I’ve been working with a client recently who has SELinux on his servers. It has been quite a struggle sometimes.
My colleages tell me that SELinux has a pretty noticeable performance impact. I am not sure if we have benchmarks to support this; at any rate, the client said it’s OK, we’ll take the performance hit.
There [...]
This Monday, September 8th, the Boston MySQL User Group broke our 2-month summer hiatus with a presentation on MySQL Views.
The slides can be downloaded from http://www.technocation.org/files/doc/2008_09_Views.pdf -- 89 kB, .pdf format.
The 199 Mb .flv file can be downloaded at http://technocation.org/node/621/download or played directly in your browser at http://technocation.org/node/621/play.
The presentation covers:
If you are security conscious and nowadays who isn’t?, you may
have pondered over ways to make your external SSH connection
safer.
Of course there’s always One-time Passwords and Public Keys, but if like me you watch the
daily barrage of brute force attacks you may be thinking it’s
only a matter of time…
That’s what I was thinking at about the same time an SMS arrived on my mobile….then it hit me….I take my mobile everywhere, if only my server could call me and ask if it is really me trying to log in.
My first instinct was to try and insert a Perl or Python script into the login process. After all …
[Read more]Last week I gave my first webinar for MySQL titled “Bau sicherer LAMP Anwendungen”. The webinar, which was a cooperation between MySQL and my company SektionEins, was held in german, covered SQL-Malware, SQL-Injection, safe programming and some tools to detect and block SQL-Injection attacks.
The recording of this webinar is now available on the MySQL site.
For those that only want to see my slides they are available on the MySQL site after registration or here.
Because it was a german webinar the recording and slides are in german, too.
While SQL-Injection is one of the most discussed security problems in web applications other possible problems for SQL queries like overlong input are usually ignored although they can lead to all kinds of security problems.
This might be caused by the fact that security problems that are the result of overlong input are often buffer overflows and buffer overflows are something many web application security experts know nothing about and choose to ignore.
There are however several security problems for SQL queries that are caused by overlong input and no one talks about.
max_packet_size
In MySQL there exists a configuration option called max_packet_size which is set to one megabyte by default and controls the maximum size of a packet sent between the SQL client and server. When queries or result rows do not fit into a single packet a error is raised. This means an overlong SQL query is never sent to the server …
[Read more]I previously reported about my joy with MySQL-Proxy and a simple SQL-Injection detection based on a simple heuristic.
Today I present the more interesting approach that I promised to publish after my webinar yesterday. This approach is based on the idea that SQL queries issued by an application always have a certain structure. This structure can be learned and remembered by MySQL-Proxy. Any SQL query that has a different structure can then be considered an attack.
Training Mode
The first Lua script learn_sql_queries.lua uses MySQL-Proxy’s read_query hook to catch COM_INIT_DB and COM_QUERY packets. COM_INIT_DB packets are issued when the database is …
[Read more]Josh Berkus' "Safe Data is Happy Data" (originally entitled "Lock Up Your Data") goes talks about defense in depth -- going beyond firewalls and other "perimeter defense" mechanisms such as middleware and web server tools. Berkus explains "full-stack security" including preventing SQL injection, data abstraction, database permissions, and even what to do after an attack.
Stream directly online at http://technocation.org/node/591/play or download the 346 Mb .wmv file at .
From the official OSCon description:
“MySQL Proxy is a simple program that sits between your client and MySQL server(s) that can monitor, analyze or transform their communication. Its flexibility allows for unlimited uses; common ones include: load balancing; failover; query analysis; query filtering and modification; and many more.”
The flexibility of MySQL Proxy is based on the fact that every aspect is scriptable with Lua. Because I am new to MySQL Proxy and the Lua language I tried to implement a very simple script that waits for incoming SQL queries, tokenizes them and tries to detect SQL Injection heuristically by searching for certain disallowed SQL functions, databases, tables, statements or comments. When an SQL query is believed to contain an SQL injection is it not executed and a “Possible SQL …
[Read more]At the 2008 MySQL User Conference and Expo, Brian Miezejewski gave a workshop on "Securing MySQL for a Security Audit".
I have already blogged about this keynote at http://www.pythian.com/blogs/948/liveblogging-who-is-the-dick-on-my-site.
If you are interested in actually seeing the video, the 286 Mb .wmv file can be downloaded at http://technocation.org/videos/original/mysqlconf2008/2008_04_17_panelDick.wmv and played through your browser by clicking the "play" link here. This is not to be missed!