The document outlines an agenda for a presentation on best practices for MySQL security. The agenda includes topics such as security on the operating system level, application security, initial server setup, SSL, access control lists, passwords, connection control, transparent data encryption, the audit plugin, and firewalls/proxies. A brief biography of the presenter is also provided.

1. © 2017 Percona1
Marcelo Altmann
MySQL: Melhores Práticas de Segurança
Senior Support Engineer
Dia da Liberdade do Software - Novo Hamburgo - RS
16/09/2017

2. © 2017 Percona2
Agenda

3. © 2017 Percona3
Agenda
▪ Intro
▪ Segurança no SO
▪ Segurança na aplicação
▪ Setup Inicial
▪ SSL
▪ ACL
▪ Passwords
▪ Connection Control
▪ TDE
▪Audit Plugin
▪Proxy / Firewall

4. © 2017 Percona4
Sobre Mim

5. © 2017 Percona5
Marcelo Altmann
▪Engenheiro de Suporte Senior @ percona
• MySQL DBA @ IEDR (CCTLD Irlanda)
▪Oracle ACE Associate
▪Certificaçoes
•Oracle Certified Professional, MySQL 5.6 Database Administrator
•Oracle Certified Professional, MySQL 5.6 Developer
•Oracle Certified Professional, MySQL 5 Database Administrator
•Oracle Certified Professional, MySQL 5 Developer
•Oracle Certified Associate, MySQL 5.0/5.1/5.5
▪blog.marceloaltmann.com

6. © 2017 Percona6
Intro

7. © 2017 Percona7
Intro
▪ Se eles querem os teus dados, eles vão ter. Tudo é uma questão de tempo,
recursos, dinheiro e empenho
▪ ELES - Hackers, Competidores, Ex-funcinários, NSA.
▪ Segurança tem um preço
•Dinheiro
•Performance
•Usabilidade

8. © 2017 Percona8
Intro - principios básicos
▪ Bloqueio por padrão
▪ Mínimo acesso possível
▪ Minimizar possibilidades
▪ Isolar
▪ Auditar

9. © 2017 Percona9
Segurança no SO

10. © 2017 Percona10
Segurança no SO
▪ Desinstalar serviços não utilizados
▪ Não rode compiladores
▪ Firewall - De preferencia externo
▪Desligar outbound para internet
▪Mater o sistema sempre atualizado
▪Adicionar KEY no SSH
▪Não habilitar root logar remoto

11. © 2017 Percona11
Segurança no SO
▪SELinux
•grep mysqld /var/log/audit/audit.log | grep denied
▪yum install policycoreutils-python
•grep mysqld /var/log/audit/audit.log | audit2allow
•grep mysqld /var/log/audit/audit.log | audit2why

12. © 2017 Percona12
Segurança no SO
▪Alterar datadir
•chcon -R -t mysqld_db_t /mysql/
•semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"
•restorecon -Rv /mysql/
▪Alterar porta
•semanage port -a -t mysqld_port_t -p tcp 3307

13. © 2017 Percona13
Segurança na aplicação

14. © 2017 Percona14
Segurança na aplicação
▪Validar todos inputs
▪Não estorne informações (recuperar senha / login)
▪Não conecte como root.
▪Cada app deve ter seu usuário
▪Criptografe informações sensitivas
•AES_ENCRYPT() e AES_DECRYPT()
•SHA1() e MD5()

15. © 2017 Percona15
Segurança na aplicação
▪SQL Injection
•$query = “SELECT * FROM users WHERE name = ‘“ . $name .”’”
•$name = marcelo’ OR ‘a’=’a
•SELECT * FROM users WHERE name = ‘marcelo’ OR ‘a’=’a’;
▪Prepared Statements
•$stm = $db->prepare(“SELECT * FROM users WHERE name = ?”)
•$stm->bind_param(“s”, $name)
•$stm->execute()

16. © 2017 Percona16
Setup inicial

17. © 2017 Percona17
Setup inicial
▪Conta anônima e test database
▪Conectar sem usuário/senha
▪Todos os privilégios no banco test

18. © 2017 Percona18
Setup inicial
mysql> CREATE TABLE tb1 ( ID INT AUTO_INCREMENT PRIMARY KEY,
a bigint);
Query OK, 0 rows affected (0.05 sec)
mysql> INSERT INTO tb1 VALUES (NULL, RAND(99999));
mysql> INSERT INTO tb1 SELECT NULL, RAND(99999) FROM tb1;
mysql> INSERT INTO tb1 SELECT NULL, RAND(99999) FROM tb1;
mysql> INSERT INTO tb1 SELECT NULL, RAND(99999) FROM tb1;
mysql> INSERT INTO tb1 SELECT NULL, RAND(99999) FROM tb1;
mysql> INSERT INTO tb1 SELECT NULL, RAND(99999) FROM tb1;

19. © 2017 Percona19
Setup inicial
▪Conta anônima / uso de memória
mysql> use information_schema;
mysql> SELECT * FROM COLLATIONS a, COLLATIONS b, COLLATIONS
c, COLLATIONS d, COLLATIONS e, COLLATIONS f, COLLATIONS g;
Killed
> dmesg
[ 7392.378967] Out of memory: Kill process 30278 (mysql) score 702 or
sacrifice child
[ 7392.380223] Killed process 30278 (mysql) total-vm:1662332kB, anon-
rss:424576kB, file-rss:0kB, shmem-rss:0kB

20. © 2017 Percona20
Setup inicial
▪mysql_secure_installation
•DROP DATABASE test;
•DROP USER ''@'localhost';
•DROP USER ''@'HOSTNAME';
• SET PASSWORD FOR root@IP

21. © 2017 Percona21
SSL

22. © 2017 Percona22
SSL
▪Por padrão informações trafegam abertas
▪SSL criptografa os dados trafegados
▪Padrão 5.7
▪Gerar certificados
•5.7 - mysql_ssl_rsa_setup
•5.6 - openssl - https://goo.gl/5T7zqF

23. © 2017 Percona23
SSL
▪Instalação
[mysqld]
ssl-ca=ca.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem
▪Conectar
mysql --ssl-ca=ca.pem
--ssl-cert=client-cert.pem
--ssl-key=client-key.pem

24. © 2017 Percona24
SSL
▪Forcar usuário a usar SSL
CREATE USER 'marcelo'@'localhost' REQUIRE SSL;
▪Forçar todos os usuários a usarem uma conexão segura
•Socket / namedpipe
•SSL
[mysqld]
require_secure_transport

25. © 2017 Percona25
ACL

26. © 2017 Percona26
ACL
▪GRANT [privilégio] ON [banco].[tabela] TO [usuario]@[host]
•GRANT SELECT(campo) ON [banco].[tabela] TO [usuario]@[host]
▪Não adicione GRANT ALL ON *.*
▪Nao adicione % como host
▪Limite os usuários com WITH GRANT OPTION
▪Cuidado com SUPER e PROCESS
•SUPER - max_allowed_connections + 1
•PROCESS - SHOW PROCESSLIST

27. © 2017 Percona27
Passwords

28. © 2017 Percona28
Password
▪Crie passwords fortes
•Letras Maiusculas e Minusculas
•Mínimo de 8 characters
•Possuir dígitos
•Possuir acentos
• Não utilize “dictionary” passwords

29. © 2017 Percona29
Password
▪Password Validation Plugin 5.6+
[mysqld]
plugin-load-add=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
▪validate_password_length (Default 8)
▪validate_password_mixed_case_count (Default 1)
▪validate_password_number_count (Default 1)
▪validate_password_special_char_count (Default 1)
▪validate_password_dictionary_file
▪validate_password_policy (Default 1)

30. © 2017 Percona30
Password
▪Mysql_native_password
▪Hash de 41 characters
▪Mesmo hash todos mysql
▪Pode ser hackeado via Rainbow table
▪Hash é enviado aberto pela rede

31. © 2017 Percona31
Password
▪Sha256_password (built-in 5.6+)
▪Hash é calculado com um salt
▪Mesmo password gera um hash diferente toda vez
▪Password é enviado ou por SSL ou criptografado(RSA)

32. © 2017 Percona32
Password
▪Configurar
cd /var/lib/mysql
openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem
-pubout -out public_key.pem
chmod 400 private_key.pem;
chmod 444 public_key.pem

33. © 2017 Percona33
Password
▪Reiniciar MySQL
SHOW STATUS LIKE 'Rsa_public_key'G
*************************** 1. row ***************************
Variable_name: Rsa_public_key
Value: -----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt3ioXKWcNMUfBmHrc4JC
WxXBhi/c+UXXRlV5lZcq2rr2fDIRPNhJy/ctOKvVSW99MF2Y92TUlxNN8WK9J96P
X1UjGM3zRuqpd9DH70yYIzte50HHQQ0KYSRdNIiGxXIT4t80bqC3dIZdlRfEiUk5
swJcREzIy96W5ewmhiaOnIh/WPAKKS+a9GgPj+Gb0BDRewLaROiRaZkq1d7yGbJ3
xxUvGHSDChOjF1a5ZOX+4ATBfhhJ8VBrCHG6aXZLuTTk46XAbylB9XDOG4+kKTcT
jbUUY41XcXonKAMthhJWoZU406Tahnntof6AO/ZF5BQXv34pv7eBNSLy50cF7cTw
VQIDAQAB
-----END PUBLIC KEY-----

34. © 2017 Percona34
Password
▪Criar usuario
CREATE USER 'sha256user'@'localhost' IDENTIFIED WITH
sha256_password;
SET old_passwords = 2;
SET PASSWORD FOR 'sha256user'@'localhost' =
PASSWORD('Sh@256Pa33');

35. © 2017 Percona35
Password
▪Forçar usuário a trocar password
•MySQL 5.6
ALTER USER 'myuser'@'localhost' PASSWORD EXPIRE;
•MySQL 5.7
[mysqld]
default_password_lifetime=180
CREATE USER 'myuser'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;

36. © 2017 Percona36
Password
mysql> SELECT 1;
ERROR 1820 (HY000): You must SET PASSWORD before executing
this statement
mysql> ALTER USER USER() IDENTIFIED BY 'new_password';
Query OK, 0 rows affected (0.01 sec)
mysql> SELECT 1;
+---+
| 1 |
+---+
| 1 |
+---+
1 row in set (0.00 sec)

37. © 2017 Percona37
Connection Control

38. © 2017 Percona38
Connection Control
▪MySQL 5.7.17+
▪Adicionar delay na autenticação após X erros
▪Instalação
[mysqld]
plugin-load-add=connection_control.so
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME
'connection_control.so';

39. © 2017 Percona39
Connection Control
▪Connection_control_failed_connections_threshold
▪Connection_control_min_connection_delay
▪Connection_control_max_connection_delay

40. © 2017 Percona40
Connection Control
time mysql -u msandbox -pmsandbox2 -P 57182 --protocol=TCP
ERROR 1045 (28000): Access denied for user 'msandbox'@'localhost' (using password: YES)
real 0m0.014s
user 0m0.007s
sys 0m0.006s
time mysql -u msandbox -pmsandbox2 -P 57182 --protocol=TCP
ERROR 1045 (28000): Access denied for user 'msandbox'@'localhost' (using password: YES)
real 0m0.014s
user 0m0.004s
sys 0m0.009s
time mysql -u msandbox -pmsandbox2 -P 57182 --protocol=TCP
ERROR 1045 (28000): Access denied for user 'msandbox'@'localhost' (using password: YES)
real 0m1.513s
user 0m0.009s
sys 0m0.004s

41. © 2017 Percona41
TDE - Transparent Data Encryption

42. © 2017 Percona42
TDE
▪InnoDB MySQL 5.7
▪Criptografa os dados armazenados no disco
▪Cada tabela tem sua própria chave
▪Chave da tabela é armazenada no header do arquivo
▪Instalação
[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/usr/local/mysql/mysql-keyring/keyring

43. © 2017 Percona43
TDE
▪Verificar se o plugin está instalado
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';
+--------------+---------------+
| PLUGIN_NAME | PLUGIN_STATUS |
+--------------+---------------+
| keyring_file | ACTIVE |
+--------------+---------------+

44. © 2017 Percona44
TDE
▪Criptografar tabelas
mysql> CREATE TABLE t1 (c1 INT) ENCRYPTION='Y';
mysql> ALTER TABLE t1 ENCRYPTION='Y';

45. © 2017 Percona45
Audit Plugin

46. © 2017 Percona46
Audit Plugin
▪MySQL Enterprise - Pago
▪Macfee - Grátis
▪Percona Server - Grátis
▪Loga atividades do banco de dados
▪Diferente do general log
▪Filtros por command / usuário / banco

47. © 2017 Percona47
Audit Plugin
▪Formatos - OLD
<AUDIT_RECORD
"NAME"="Query"
"RECORD"="2_2014-04-28T09:29:40"
"TIMESTAMP"="2014-04-28T09:29:40 UTC"
"COMMAND_CLASS"="install_plugin"
"CONNECTION_ID"="47"
"STATUS"="0"
"SQLTEXT"="INSTALL PLUGIN audit_log SONAME 'audit_log.so'"
"USER"="root[root] @ localhost []"
"HOST"="localhost"
"OS_USER"=""
"IP"="" />

48. © 2017 Percona48
Audit Plugin
▪Formatos - New
<AUDIT_RECORD>
<NAME>Quit</NAME>
<RECORD>10902_2014-04-28T11:02:54</RECORD>
<TIMESTAMP>2014-04-28T11:02:59 UTC</TIMESTAMP>
<CONNECTION_ID>36</CONNECTION_ID>
<STATUS>0</STATUS>
<USER></USER>
<PRIV_USER></PRIV_USER>
<OS_LOGIN></OS_LOGIN>
<PROXY_USER></PROXY_USER>
<HOST></HOST>
<IP></IP>
<DB></DB>
</AUDIT_RECORD>

49. © 2017 Percona49
Audit Plugin
▪Formatos - JSON
{
"audit_record":{
"name":"Query",
"record":"4707_2014-08-27T10:43:52",
"timestamp":"2014-08-27T10:44:19 UTC",
"command_class":"show_databases",
"connection_id":"37",
"status":0,
"sqltext":"show databases",
"user":"root[root] @ localhost []",
"host":"localhost",
"os_user":"",
"ip":""
}
}

50. © 2017 Percona50
Audit Plugin
▪Formatos - CSV
"Query","49284_2014-08-27T10:47:11","2014-08-
27T10:47:23 UTC","show_databases","37",0,"show
databases","root[root] @ localhost
[]","localhost","",""

51. © 2017 Percona51
Audit Plugin
▪Mysqlauditgrep - buscar informações nos logs
▪Data
▪Tipo de evento
▪Usuário

52. © 2017 Percona52
Firewall

53. © 2017 Percona53
Firewall
▪MySQL Enterprise Firewall - Pago
▪ProxySQL - Grátis
▪https://goo.gl/n4VZzH

54. © 2017 Percona54
Firewall
▪Bloquear queries - SQL INJECTION!
•Original query: SELECT Name FROM world.city WHERE Name = ‘?’
•SQL Injection: ? = São Paulo' OR ID > 0; --
•SELECT Name FROM world.city WHERE Name = 'São Paulo' OR ID > 0; --'
Admin> SELECT username, digest, digest_text FROM stats_mysql_query_digest WHERE digest_text LIKE '% OR ID %'
ORDER BY first_seen DESC LIMIT 1;
+-------------+--------------------+------------------------------------------------------+
| username | digest | digest_text |
+-------------+--------------------+------------------------------------------------------+
| application | 0xD8AF41BF32707ABD | SELECT Name FROM world.city WHERE Name = ? OR ID > ? |
+-------------+--------------------+------------------------------------------------------+
1 row in set (0.00 sec)

55. © 2017 Percona55
Firewall
Admin> INSERT INTO mysql_query_rules (rule_id, active, digest, error_msg, apply) VALUES
(4,1,'0xD8AF41BF32707ABD','Suspeita de SQL Injection',1);
Query OK, 1 row affected (0.00 sec)
[root@localhost ~]# mysql -u application -papp -e "SELECT Name FROM world.city WHERE Name
= 'São Paulo' OR ID > 0; --' "
ERROR 1148 (42000) at line 1: Suspeita de SQL Injection

56. © 2017 Percona56
Perguntas?

57. DATABASE PERFORMANCE
MATTERS
Database Performance MattersDatabase Performance MattersDatabase Performance MattersDatabase Performance MattersDatabase Performance Matters
Obrigado!