mysql" and the group "mysql":
shell> ls -l /var/lib/mysql
In addition, ensure that only the users "mysql" and "root" have access to the directory /var/lib/mysql. The MySQL binaries, which reside under the /usr/bin/ directory, should be owned by "root" or by the dedicated system user "mysql". Other users must not have write access to these files:
shell> ls -l /usr/bin/my*
Tip 7: Lower Database Privileges
Some user IDs are used only to access the data, such as the ID assigned to the web server to execute select/update/insert/delete queries and stored procedures. In most cases no other users are necessary; however, only you, as the system administrator, really know your application's needs. Only administrator accounts need the SUPER, PROCESS and FILE privileges and access to the mysql database. Usually it is a good idea to lower even the administrator's permissions for accessing the data. Review the privileges of the remaining users and ensure that they are set appropriately. This can be done using the following steps:
mysql> use mysql;
mysql> select user, host from user; [Identify users]
mysql> show grants for 'root'@'localhost'; [List the grants of one user]
To disable the "SHOW DATABASES" command for everyone except accounts holding the SHOW DATABASES privilege, add the following parameter to the [mysqld] section of /etc/mysql/my.cnf:
[mysqld]
skip-show-database
Tip 8: Enable Logging
To log every client statement (the general query log), add the following line to the [mysqld] section of the /etc/mysql/my.cnf file:
[mysqld]
log=/var/log/mysql-logfile
The log option is deprecated from MySQL 5.1.29 and removed in 5.6; on those versions use general_log=1 together with general_log_file=/var/log/mysql-logfile instead. As Tip 10 points out, this log records statements verbatim, passwords included, so restrict access to the log file.
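As an added example (not part of the original post), the following POSIX shell script audits the [mysqld] section of a my.cnf for the settings recommended in Tips 1, 2, 7 and 8. The sample configuration it checks is constructed inline, and the "MISSING:" lines and the exit status are this example's own reporting convention, not a MySQL feature.

```shell
#!/bin/sh
# Added example, not from the original post: audit the [mysqld] section of a
# my.cnf against the settings from Tips 1, 2, 7 and 8. Prints one "MISSING:"
# line per absent hardening setting and returns that count as exit status.

# Print the normalised key=value lines of the [mysqld] section only;
# settings in other sections such as [client] are deliberately ignored.
mysqld_section() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        insec && !/^[ \t]*(#|;|$)/ { gsub(/[ \t]/, ""); print }
    ' "$1"
}

# True when the [mysqld] section has a line matching extended regex $2.
has_setting() {
    mysqld_section "$1" | grep -Eq "$2"
}

audit_mycnf() {
    cnf=$1; missing=0
    # Tip 1: no network socket at all, or bound to the loopback address only.
    has_setting "$cnf" '^skip[-_]networking$' ||
        has_setting "$cnf" '^bind[-_]address=127\.0\.0\.1$' ||
        { echo "MISSING: skip-networking or bind-address=127.0.0.1 (Tip 1)"; missing=$((missing+1)); }
    # Tip 2: LOAD DATA LOCAL INFILE disabled on the server side.
    has_setting "$cnf" '^local[-_]infile=(0|OFF)$' ||
        { echo "MISSING: local-infile=0 (Tip 2)"; missing=$((missing+1)); }
    # Tip 7: SHOW DATABASES limited to accounts holding that privilege.
    has_setting "$cnf" '^skip[-_]show[-_]database$' ||
        { echo "MISSING: skip-show-database (Tip 7)"; missing=$((missing+1)); }
    # Tip 8: general query log on, in the old "log=" or newer "general_log=1" form.
    has_setting "$cnf" '^(log=.+|general[-_]log=(1|ON))$' ||
        { echo "MISSING: log / general_log (Tip 8)"; missing=$((missing+1)); }
    return "$missing"
}

# Constructed sample config: networking is restricted, but the other three
# settings are absent, and the local-infile=0 under [client] must not count.
SAMPLE_CNF=$(mktemp)
cat > "$SAMPLE_CNF" <<'EOF'
[client]
local-infile=0
[mysqld]
# listen on loopback only
bind-address = 127.0.0.1
datadir=/var/lib/mysql
EOF
audit_mycnf "$SAMPLE_CNF" || echo "$? hardening setting(s) missing"
```

Run it against /etc/mysql/my.cnf (or whichever file your server reads) to get a quick checklist of which of these four settings are still absent.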
Tip 9: Chroot MySQL
Soon I'll post how to jail MySQL in Ubuntu.
Tip 10: Security Features in MySQL
- Cryptographic functions: AES_ENCRYPT(), AES_DECRYPT(), DES_ENCRYPT(), DES_DECRYPT(), ...
- Encrypting inside MySQL is not safe, because the secrets passed to these functions are logged by MySQL in clear text: process list, InnoDB status, general log, error log, binary log, slow log.
- Avoid doing encryption in MySQL.
Tip 11: Connection Encryption
- By default everything flows over the network in clear text.
- Needs certificates
- free self-signed ones are usually good too!
- Enabled with these server options: ssl-ca, ssl-cert, ssl-key
- Clients have to ask for encryption!
- User access restrictions based on SSL
Examples:
- GRANT … TO 'sso'@'10.0.5.%' … REQUIRE SSL
- GRANT … TO 'sso'@'10.0.5.%' … REQUIRE X509
- GRANT … TO 'sso'@'10.0.5.%' … REQUIRE [ISSUER|SUBJECT] '/C=PL/L=Krakow/O=PSCE/CN=Single Sign-On Service'
Tip 12: Remove History
The MySQL client stores every statement you type, passwords included, in a plain text file. To remove that history, run:
cat /dev/null > ~/.mysql_history
To prevent the history from being written at all, set the environment variable MYSQL_HISTFILE=/dev/null before starting the client.