The Linux distillery
The dark side of open source: Hacking MySQL
by David M Williams
Sunday, 10 February 2008
Page 3 of 3

An example of how the MySQL source code unveiled a fault is a paper by Core Security which describes weaknesses in the MySQL authentication mechanism prior to version 4. This paper is dated January 24 2002, so much of what it says is not applicable to brand new installations of MySQL – but it is still very relevant to any site running version 3.x. Fundamentally, prior to 4.1, MySQL required a password hash to authenticate but not the actual password; this meant that you only had to work out a hash value, which was purely a computational problem. Indeed, if you could take advantage of LOAD_FILE as above you could simply dump out the hashes anyway.

Make sure you have a firewall installed, such as iptables. Also, run MySQL under its own low-privileged user account. As with most things Windows, the Windows installation of MySQL runs as the local system user by default. This should be changed straight away. Even on a Linux platform you’re not guaranteed safety; if MySQL is running with user credentials shared by another service – for example, the ‘nobody’ user as often used by Apache – then you still have a sub-optimal situation. If Apache is exploited then MySQL is similarly at risk because it runs under the same user account.

Run MySQL with its --chroot option. This effectively locks it to only its own directory structure and nothing higher. Even if the database system is compromised, your higher-up operating system files cannot be read or written to.

Be sure to turn off unnecessary services; this reduces the attack surface on your box.

Make sure your .mysql_history file is kept clear. By default this logs queries you’ve directly typed into the MySQL command line interface. This should be regularly cleared out. If it can be viewed by a malicious person it will reveal critical information about the databases, tables and users hosted by the server.

Set a strong password for the root@localhost user and remove all other users that are not required. There shouldn’t be any user accounts which do not have a clear and definite purpose. Ensure the remaining users are restricted by IP address as well as by password. If at all possible don’t allow remote connections. If you really must, specify REQUIRE SSL so that SSL encryption is necessary. If you don’t need remote connections, go further and disable TCP/IP connections entirely via the --skip-networking option.

Routinely check the MySQL log file and the error log file. Also, periodically run SELECT user, host FROM mysql.user; to review which accounts exist and from which hosts they are allowed to connect.

Open source software can give you immense peace of mind. However, it can also give the bad guys an advantage too. Don’t let this dissuade you; just be sure to keep security at the forefront of your mind and you’ll have a successful installation.
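The hardening checklist above (dedicated low-privilege account, --chroot, --skip-networking, and a periodic review of `SELECT user, host FROM mysql.user;`) can be turned into a repeatable audit. The script below is an added example written for this article, not code from the article or from MySQL itself. It parses the `[mysqld]` section of a my.cnf, flags the settings the article warns about, and checks a user/host listing for anonymous accounts and accounts reachable from any host. The my.cnf text and the user rows are constructed sample data; the `webapp` account and the `10.0.0.5` address are invented for the example.

```python
"""Audit a MySQL my.cnf and a mysql.user listing against the hardening
advice in the article. Added example; not from the original page."""
import configparser

# Constructed sample my.cnf for an unhardened install (values are invented).
SAMPLE_MY_CNF = """
[client]
port = 3306

[mysqld]
port = 3306
user = nobody
datadir = /var/lib/mysql
"""

# Constructed result of: SELECT user, host FROM mysql.user;
SAMPLE_USERS = [
    ("root", "localhost"),
    ("root", "%"),            # root reachable from any host
    ("", "localhost"),        # anonymous account
    ("webapp", "10.0.0.5"),   # hypothetical app account pinned to one IP
]

# Accounts that are shared with other services or overly privileged.
SHARED_OR_PRIVILEGED = {None, "root", "nobody", "daemon"}


def parse_mysqld_section(text):
    """Return the [mysqld] options as a dict; bare flags such as
    'skip-networking' map to None. '_' is normalised to '-' because
    MySQL treats the two spellings as the same option."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False,
                                       interpolation=None)
    parser.read_string(text)
    if "mysqld" not in parser:
        return {}
    return {key.replace("_", "-"): value
            for key, value in parser["mysqld"].items()}


def audit_config(options):
    """Findings for the server-side settings the article recommends."""
    findings = []
    if "skip-networking" not in options:
        findings.append("TCP/IP listener enabled: add skip-networking "
                        "if remote connections are not needed")
    user = options.get("user")
    if user in SHARED_OR_PRIVILEGED:
        findings.append("mysqld runs as %s: use a dedicated low-privilege "
                        "account" % (user or "the default user"))
    if "chroot" not in options:
        findings.append("no chroot configured: run with --chroot")
    return findings


def audit_users(rows):
    """Findings for (user, host) rows from mysql.user."""
    findings = []
    for user, host in rows:
        if user == "":
            findings.append("anonymous account for host %s: remove it" % host)
        elif host == "%":
            findings.append("%s@%% is reachable from any host: restrict it "
                            "by IP address" % user)
    return findings


def run_audit(cnf_text, rows):
    """Combined audit; an empty list means nothing was flagged."""
    return audit_config(parse_mysqld_section(cnf_text)) + audit_users(rows)


if __name__ == "__main__":
    for finding in run_audit(SAMPLE_MY_CNF, SAMPLE_USERS):
        print("-", finding)
```

On a live server you would feed `run_audit` the real my.cnf contents and the rows returned by `SELECT user, host FROM mysql.user;`; an empty result means the file and the account list match the article's checklist, though the strength of the root@localhost password and the contents of .mysql_history still have to be checked by hand.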