MySQL Security
Washington DC, USA
November 8th, 2007
MySQL security is critical to ensure data security. Destruction, falsification or simply unwanted publication are the most serious threat that wait in the dark the first faux-pas of any administrator. During this session, we'll review the common vulnerabilities, the intrusion techniques, MySQL security features, and configurations.

Published in: Business, Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,292
On SlideShare
0
From Embeds
0
Number of Embeds
50
Actions
Shares
0
Downloads
262
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

MySQL server security

  1. MySQL Security
     Washington DC, USA
     November 8th, 2007
  2. Agenda
     Why is security important?
     Privileges management
     Configuration directives
     MySQL security on the Web
     Next challenge for security
  3. Who is speaking?
     Damien Séguy
     LAMP expert services at NexenServices.com
     'Sécurité PHP 5 et MySQL' with Philippe Gamache at Eyrolles
     http://www.nexen.net/
  4. Common fears
     Root overtake
     Data erasing
     Denial of service
     Data modification
     Data publication
     Plain shame....
  5. Default privileges
     Root account, no password
       Always ADD A password
       Renaming root to 'chef'?
     Users and test databases
       Users without password
       Users without IP restrictions
       Anonymous users
  6. User table sanity checks
     Anonymous users
       SELECT count(*) FROM mysql.user WHERE user='';
     Avoid % in addresses
       SELECT count(*) FROM mysql.user WHERE host LIKE '%\%%';
       (\% matches a literal %; an unescaped '%%%' pattern would match every host)
     Always have a password
       SELECT count(*) FROM mysql.user WHERE password='';
  7. The FILE privilege
     Export data to file
     Import data from file
     Import data from the client
  8. The GRANT privilege
     Share your privileges
     Privilege escalation
       Complement by exchanging rights with other users
  9. Configuration directives
     --skip-grant-tables
     --old-password
     --secure-auth
     --skip-show-databases
  10. Configuration directives (2)
     --port=3306
     --skip-networking
     --bind-address
     --skip-name-resolve
     --skip-symbolic-links
  11. Configuration directives (3)
     --local-infile=0
     --secure-file-priv
     --chroot
     --open-files-limit
     --safe-user-create
     --allow-suspicious-udfs
  12. Client configuration directives
     --secure-auth
     --safe-updates, also called --i-am-a-dummy
       --select_limit=1000
       --max_join_size
  13. Resource consuming
     In the User table
       Max_connections
       Max_user_connections
       Max_questions
       Max_updates

       +-----------------------+------+
       | Field                 | Null |
       +-----------------------+------+
       | max_questions         | NO   |
       | max_updates           | NO   |
       | max_connections       | NO   |
       | max_user_connections  | NO   |
       +-----------------------+------+

     Inactive by default
     Valid for an hour
  14. SQL injections
     Dynamic build of the SQL query
       $requete = "SELECT COUNT(*) FROM users
                   WHERE login='".$_GET['login']."'
                   AND motdepasse='".$_GET['password']."' ";
     Mixing data and instructions
     It is always possible to escape this quoting and make the query do other things
  15. Injection patterns
     WHERE clause removal
       WHERE login = '' or 1 or ''
     Subqueries
       WHERE id=(SELECT BENCHMARK(md5(1),1000));
     UNION
       WHERE id=1 UNION SELECT * FROM table;
     Multiple insertions
       VALUES ('login'),('admin');
  16. MySQL special chars
     ' and " : string delimiters
     () : sub queries
     % and _ : wildcards with LIKE
     REGEXP
     ; \g \G : end of command
     --, # and /* ... */ : comments
  17. Protecting against injections
     Protecting special characters with PHP: use mysqli_real_escape_string() AND delimiters
       $sql = "SELECT * FROM table WHERE id = '"
              .mysqli_real_escape_string($mid, $_GET['id'])
              ."'";
     The case of integers: force the type before building the query
  18. Protections
     Prepared queries
       Prepare the command execution
       Bind variables
       Execute the command
  19. /* Preparing command execution */
     $query = "INSERT INTO cities (Name, Country, Region)
               VALUES (?,?,?)";
     $stmt = $mysqli->prepare($query);
     $val1 = 'Washington'; $val2 = 'USA'; $val3 = 'DC';
     $stmt->bind_param("sss", $val1, $val2, $val3);
     /* Command execution */
     $stmt->execute();
     $val1 = 'Montréal'; $val2 = 'CAN'; $val3 = 'Québec';
     /* Command execution */
     $stmt->execute();
     /* Free resources */
     $stmt->close();
  20. Other protections
     Stored procedures
       $sql = "CALL my_proc('".$_GET['id']."')";
     MySQL variables
       Easier to read and secure
       $sql = "SET @id := '".$_GET['id']."'";
       mysqli_query($mid, $sql);
       $sql = "SELECT * FROM table WHERE id = @id";
       mysqli_query($mid, $sql);
     Injections are still possible!!, just limited
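The point of slides 17 and 20, that escaping only helps inside quote delimiters and that an unquoted integer must be type-forced first, worked through as an added example (not from the deck). mysql_escape() mirrors the characters mysqli_real_escape_string() backslash-escapes (charset handling left out); the table name "t" and the sample inputs are constructed for the demonstration.

```python
# Added example: escaping vs. delimiters vs. type forcing for a user-supplied id.
# Assumes nothing about a real server; it only builds the SQL strings so the
# effect of each technique on the final query text can be inspected.

# Characters mysqli_real_escape_string() backslash-escapes inside a quoted
# literal (simplified: the real function is connection-charset aware).
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
    "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Escape the characters MySQL treats specially in a quoted string literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def quoted_query(user_id: str) -> str:
    """Slide 17 pattern: escape AND surround the value with quote delimiters.
    A quote in the input is escaped, so the value cannot end the literal."""
    return "SELECT * FROM t WHERE id = '" + mysql_escape(user_id) + "'"


def unquoted_query(user_id: str) -> str:
    """Escaping without delimiters: there is no quote to break out of, so an
    input with no special characters is spliced into the SQL grammar unchanged."""
    return "SELECT * FROM t WHERE id = " + mysql_escape(user_id)


def typed_query(user_id: str):
    """Force the type before building the query: anything int() rejects never
    reaches the SQL string. Returns None instead of a query for bad input."""
    try:
        return "SELECT * FROM t WHERE id = %d" % int(user_id)
    except ValueError:
        return None


def build_queries(user_id: str) -> dict:
    """Build the same lookup three ways so the results can be compared."""
    return {
        "quoted": quoted_query(user_id),
        "unquoted": unquoted_query(user_id),
        "typed": typed_query(user_id),
    }


if __name__ == "__main__":
    for sample in ("42", "1 OR 1", "1' OR '1'='1"):   # constructed inputs
        for kind, sql in build_queries(sample).items():
            print(f"{sample!r:16} {kind:9} {sql}")
```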
  21. Hidden entrances
     MySQL logs (binary, slow, general)
     SHOW PROCESSLIST
     SHOW CREATE TABLE
     Data folder
     Backup systems (media, files)
     Replication slaves
     Clients (history, network comm...)
  22. Be prepared
     Delete unused data
     Encrypt data
       Passwords, writeable but not readable
     Poison your data
     Audit critical data
     Back up
  23. Database security standards?
     Sarbanes-Oxley, SOX
     Health Insurance Portability and Accountability Act (HIPAA)
     Payment Card Industry
     Gramm-Leach-Bliley Act
     SB 1386
     Basel II
  24. Common vulnerabilities
     1) Insufficient security tests
     2) Mediocre configuration
     3) No encryption of critical data
     4) No update process
     5) Security is called when a disaster strikes
     6) No monitoring
     7) Insufficient control over third-party access
  25. PCI standard
     1. Install and maintain a firewall configuration to protect cardholder data
     2. Do not use vendor-supplied defaults for system passwords and other security parameters
     3. Protect stored cardholder data
     4. Encrypt transmission of cardholder data across open, public networks
     5. Use and regularly update anti-virus software
     6. Develop and maintain secure systems and applications
     7. Restrict access to cardholder data by business need-to-know
     8. Assign a unique ID to each person with computer access
     9. Restrict physical access to cardholder data
     10. Track and monitor all access to network resources and cardholder data
     11. Regularly test security systems and processes
     12. Maintain a policy that addresses information security
  26. Thanks
     http://www.nexen.net/
     conferences.php
     damien.seguy@nexen.net