2014 OpenSuse Conf: Protect your MySQL Server

Dos and Don'ts of secure MySQL deployment


  1. Protect Your Server: Dos and Don'ts of secure MySQL Deployment.
  2. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  3. Agenda
     - The post-install situation
     - How to harden it?
     - More security
     - Security related changes in MySQL 5.7
  4. About Me
     - Former banking IT Manager
     - Veteran software developer
     - Leading the MySQL Server General development team
     - Been with MySQL since 2006
     - Regular MySQL conference speaker
  5. The Post-Install Situation: MySQL Server security in OpenSuse 13.1
  6. The Good News
  7. The Good News: MySQL 5.6.12
     - Only 5 MRUs away from dev.mysql.com/downloads!
       - New authentication method sha256_password
       - Manual password expiration: ALTER USER EXPIRE
       - Password strength verification plugin and API
       - Login paths
       - Support SSL CRLs and key files with pass phrases
       - Use SSL library's random generator
       - Obfuscate passwords in logs
  8. The Good News: Installation Layout
     - MySQL server service not on by default
     - Separate mysql-community-server-test rpm
     - Separate mysql-community-server-tools rpm
     - No pre-packaged database
     - No remote access by default
  9. The Not So Good News
  10. The Not So Good News: MySQL 5.6.12
     - 3 CPUs (Critical Patch Updates) and 24 CVE-reported security bugs away from 5.6.15 (last CVE)
     - More than 500 other bugs away from 5.6.18 (current)
     - Lacks the advanced AES function modes
  11. The Not So Good News: Installation layout
     - mysql_secure_installation not run
       - Anybody can connect as root
       - Anonymous access to the server allowed
       - No password strength checks
       - Empty passwords for the default accounts
       - Anybody gets full access to the test database
     - mysql_config_editor not in mysql-community-server-client
  12. The Not So Good News: Installation layout, continued
     - Federated plugin installed by default
     - Archive plugin actually not needed (error on startup)
     - Some testing-only authentication plugins installed by mysql-community-server
     - No SSL certificates, not even self-signed ones
     - secure_file_priv set to NULL: grants SQL read and write access to the full OS file system
  13. The Not So Good News: Installation layout, the sequel
     - sha256_password plugin under-configured: no RSA keys
     - No query logging: neither audit nor query log
     - mysqld listens on all network interfaces
  14. Random (Not So) Funny Story: Recognize the pattern? New Code
  15. WHAT YOU GET IS A DEVELOPMENT INSTALLATION!
  16. How to Harden Your MySQL installation?
  17. Hardening your MySQL installation: Post Server Installation
     - Run mysql_secure_installation! Now!
     - Review and restrict the network interfaces that the server listens on
     - Generate SSL keys and make sure the server can "talk" SSL
     - Enable query logging. Create a log backup policy.
     - Remove extra user accounts and privileges
     - Remove unneeded files and packages
     - Schedule regular backups!
  18. Hardening your MySQL installation: Post Application(s) Installation
     - Remove extra user accounts. Restrict the remaining ones
     - Review and maximally restrict the grants
     - Make sure the user accounts authenticate using a reliable method
     - Clean up extra temp files
     - Make sure backups are still on and cover the new objects
     - Remove unneeded files and packages
     - Audit the server configuration for changes. Revert the bogus ones
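The post-install problems of slide 11 and the account clean-up of slides 17 and 18, as an added SQL example that is not part of the deck: it audits a fresh MySQL 5.6 server for exactly the conditions listed there and then applies the same fixes mysql_secure_installation would. It assumes a 5.6 grant-table layout (password plus authentication_string columns); the root password is a placeholder.

```sql
-- Added example: audit the post-install account state of a MySQL 5.6 server,
-- then apply the same fixes mysql_secure_installation would. Run as root.

-- 1. Anonymous accounts (user = '') let anybody connect without credentials.
SELECT user, host FROM mysql.user WHERE user = '';

-- 2. Accounts with an empty password in either credential column.
--    5.6 keeps native hashes in `password` and plugin hashes in
--    `authentication_string`, so both must be checked.
SELECT user, host, plugin FROM mysql.user
WHERE password = '' AND authentication_string = '';

-- 3. root accounts reachable from anywhere but the local machine.
SELECT user, host FROM mysql.user
WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 4. Blanket grants on the test database(s): the default rows give every
--    account full access to `test` and to any database named test_*.
SELECT host, db, user FROM mysql.db WHERE db = 'test' OR db = 'test\\_%';

-- 5. Accounts holding FILE or SUPER. With secure_file_priv unset (slide 12),
--    FILE alone allows LOAD DATA / SELECT ... INTO OUTFILE against every path
--    the mysqld OS user can reach, so each holder needs a justification.
SELECT user, host, file_priv, super_priv FROM mysql.user
WHERE file_priv = 'Y' OR super_priv = 'Y';

-- Remediation (what mysql_secure_installation does, written out explicitly).
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<choose-a-strong-password>');  -- placeholder
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user
WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
DELETE FROM mysql.db WHERE db = 'test' OR db = 'test\\_%';
DROP DATABASE IF EXISTS test;
FLUSH PRIVILEGES;

-- Re-run checks 1 to 4: each should now return an empty set.
```

Check 5 is deliberately left as a report rather than a DELETE, since which accounts legitimately need FILE or SUPER depends on the deployment.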
  19. Hardening your MySQL installation: Daily MySQL Use
     - Keep your installation up to date
     - Monitor your server logs. Set alerts for "unusual" patterns.
     - Monitor security related stats. Set alerts for "unusual" patterns.
     - Monitor the server configuration.
     - Monitor and verify the backups and their integrity
     - Regularly probe your "defenses" by trying bad things on purpose
     - Perform regular emergency drills
     - Set procedures on maintaining your user account base
  20. More Security
  21. Harden your MySQL Server Instance: Additional steps
     - Consider turning off TCP/IP if your setup allows it
     - Use and enforce SSL if you need TCP/IP
       - Even self-signed will do. Part of a PKI is better
     - Use SSL certificate requirements for users
       - GRANT ... TO ... REQUIRE [CIPHER | ISSUER | SUBJECT] ...
     - Be careful with your directories
       - tmpdir, datadir, secure-file-priv, plugin-dir
  22. Harden your MySQL Server Instance: Even more steps
     - Monitor and keep the logs
       - Consider using an auditing plugin
       - Put extra protection on sensitive tables: custom logging triggers etc.
     - Consider using external authentication
       - PAM, LDAP, Windows domain
     - Harden your password policy
       - MySQL has a plugin for that!
     - Use login paths for your scripts
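Slides 21 and 22 combined, as an added SQL example that is not from the deck: an application account on MySQL 5.6 that must present a certificate from the site CA (GRANT ... REQUIRE), authenticates with sha256_password, gets its password expired as on slide 7, and is subject to the validate_password plugin mentioned on slide 22. The host pattern, schema name, certificate DNs, cipher and the Unix plugin file name validate_password.so are constructed assumptions.

```sql
-- Added example: hardened application account on MySQL 5.6.
-- Names, DNs, cipher and the placeholder password are constructed.

-- Enforce a password policy before any account is created
-- (persist the same settings in my.cnf so they survive a restart).
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = 'STRONG';
SET GLOBAL validate_password_length = 14;

-- sha256_password stores its hash in authentication_string. In 5.6 the
-- password is set in a second step, with old_passwords = 2 selecting
-- SHA-256 hashing for PASSWORD().
CREATE USER 'app'@'10.0.0.%' IDENTIFIED WITH sha256_password;
SET old_passwords = 2;
SET PASSWORD FOR 'app'@'10.0.0.%' = PASSWORD('<strong-password-placeholder>');

-- Least privilege on the application schema, plus the SSL requirements from
-- slide 21: the client must present a certificate with this subject, issued
-- by this CA, and negotiate this cipher. A correct password alone is refused.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.0.%'
  REQUIRE SUBJECT '/C=DE/ST=Berlin/O=Example Corp/CN=app-client'
      AND ISSUER  '/C=DE/ST=Berlin/O=Example Corp/CN=Example Corp CA'
      AND CIPHER  'DHE-RSA-AES256-SHA';

-- Force a password change at first login (manual expiration, slide 7).
ALTER USER 'app'@'10.0.0.%' PASSWORD EXPIRE;

-- Verification: ssl_type should read SPECIFIED, plugin sha256_password,
-- password_expired Y, and the grants should list the REQUIRE clause.
SELECT user, host, plugin, ssl_type, password_expired
FROM mysql.user WHERE user = 'app';
SHOW GRANTS FOR 'app'@'10.0.0.%';
```

The client then has to connect with --ssl-ca, --ssl-cert and --ssl-key pointing at the matching certificate; a plain password-only connection to this account is rejected with an access-denied error.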
  23. Harden your MySQL Server Instance: Useful parameters to set
     Parameter                Recommended value
     secure_file_priv         Designated directory
     symbolic_links           Boolean NO
     default-storage-engine   InnoDB
     general-log              Boolean ON
     log-raw                  Default: OFF
     skip-networking          ON, if you can afford it
     ssl options              Set to valid values
  24. Harden your MySQL Server Instance: Useful parameters to set (continued)
     Parameter                Recommended value
     plugin-dir               Designated read-only directory
     chroot                   Designated directory, if you can afford it
     core-file                OFF
     des-key-file             File with DES keys
     read_only                ON for slaves!
     sha256_password RSA key  RSA public/private keys, if you can't use SSL
     tmpdir                   Designated directory outside secure-file-priv
  25. New Security Features in MySQL 5.7 DMRs
  26. Security Features in 5.7 DMRs (5.7.1: 23 April 2013)
     - Audit log plugin works with Audit Vault
     - Login paths and mysql_config_editor
     - --syslog option to mysql
     - Mark mysql_old_password (pre-4.1 password format) as deprecated
  27. Security Features in 5.7 DMRs (5.7.2: 21 Sep 2013)
     - Require explicit authentication plugin for all user accounts
     - Rewrite mysql_secure_installation in C and harden it
       - Enables password strength validation
       - Generates random password for root and marks it as expired
       - Restricts the root user so it can log in only from localhost
     - Deprecate ENCODE()/DECODE()
     - --error-log-verbosity control
     - Client side protocol tracing plugins in libmysql
  28. Security Features in 5.7 DMRs (5.7.3: 3 Dec 2013)
     - Redefine the meaning of the --ssl option
       - --ssl on the client enforces SSL now
       - Other --ssl options enable SSL, but do not enforce it
     - Proper connection state reset: mysql_reset_connection()
  29. Security Features in 5.7 DMRs (5.7.4: 31 Mar 2014)
     - RPM packages secure by default
       - The effect of mysql_secure_installation by default
       - Separate packages for non-essential tools and utilities
     - Automatic timed password expiration
       - Per site and per user
     - AES_ENCRYPT()/AES_DECRYPT() now support block modes and larger key sizes
     - Strong crypto random SQL function added: RANDOM_BYTES()
  30. Questions? Suggestions?