bgoug 2014 decrease your mysql attack surface

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |

Decrease YourMySQLAttack Surface

Georgi “Joro” KodinovTeam LeadMySQL Server General Team

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

2

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. 3

Goal: Make You Think About Security !


Agenda

4

What is “Attack Surface” ?

Why is it important to minimize it ?

Ways to decrease the attack surface

Further reading



5


“The attack surface of a software environment is the sum of the different points where an unauthorized user can try to enter data to or extract datafrom an environment.”– Wikipedia

6



• It’s a property of the whole environment

– database, web server, application, network

• Covers entering AND extracting data

– Data are precious commodity

• Is exploited by unauthorized users– That includes not-sufficiently-authorized too !

7

Takeaway Points


Why is it Important to Minimizethe Attack Surface ?

8


It is FRIGHTENINGLY EASY to find and exploit weaknesses !


Even Safer Harbor Statement !

• This information is for demonstration only

• It does not necessarily correspond to any actual live sites

• You should use this information only to assess the defenses of your owninstallations

• Never use the techniques displayed for any unauthorized access !

• Be very careful and double-check all tools you get from 3d parties before using them !

10


• 22165 wide open MySQL servers available on the Net

• Root passwords where applicable

• Most are probably vulnerable to manipulating the underlying OS too

• Some of these are pretty recent finds too

• All of that on a free, open web site

11

Finding You on the Net


• All it needs to start is login access

• Can work its way in through SQL injection too

• Can automatically test password hashes against dictionary tables

• Can retrieve OS files through the database

• Can store the password hashes for later offline cracking

• Can inject UDF shared objects into the database

• “wizard” mode for “novice users”

• Free and open source tool

12

And Going On Is Just As Easy …


All that from using web search for few hours !


Imagine the outcome if I was a professional !


… or even up to no good !


Dolphins can kill sharkswhen working together !

16


Ways to Decrease the Attack Surface

17


Always Be Up-to-date !

• It’s a race !

• 10 CVE reports addressed in the latest 5.6 MySQL Critical Patch Upgrade

• Oracle provides a yum/apt repository

– http://dev.mysql.com/downloads/repo/

18



Remove the stuff you don’t need

• Run mysql_secure_installation. Now !

• Review and restrict the network interfaces that the server listens on

• Generate SSL keys and make sure the server can “talk” SSL

• Remove extra user accounts and privileges

• Remove unneeded files and packages

19



Have a Backup Plan

• Schedule regular backups

• Backup data, logs, and configuration

• If your data are important, make backups of backups

• Perform regular emergency drills

20



Be Vigilant: Monitor, Audit, Log, Observe

• Consider enabling query logging. Create a log backup policy.

• Audit the server configuration for changes. Revert the bogus ones

• Monitor your server logs. Set alerts for “unusual” patterns.

• Monitor security related stats. Set alerts for “unusual” patterns.

• Regularly probe your “defenses” by trying bad things on purpose

• Consider using Enterprise Audit

21



Take Control of Your User Accounts

• Set passwords complexity standards

• Rotate your passwords

• Pick the right authentication method for your accounts

• Audit changes to user account security

• Avoid storing passwords in your scripts

• Consider using Enterprise Authentication

22



Useful Parameters

Parameter Recommended Value

secure_file_priv Designated directory

symbolic_links Boolean NO

default-storage-engine InnoDB

general-log Boolean ON

log-raw Default : OFF

skip-networking ON, if you can afford it.

SSL options Set to valid values


Useful Parameters

Parameter Recommended Value

plugin-dir Designated read-only directory

chroot Designated directory, if you can afford it

core-file OFF

des-key-file File with DES keys

read_only ON for slaves !

sha256_password RSA key RSA public private keys if can’t use SSL

tmpdir Designated directory out of secure-file-priv


Questions and Answers

25

bgoug 2014 decrease your mysql attack surface

Technology

oracle andor

sole discretion of oracle

minimizethe attack surface

password hashes

web server

open web site11finding

unauthorized access

unauthorized usersthat