
Displaying posts with tag: Security

MySQL 5.7 user table: password_last_changed & password_lifetime

MySQL 5.7.4 has added two fields to the mysql.user table — password_last_changed, a timestamp, and password_lifetime, a small unsigned integer. Several blogs ago I started to cobble together a password expiration tracking script before these two columns were added. I could see three ways of tracking expired passwords, but none of them were palatable. Todd Farmer was working on a similar idea.

So when you run mysql_upgrade after upgrading to 5.7.4, you will find these two new columns. The password_last_changed will be set to the time you ran the upgrade and password_lifetime will be set to null.

You can set a global password lifetime policy in the options file.
[mysqld]
Heartbleed OpenSSL Bug: Impact on ClusterControl Users & Recommendations on How to Protect your Systems
April 10, 2014 By Severalnines

In the wake of recent concerns and debates raised around the Heartbleed bug, we wanted to update Severalnines ClusterControl users on any impact this bug might have on ClusterControl & associated databases and/or applications.

Background

If your ClusterControl's web application has been accessible on the internet, then most likely you have also been exposed to the Heartbleed OpenSSL security bug, see: http://heartbleed.com for more details.

By default, our database deployment script enables SSL encryption for the
Heartbleed: Separating FAQ From FUD

If you’ve been following this blog (my colleague, David Busby, posted about it yesterday) or any tech news outlet in the past few days, you’ve probably seen some mention of the “Heartbleed” vulnerability in certain versions of the OpenSSL library.

So what is ‘Heartbleed’, really?

In short, Heartbleed is an information-leak issue. An attacker can exploit this bug to retrieve the contents of a server’s memory without any need for local access. According to the researchers that discovered it, this can be done without leaving any trace of compromise on the system. In other words, if you’re vulnerable, they can steal your keys and you won’t even notice that they’ve gone missing. I use the word

Redefining --ssl option

MySQL clients have long had a --ssl option. Casual users may think specifying this option will cause clients to secure connections using SSL. That is not the case:

D:\mysql-5.6.13-winx64>bin\mysql -uroot -P3307 --ssl
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.13-log MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
bin\mysql  Ver 14.14 Distrib 5.6.13, for Win64 (x86_64)

Connection id:          2
Current database:
Current user:           root@localhost
Password expiration policy in MySQL Server 5.7

I’ve previously noted my wish to have a comprehensive password policy in MySQL Server.  MySQL Server 5.7.4 takes a significant step towards this goal by adding native support for enforcing password lifetime policy.  This complements the validate_password plugin introduced in MySQL Server 5.6, which helps ensure adequate password complexity, and builds on the password expiration mechanism also introduced in MySQL Server 5.6.  This new feature has a

Notes on the AES encryption in MySQL
Oracle has improved the AES encryption/decryption functions in MySQL 5.6.17. They improved it a lot and posted a blog which explains all the details.

If you would like to know more about encryption there are two resources I would recommend:
  • The Code Book by Simon Singh. This is about the history of cryptography, but it also includes a lot of information about crypto which is currently in use. This is also a very entertaining read.
  • Crypto 101, a free/open-source book which gives an intro to crypto. The webpage also has a video of the talk on which the book is based.
And if you're going to use the AES encryption
MySQL 5.6.17 – now with better encryption

Joro wrote recently about MySQL 5.6.17's new support for AES-256 encryption, and it's a great improvement for people who need to encrypt their data at rest. The new session block_encryption_mode variable controls what variant of AES is used, and for backwards compatibility, the default behavior remains 128-bit key length with ECB block cipher mode. If you're happy with that level of encryption, nothing changes – your existing code will work the same on 5.6.17 as it has on earlier versions (note that users of

Understand and satisfy your AES encryption needs with 5.6.17

MySQL, starting from 4.0.2, had AES encryption and decryption functions. They are compiled with support for pure independent block by block encryption mode (ECB), using a 128 bit key.

128 bits is plenty enough! And sufficient for everybody! And who would even want to go to the trouble of dealing with initialization vectors? At least that’s what they probably thought when introducing these functions back in 2002 in MySQL 4.0.2.

But I believe in giving people a choice. Read below on why choice is important.

Does (key) size matter?

The biggest threat that longer keys protect against is brute force attacks. Fast forward 12 years since the introduction of these great SQL functions.  Brute-forcing shorter keys doesn’t sound as impossible as it

Database security: Why should you review yours?

Ah database security… the black sheep of topics and something you would really rather not have to deal with right?

I mean surely all the fanfare and paranoia is reserved for the neck beards with tinfoil hats who live in their own D.I.Y. Faraday cage … that must be it … it just has to be?

No, the hard reality is the world is not rose tinted and “they” are out to get you be it for fun or for profit; from defacements to theft compromising your applications, and more importantly your data is big business. For some these acts are nothing short of sheer entertainment for an otherwise boring evening. (I’ll be speaking about this topic next week in much more detail at the Percona Live MySQL Conference and Expo in

MaxScale has now its own public irc channel

MaxScale is a proxy for the MySQL protocol built with a modular architecture. The underlying concept of modules allows extending the MaxScale proxy services. The current version implements Read Write splitting and Connection Load Balancing. Internally MySQL queries go through a SQL parsing phase. This gives MaxScale great capabilities regarding query routing.

So if [...]

Recovering MySQL access
Ever found yourself working on a MySQL server where root's password is unavailable? It has happened to me a few times, always because the person who set up the DB left the place long ago, and this information was not documented anywhere. If you have root access to the OS, MySQL lets you restart the […]
How to get MySQL Critical Patch Updates and Security Alerts notices

Beware of bugs in the above code; I have only proved it correct, not tried it.
Donald Knuth

Bugs in software are a fact of life. MySQL, as part of Oracle, issues Critical Patch Updates and Security Alerts notices. You may have seen Daniel van Eeden's blog on the January announcement.

Daniel's summary:

For MySQL 5.6 you should upgrade to 5.6.15
For MySQL 5.5 you should upgrade to 5.5.35
For MySQL 5.1 you should upgrade to 5.1.73

But you probably missed the executive summary.

But how do
MySQL in Oracle Critical Patch Update Advisory January 2014

Oracle has released the Critical Patch Update (CPU) advisory for January 2014.

The affected MySQL products are:
• Oracle MySQL Enterprise Monitor, versions 2.3, 3.0
• Oracle MySQL Server, versions 5.1, 5.5, 5.6

So this means that you should consider updating MySQL. For MySQL Enterprise the updates should be available on My Oracle Support and for the Community version the new versions are on the regular download locations. I guess the official repositories are already updated.

For MySQL 5.6 you should upgrade to 5.6.15
For MySQL 5.5 you should upgrade to 5.5.35
For MySQL 5.1 you should upgrade to 5.1.73

If you use the MySQL release from your
OurSQL Episode 164: Who's Doing What?

This week we talk about how to install and use the MariaDB Audit plugin, and what the audit log looks like. Ear Candy presents a gotcha with MySQL and temporary directories, and At the Movies is about using Dynamo for more than just a data store.

Events
DB Hangops - every other Wednesday at noon Pacific time

Upcoming MySQL events (http://www.mysql.com/news-and-events/events/)

Training
SkySQL Trainings
Tungsten University trainings

MySQL encryption performance, revisited

This is part two of a two-part series on the performance implications of in-flight data encryption with MySQL. In the first part, I focused specifically on the impact of using MySQL's built-in SSL support with some rather surprising results. Certainly it was expected that query throughput would be lower with SSL than without, but I was rather surprised by the magnitude of the performance hit incurred at connection setup time. These results naturally lent themselves to some further investigation; in particular, I wanted to compare performance differences between MySQL's built-in SSL encryption facilities and external encryption technologies, such as SSH tunneling. I'll also be using this post to address a couple of questions posed in the comments on my
Auditing MySQL With McAfee Audit Plugin

Auditing MySQL isn't an easy task by default; you can use some techniques like tcpdump, write a parser for the general log, use MySQL Proxy, or you can use one of the audit plugins available out there (McAfee MySQL Audit Plugin or MySQL Enterprise Audit Log Plugin, for example).

In this post I'll cover the McAfee MySQL Audit Plugin (https://github.com/mcafee/mysql-audit); in a follow-up post I'll talk about the MySQL Enterprise Audit Log Plugin.

The installation is easy and requires just a few steps. I'm using MySQL 5.5 32-bit, so I'll download the files for
SSL Performance Overhead in MySQL

NOTE: This is part 1 of what will be a two-part series on the performance implications of using in-flight data encryption.

Some of you may recall my security webinar from back in mid-August; one of the follow-up questions that I was asked was about the performance impact of enabling SSL connections. My answer was 25%, based on some 2011 data that I had seen over on yaSSL's website, but I included the caveat that it is workload-dependent, because the most expensive part of using SSL is establishing the connection. Not long thereafter, I received a request to conduct some more specific benchmarks surrounding SSL usage in MySQL,
MySQL Connect HOL content posted

Just a quick post to note that the content from my hands-on lab at MySQL Connect ("MySQL Enterprise Features in Practice") has been uploaded to the content catalog, and can be found here. This includes the 36-page lab manual and example commands and programs (mostly in Java; the package includes both compiled and source code). For those who attended the lab, this is an opportunity to complete the exercises we didn't get to in the 2.5 hours, and for those who missed it, an opportunity to learn more about the features and capabilities of key MySQL Enterprise products and features such as MySQL Enterprise Audit plugin, MySQL Enterprise Monitor
Creating custom rules in MySQL Enterprise Monitor

Quite some time ago, I published scripts to implement password policies for MySQL, and promised to show how to expose violations of that policy via MySQL Enterprise Monitor (MEM). That stalled somewhat with other objectives, but I want to revisit it now that MEM 3.0 is GA. If you haven't tried MEM 3.0 yet, consider doing so – it's quick and easy to set up.

Many people don't realize that MEM can be extended to monitor things beyond MySQL Server health, including visibility into application state as
Introducing audit_login: simple MySQL login logfile based auditing

audit_login is a simple MySQL login auditing plugin, logging any login or login attempt to a log file in JSON format.

It seems that audit plugins are all the rage lately... We developed our simple plugin a month ago as part of our database securing efforts; by auditing any login or login attempt we could either intercept or later investigate suspicious logins.

However, we quickly realized there is much more to be gathered from this info.

In short, you install this plugin onto your MySQL server, and your server starts writing into a text file called audit_login.log entries such as the following:

{"ts":"2013-09-11
News: MariaDB Audit Plugin beta is out

By going to the download section of the SkySQL website, some users have noticed "MariaDB Audit Plugin". This auditing feature for MySQL has been requested by more and more customers. Legal constraints make it mandatory for more and more companies to keep logging information about database access and activity.

It is very important for the MySQL [...]

Implementing a host blacklist with MySQL privileges

When I saw Shlomi's recent post which asked (in part) for blacklist support in MySQL, I started thinking about ways in which this could be done using the tools we have today. Here's the example requirements Shlomi noted:

Speaking of whitelist, it would be great to have a host blacklist. If I wanted to grant access to 'gromit'@'192.168.%' except for '192.168.10.%' — well, I would have to whitelist all the possible subnets. I can't exclude a set of hosts.

I think that's entirely possible without the overhead of whitelisting all possible subnets – let's give it a go!

This solution will rely on the fact that the first step in
MySQL security top wish list

Security seems to have no boundaries. I've been tightening our database security lately, and it seems like this could go on forever: from app to console to privileges to server, there are so many aspects to managing database security. Unfortunately, this is a field where MySQL is particularly weak, and with very little work done in the many years I've been working with MySQL.

My very own top-wanted security features for MySQL follow. Surely this is but a small subset; your mileage may vary.

Authentication-only SSL

By default, the MySQL client API is unencrypted and passwords are sent in cleartext. MySQL supports SSL, but it's an "all or nothing" deal: if you want to use SSL, then everything goes by SSL: any query, SELECT, DDL and whatnot.

[UPDATE]: Thanks to Davi & Jan for correcting me on this: passwords are not sent via
Tungsten-Replicator 2.1.1 with better installation and built-in security

UPDATE 2013-08-30: Tungsten 2.1.2 was released.

UPDATE 2013-08-23: We have found a few problems that happen when replicating with RBR and temporal columns. We will have to publish an updated bugfix release quite soon.

Tungsten Replicator 2.1.1 is out. Key features in this release are:

• A better installer, of which we have already given a preview in tpm, the multi-master composer. The new installer allows faster and more powerful deployments of both single-master and multiple-master topologies. And it also allows the next feature:
• Secured communication layer. Now the replicator data and
Understanding max_connect_errors

To only slightly misquote one of the greatest movies of all times:

You keep using that option. I do not think it means what you think it means.

Perhaps like many users, I had certain assumptions about what max_connect_errors really does – but in looking closely as part of investigating the new PERFORMANCE_SCHEMA.HOST_CACHE table in MySQL 5.6, I learned that some very fundamental elements had escaped my notice. I'm writing this blog post to help others who hold similar misconceptions of what this option does.

Many, if not most, MySQL DBAs are familiar with "host blocked"
MySQL 5.6 users – prevent host blocked errors

The much-improved PERFORMANCE_SCHEMA in MySQL 5.6 provides visibility into MySQL's host cache, including the ability to monitor for impending blocked hosts. You can do this with the following query:

mysql> SELECT
    ->  ip,
    ->  host,
    ->  host_validated,
    ->  sum_connect_errors
    -> FROM performance_schema.host_cache\G
*************************** 1. row ***************************
                ip: 192.168.2.4
              host: TFARMER-MYSQL.wh.oracle.com
    host_validated: YES
sum_connect_errors: 3
1 row in set (0.02 sec)

That's helpful information, and allows DBAs to identify problematic hosts before they are blocked. Due to Bug#69807,
Improved Security with MySQL 5.6

Installed on a clean CentOS 6.4 AWS instance.

sudo su -
cd /tmp
wget http://cdn.mysql.com/Downloads/MySQL-5.6/MySQL-5.6.13-1.el6.x86_64.rpm-bundle.tar
tar xvf MySQL-5.6.13-1.el6.x86_64.rpm-bundle.tar
yum install -y libaio perl
rpm -i MySQL*.rpm

The following output is the sign that security is being considered with new MySQL versions. Woot!

A RANDOM PASSWORD HAS BEEN SET FOR THE MySQL root USER !
You will find that password in '/root/.mysql_secret'.

You must change that password on your first connect,
no other statement but 'SET PASSWORD' will be accepted.
See the manual for the semantics of the 'password expired' flag.

Also, the account for the anonymous user has been removed.

In addition, you can run:

  /usr/bin/mysql_secure_installation

which will also give you the option of removing the test database.
This is strongly recommended for
Practical P_S: From which hosts are connections being attempted?

MySQL Server has an aborted_connect status counter which will show you the number of failed attempts to establish a new connection. The manual describes potential causes as follows:
The network is reliable

A fascinating post-mortem on high profile network failures:

This post is meant as a reference point–to illustrate that, according to a wide range of accounts, partitions occur in many real-world environments. Processes, servers, NICs, switches, local and wide area networks can all fail, and the resulting economic consequences are real. Network outages can suddenly arise in systems that are stable for months at a time, during routine upgrades, or as a result of emergency maintenance. The consequences of these outages range from increased latency and temporary unavailability to inconsistency, corruption, and data loss. Split-brain is not an academic concern: it happens to all kinds of systems–sometimes for days on end. Partitions deserve serious consideration.

MySQL 5.6 Experiences - .mylogin.cnf and mysql_config_editor

Having explained the basic ideas of how I am going to describe new features, I can proceed with some real (and I hope useful) content. As I read this page about new features from top to bottom, let's start with security improvements...

.mylogin.cnf and mysql_config_editor

Details:

• you can store authentication credentials encrypted in an option file named .mylogin.cnf (in the user's home directory or in %APPDATA%\MySQL on Windows)
• the password is no longer stored in plain text (like in .my.cnf) and still is not exposed in
Planet MySQL © 1995, 2014, Oracle Corporation and/or its affiliates

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.