Date posted: 14-Jul-2015
Category: Technology
Uploaded by: georgi-kodinov
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
Decrease Your MySQL Attack Surface
Georgi “Joro” Kodinov, Team Lead, MySQL Server General Team
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Goal: Make You Think About Security!
Agenda
What is “Attack Surface”?
Why is it important to minimize it?
Ways to decrease the attack surface
Further reading
“The attack surface of a software environment is the sum of the different points where an unauthorized user can try to enter data to or extract data from an environment.” – Wikipedia
Takeaway Points: What is “Attack Surface”?
• It’s a property of the whole environment
  – database, web server, application, network
• Covers entering AND extracting data
  – Data are a precious commodity
• Is exploited by unauthorized users
  – That includes not-sufficiently-authorized users too!
Why is it Important to Minimize the Attack Surface?
It is FRIGHTENINGLY EASY to find and exploit weaknesses!
Even Safer Harbor Statement!
• This information is for demonstration only
• It does not necessarily correspond to any actual live sites
• You should use this information only to assess the defenses of your own installations
• Never use the techniques displayed for any unauthorized access!
• Be very careful and double-check all tools you get from third parties before using them!
Finding You on the Net
• 22165 wide-open MySQL servers available on the Net
• Root passwords, where applicable
• Most are probably vulnerable to manipulation of the underlying OS too
• Some of these are pretty recent finds too
• All of that on a free, open web site
And Going On Is Just As Easy …
• All it needs to start is login access
• Can work its way in through SQL injection too
• Can automatically test password hashes against dictionary tables
• Can retrieve OS files through the database
• Can store the password hashes for later offline cracking
• Can inject UDF shared objects into the database
• “Wizard” mode for “novice users”
• Free and open-source tool
All of that from a few hours of web search!
Imagine the outcome if I were a professional!
Dolphins can kill sharks when working together!
Ways to Decrease the Attack Surface
Always Be Up-to-date!
• It’s a race!
• 10 CVE reports addressed in the latest MySQL 5.6 Critical Patch Update
• Oracle provides a yum/apt repository
– http://dev.mysql.com/downloads/repo/
Remove the stuff you don’t need
• Run mysql_secure_installation. Now!
• Review and restrict the network interfaces that the server listens on
• Generate SSL keys and make sure the server can “talk” SSL
• Remove extra user accounts and privileges
• Remove unneeded files and packages
Have a Backup Plan
• Schedule regular backups
• Backup data, logs, and configuration
• If your data are important, make backups of backups
• Perform regular emergency drills
Be Vigilant: Monitor, Audit, Log, Observe
• Consider enabling query logging. Create a log backup policy.
• Audit the server configuration for changes. Revert the bogus ones
• Monitor your server logs. Set alerts for “unusual” patterns.
• Monitor security related stats. Set alerts for “unusual” patterns.
• Regularly probe your “defenses” by trying bad things on purpose
• Consider using Enterprise Audit
Take Control of Your User Accounts
• Set password complexity standards
• Rotate your passwords
• Pick the right authentication method for your accounts
• Audit changes to user account security
• Avoid storing passwords in your scripts
• Consider using Enterprise Authentication
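The account-hygiene checks behind the “Remove extra user accounts and privileges” and “Take Control of Your User Accounts” slides, as an added example that is not part of the deck. It assumes a MySQL 5.6 server (the version the deck discusses) and the 5.6 layout of the mysql.user grant table, where the hash lives in the Password column (in 5.7 and later it is authentication_string). The 'app' account, the 10.0.0.% host pattern and the length value are constructed placeholders.

```sql
-- Added example, not from the deck: account-hygiene checks for a MySQL 5.6
-- server, run from a DBA account. Column names follow the 5.6 mysql.user
-- layout (assumption; in 5.7+ `Password` is `authentication_string`).
-- The 'app' user and the 10.0.0.% host pattern below are placeholders.

-- 1. Anonymous accounts: any client can connect as them without a user name.
SELECT User, Host FROM mysql.user WHERE User = '';

-- 2. Native-auth accounts with no password at all.
SELECT User, Host
FROM mysql.user
WHERE Password = '' AND plugin IN ('', 'mysql_native_password');

-- 3. Accounts reachable from any host, and root accounts reachable remotely.
SELECT User, Host
FROM mysql.user
WHERE Host = '%'
   OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));

-- 4. Accounts holding privileges that reach the OS or bypass checks:
--    FILE enables LOAD_FILE()/INTO OUTFILE, SUPER bypasses read_only,
--    GRANT OPTION lets the account hand its privileges to others.
SELECT User, Host, File_priv, Super_priv, Grant_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Grant_priv = 'Y';

-- 5. Accounts that are not required to connect over SSL.
SELECT User, Host, ssl_type FROM mysql.user WHERE ssl_type = '';

-- 6. Grants on the default 'test' schema, which mysql_secure_installation
--    removes (the default row stores the literal pattern test\_%).
SELECT User, Host, Db FROM mysql.db WHERE Db IN ('test', 'test\_%');

-- Remediation for typical findings (placeholders, adjust to your findings):
DROP USER ''@'localhost';                          -- anonymous account
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db IN ('test', 'test\_%');
FLUSH PRIVILEGES;                                  -- needed after the direct DELETE
REVOKE FILE ON *.* FROM 'app'@'10.0.0.%';          -- least privilege for an app account
GRANT USAGE ON *.* TO 'app'@'10.0.0.%' REQUIRE SSL; -- force TLS for that account

-- Password complexity via the validate_password plugin (MySQL 5.6.6+) and
-- forced rotation via PASSWORD EXPIRE (MySQL 5.6.7+).
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = 'STRONG';
SET GLOBAL validate_password_length = 14;
ALTER USER 'app'@'10.0.0.%' PASSWORD EXPIRE;       -- new password required at next login
```

Queries 1 to 6 are read-only and can be run on a schedule as part of the “Audit changes to user account security” bullet; diffing their output against the previous run is a cheap way to alert on new grants. FLUSH PRIVILEGES is only required after editing the grant tables directly, as the DELETE does; DROP USER, REVOKE and GRANT take effect on their own.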
Useful Parameters

Parameter                 Recommended value
secure_file_priv          Designated directory
symbolic_links            Boolean NO
default-storage-engine    InnoDB
general-log               Boolean ON
log-raw                   Default: OFF
skip-networking           ON, if you can afford it
SSL options               Set to valid values
plugin-dir                Designated read-only directory
chroot                    Designated directory, if you can afford it
core-file                 OFF
des-key-file              File with DES keys
read_only                 ON for slaves!
sha256_password RSA keys  RSA public/private key pair, if you can’t use SSL
tmpdir                    Designated directory outside of secure-file-priv
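The parameter table above, written out as a my.cnf [mysqld] section; this is an added example and not a configuration shipped with the deck or with MySQL. It assumes MySQL 5.6 option names, and every path, certificate file name and key file name is a constructed placeholder to be replaced with the designated directories on the actual host.

```ini
[mysqld]
# Added example, not from the deck: MySQL 5.6 settings matching the
# "Useful Parameters" table. All paths below are placeholders.

# Confine LOAD DATA INFILE, SELECT ... INTO OUTFILE and LOAD_FILE() to one
# directory; an empty value would allow any path the mysqld user can read.
secure_file_priv = /var/lib/mysql-files
# Keep tmpdir outside the secure_file_priv directory so temp files cannot be
# read back through LOAD_FILE().
tmpdir = /var/lib/mysql-tmp

# Do not follow symlinks for MyISAM data files (prevents pointing a table at
# an arbitrary path) and default new tables to InnoDB.
symbolic-links = 0
default-storage-engine = InnoDB

# Log every statement for auditing; leave log-raw off so that passwords in
# statements are rewritten before they reach the log.
general-log = 1
general_log_file = /var/log/mysql/general.log
log-raw = 0

# Network exposure: either disable TCP entirely (skip-networking) if only
# local socket clients exist, or bind to one interface and require TLS.
# skip-networking
bind-address = 10.0.0.10
ssl-ca   = /etc/mysql/ssl/ca.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key  = /etc/mysql/ssl/server-key.pem

# Clients that cannot use SSL but use sha256_password need the server's RSA
# key pair to encrypt the password in transit (MySQL 5.6.6+).
sha256_password_private_key_path = /etc/mysql/rsa/private_key.pem
sha256_password_public_key_path  = /etc/mysql/rsa/public_key.pem

# Load plugins (UDF shared objects included) only from a directory the
# mysqld OS user cannot write to.
plugin-dir = /usr/lib/mysql/plugin
# Optional: confine the server process to a directory tree.
# chroot = /var/lib/mysql-jail

# core-file is OFF by default; leave it unset, a core dump contains buffer
# pool pages and session data in clear text.

# Key file for DES_ENCRYPT()/DES_DECRYPT(), readable only by the mysqld user.
des-key-file = /etc/mysql/des_keys

# On replication slaves, refuse writes from accounts without SUPER.
read_only = 1
```

After editing, `mysqld --verbose --help` or `SHOW GLOBAL VARIABLES LIKE 'secure_file_priv'` confirms what the running server actually picked up; several of these options (secure_file_priv, skip-networking, chroot, plugin-dir, des-key-file) are read only at startup, so a restart is required for them to take effect.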