We’ll show you how to secure a LEMP stack. LEMP stands for Linux, NGINX (Engine-X), MariaDB (or MySQL) and PHP. Due to its flexibility and simplicity, NGINX is slowly taking over the Internet. In this tutorial, we will attempt, through examples of bad and good practices, to go through the steps of properly securing your Linux web server. […]
This blog post examines the recent MySQL® ransomware attacks, and what open source database security best practices could have prevented them.
Unless you’ve been living under a rock, you know that there has been an uptick in ransomware for MongoDB and Elasticsearch deployments. Recently, we’re seeing the same for MySQL.
Let’s look and see if this is MySQL’s fault.
Other Ransomware Targets
Let’s briefly touch on how Elasticsearch and MongoDB became easy targets…
Elasticsearch
…
[Read more]
Please join Sveta Smirnova, Percona’s Principal Technical Services Engineer, as she presents Troubleshooting MySQL Access Privileges Issues on February 23, 2017 at 11:00 am PST / 2:00 pm EST (UTC-8).
Do you have registered users who can’t connect to the MySQL server? Strangers modifying data to which they shouldn’t have access?
MySQL supports a rich set of user privilege options and allows you to fine tune access to every object in the server. The latest versions support authentication plugins that help to create more access patterns.
However, finding errors in …
[Read more]
In this blog we are going to explore the InnoDB tablespace encryption technique, which will be useful for securing data.
In MySQL 5.7, a new feature, “InnoDB Tablespace Encryption”, has been added to protect data at rest. This is a most awaited feature in security. This encryption supports all file-per-table tablespaces and it will not support shared tablespaces. This encryption technique works on the basis of rotating key files. There are two types of keyring plugins available for key management, and they are given below:
- keyring_file plugin – Available in all MySQL versions.
- keyring_okv plugin – Available in MySQL Enterprise Edition.
Architecture:
Innodb tablespace encryption uses two tier encryption architecture, in which it has master encryption key …
[Read more]
If you are using Percona XtraBackup with xbcrypt to create encrypted backups, and are using versions older than 2.3.6 or 2.4.5, we advise that you upgrade Percona XtraBackup.
Note: this does not affect encryption …
[Read more]
The MariaDB audit plugin is an audit plugin that is bundled with MariaDB server. However, even though it is bundled with MariaDB, the plugin is actually compatible with MySQL as well. In this blog post, I will describe how to install the plugin with MySQL.
Install the plugin
Unfortunately, neither MariaDB Corporation nor MariaDB Foundation currently distribute a standalone binary ...
[Read more]
Using Vault with MySQL
In my previous post I discussed using GPG to secure your database credentials. This relies on a local copy of your MySQL client config, but what if you want to keep the credentials stored safely along with other super secret information? Sure, GPG could still be used, but there must be an easier way to do this.
This post will look at a way to use Vault to store your credentials in a central location and use them to access your database. For those of you that have not yet come across Vault, it is a great way to manage your secrets – securing, storing and tightly controlling access. It has the added benefits of being able to handle leasing, key revocation, key rolling and auditing.
During this blog post we’ll accomplish the following …
[Read more]
It’s been a busy month for file vulnerabilities. Thanks to Dawid Golunski at legalhackers.com for giving us all the opportunity to tighten security in our MySQL, MariaDB, and Percona Server instances.
Details were released for the CVE 6663 mentioned last week and for a new CVE 6664:
http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
Note that 6664 is dependent on 6663, and 6663 can be mitigated by turning off symbolic_links (=0). Upgrading to the latest versions also fixes the problem. Regardless, the attacker …
[Read more]
It is a common auditing requirement to log user connection events, including whether or not authentication was successful.
There are a number of alternatives available for MySQL, but unfortunately there is no built-in functionality at the time of this writing. In this post we will discuss auditing MySQL users with the McAfee plugin, which is available under the GPL Version 2 license.
Installation instructions
These apply to Debian-based hosts, but instructions for Red Hat are similar.
1. Download the latest plugin release from GitHub.
At the time of this post, for MySQL 5.5 you can get:
wget 'https://bintray.com/mcafee/mysql-audit-plugin/download_file?file_path=1.0.9-release%2Faudit-plugin-mysql-5.5-1.0.9-585-linux-x86_64.zip'
2. Decompress …
[Read more]
At our September 2016 New York City MySQL Meetup there was a demonstration of how to implement role-based security in MySQL using Hexatier. In addition, several other important security features were demonstrated, including role-based dynamic data masking down to a per-column level and full statement auditing.
Thanks to Scott Unrick, Lead Database Administrator at Teladoc, for the great presentation. Slides are available here.
Hexatier – MySQL Role-based Security & Data Masking from …
[Read more]