Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing the stack With a prime focus on securing your database Colin Charles, Community Relations Manager, MySQL AB |

Published byHector Thompson Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing the stack With a prime focus on securing your database Colin Charles, Community Relations Manager, MySQL AB |"— Presentation transcript:

1 Securing the stack With a prime focus on securing your database Colin Charles, Community Relations Manager, MySQL AB colin@mysql.comcolin@mysql.com | http://bytebot.net/blog/http://bytebot.net/blog/

2 2 Who am I? Community Relations Manager, MySQL Distribution Ombudsman Community Engineering Summer of Code Forge Dude Generalised Dolphin Wrangler Previously: Fedora Project FESCO and PowerPC hacker OpenOffice.org contributor

3 3 General thoughts on security Physical security Can I access the console? Software security Accept that you will get broken into

4 4 Security 101 Prevent access nologin, scponly, etc. Patch software, always Use sensible operating systems SELinux can be your friend Jails, virtual machines and separation of services A firewall is definitely your friend Do you read your log files daily?

5 5 Security through obscurity? Disabling logins on Wordpress, MediaWiki SSH Automated attack scripts, everywhere Run SSH on a different port PermitRootLogin no Ubuntu goes as far as disabling the root user – everything done via sudo Ensure only those in a certain group (wheel, maybe) can sudo

6 6 What is a database? Collection of records in a structured form A DBMS usually means: Storage Retrieval Processing Security? Integrity of data? Remember: information received from one record, can damage information in another

7 7 Information received in one record, damaging another http://xkcd.com/327/

8 8 SQL injection User input incorrectly filtered for string literal escape characters embedded in SQL statement User input not strongly typed, unexpectedly executed $sql = “SELECT * FROM users WHERE id = ” +number+ “;” Input: 256;DROP TABLE users; Parsed as: SELECT * FROM users WHERE id=256;DROP TABLE users;

9 9 Never trust your user-entered data If using PHP/MySQL, your best bet is to use: mysql_real_escape_string() http://dev.mysql.com/doc/refman/5.0/en/mysql-real-escape-string.html ext/mysqli supports prepared statements, improved authentication protocol (5.0 and greater) Java: PreparedStatement, Ruby: quote() Protecting string data is a common thought, but remember that numeric data values need to be checked for sanity too!

10 10 Mastering the GRANT system Your MySQL server does have a password, right? mysql -uroot ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO) SHOW GRANTS; GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '5ds432bf13g3k274' WITH GRANT OPTION

11 11 Securing MySQL further REVOKE privileges as necessary Limit SHOW DATABASES access Plain-text passwords (default in Debian/Ubuntu = bad) are silly Use MD5() or SHA1() MySQL runs on port 3306 telnet hostname 3306 Ensure that port 3306 is not accessible remotely (hello firewall!)

12 12 Remember, not trusting user input? SQL injection, cross-site scripting, it happens to the best of us Script the following: Enter ', “ to all input in web forms. Errors? Fix it %22 (“), %23 (#), %27 (') in dynamic URLs Characters, spaces, special symbols in fields Application should connect to database using a special, unprivileged (restricted) account

13 13 Delving into securing MySQL FILE privileges shouldn't be given SELECT... INTO OUTFILE – for security, it doesn't overwrite an existing file LOAD DATA – can load say, /etc/passwd, and be accessed via SELECT (bad) max_user_connections – set it sensibly (you'll need more open connections for scalability, but too many and you get a denial- of-service)

14 14 Some more general thoughts DNS – do not trust it. When GRANTing access, and so on, use 'user'@'ip.address' SSL support is built-in, use it Transmitting plain-text? Check tcpdump -i -l -w src or dst port 3306

15 15 So? You've secured MySQL You've secured Linux Firewall, SELinux, apply patches, sensible OS What do we save for another talk? Apache? What about PHP? (focus on the application) What about other languages?

16 16 Recent war stories Wordpress MU (WPMU) was allowing attackers to change blog content, via the XMLRPC interface Immediately do a database dump Remove XMLRPC support... find, and fix the bug This happened on http://blogs.mysql.com/http://blogs.mysql.com/

17 17 Recent war stories II MySQL Forge Cookies, stolen via JavaScript, could potentially allow an attacker to view MySQL Intranet content! Solution? Searching code must not be susceptible to cracking via JavaScript Cookie separation is important

18 18 So, I've been broken into. Now what? Take a snapshot (hello dd) You do, backup regularly, right? Reinstall, cleanly, restore Why reinstall? Rootkits stay sometime Run forensics through the snapshot Good chance log files disappeared, but they might still be on disk... (image)

19 19 In conclusion Security is about being proactive Security, is largely, also very reactive XSS has been around since 2000, yet modern code 8 years later still has this problem Kernel updates, SELinux, etc. help in most cases, but under 2 weeks ago, we had an interesting root-kit that worked, against all odds

20 20 Getting involved Is security your cup of tea? HeX-LiveCD http://groups.google.com/group/HeX-liveCD OLPC Bitfrost http://wiki.laptop.org/go/Bitfrost Write, contributed, automated tools to scan websites for vulnerabilities

21 21 Resources http://httpd.apache.org/info/css-security/ http://dev.mysql.com/doc/refman/5.0/en/faqs-security.html http://dev.mysql.com/doc/refman/5.0/en/privilege-system.html http://dev.mysql.com/doc/refman/5.0/en/mysql-real-escape- string.html Plenty of books Get an O'Reilly Safari subscription Visit your favourite bookstore (MPH MidValley, Kinokuniya KLCC, Borders all have reading lounges)

22 22 Thanks! Questions? E-mail me: colin@mysql.com Catch me on IRC, at irc.freenode.net, #mysql-dev / #myoss: ccharles

Download ppt "Securing the stack With a prime focus on securing your database Colin Charles, Community Relations Manager, MySQL AB |"

Similar presentations

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
Understand Database Security Concepts

Understand Database Security Concepts
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
Growing with MySQL in Malaysia A Presentation for MAMPU/OSCC September 28, 2007 Colin Charles, Community Relations Manager, APAC

Growing with MySQL in Malaysia A Presentation for MAMPU/OSCC September 28, 2007 Colin Charles, Community Relations Manager, APAC
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Voyager Server Security and Monitoring Best practices and tools.

Voyager Server Security and Monitoring Best practices and tools.
Securing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Securing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Similar presentations

Ads by Google