The Challenge Often with sensitive information, you need to have an audit log. Not just that a table had a select run, but that specific cells within the table were accessed. Frequently data such as this will contain a classification level as part of the row, defining policies for how it is handled, audited, etc.… Facebook Twitter LinkedIn
10 Older Entries »
ProxySQL Firewall Overview
ProxySQL’s flexible query rules engine has many uses, from Read/Write splitting, sharding and even creating firewall blacklist. This allows ProxySQL to be loved by both Performance and Security-minded engineers.
Starting in ProxySQL 2.0.9, ProxySQL has another Security feature: the Firewall Whitelist.
Modeled on MySQL Enterprise Firewall, this allows a security-conscious administrator to tune access to only allow certain queries.
Imagine a situation where your webapp gets hacked, which exposes your user’s database credentials.
If your webapp connects directly to the database, the malicious user can do what they want to your data with the same permissions your webapp has.
So perhaps they can’t just DROP TABLE because you’ve smartly removed DDL permissions …[Read more]
A long long time ago (in a galaxy far away… cue the music!) MySQL added support for an authentication plugin which is now known as mysql_native_password. The mysql_native_password plugin uses SHA1 hash to
- Store the password(SHA1(SHA1(password)) in mysql.user table
- Authenticate user
One of the good traits of this plugin is that it allows authentication using …[Read more]
In most cases, MySQL password instructions provide information on changing MySQL user passwords on the production system (e.g., reset root password without restart). It is even recommended to change passwords regularly for security reasons. But still, sometimes DBA duties on legacy systems offer surprises and you need to recover the original password for some old users.
There is no magic: as long as only hashes are stored and not the original passwords, the only way to recover the lost password is to brute force it from the known hash.
Note on Security and mysql-unsha1 Attack
Interestingly, if a hacker has access to password hash and can sniff mysql traffic, he doesn’t need to recover a plain text password from it. It doesn’t matter how strong the password and how strong the hashing …[Read more]
Day-to-day database operation requires, from an administrator, deep knowledge of db internals and security issues, in particular things like SQL injections. In order to prevent such kind of an attack, we have included go-sql-driver into our code for secure placeholder escaping.
Unfortunately, not all cases are secured by the driver.
In case we are using the standard driver for working with MySQL, if we need to pass a variable to the database query, we use a placeholder “?” in order for the server to understand that it needs to process the incoming variable to avoid injection. It works fine with just regular SELECT/INSERT/UPDATE statements, but, unfortunately, MySQL server is not able to process all types of queries.
db.Exec("CREATE USER ?@? IDENTIFIED BY ?", name, host, pass)
This query will return an error from the …[Read more]
In systems nowadays, improving security is a must! One of the weakest links in the security system is the user password from where an attacker can enter. In order to improve password strength and security, MySQL provides a plugin called “Validation plugin” which can be configured to enforce a set of rules for passwords.
The plugin can be enabled by executing the following at runtime:
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
Or by adding the plugin in the configuration file, but this requires bouncing MySQL for it to take effect:
It’s also suggested to add the following variable in my.cnf so that the plugin cannot be removed at runtime (also requires a MySQL bounce to take effect):
Checking Installation …[Read more]
MySQL, arguably the most popular relational database, is used pretty extensively at the popular professional social network LinkedIn. At Percona Live ONLINE 2020, the company’s flagship event held online for the first time due to the Covid-19 pandemic, Karthik Appigatla from LinkedIN’s database SRE team discussed the company’s approach to securing their database deployment without introducing operational hiccups or adversely affecting performance.
Instead of just performing admin duties, Karthik’s team builds automated tools to scale their infrastructure, and he talked about some of these tailored tools in his presentation. The database SREs on his team also work with the developers at LinkedIn and help them streamline their applications to make best use of the database.
Talking about LinkedIn’s reliance on MySQL, Karthik said that not only do all their infrastructural tools rely on MySQL, many of the internal …[Read more]
DBA can configure user accounts such that too many consecutive login failures cause temporary account locking.
The post MySQL Security - Failed-Login Tracking and Temporary Account Locking first appeared on dasini.net - Diary of a MySQL expert.
The authentication, the first level of security for each IT system, is the stage to verify the user identity through the basic username and password scheme. It is crucial to have a mechanism to protect and secure password storing and transmitting over network.
In MySQL, there is plenty of different authentication methods available, and last versions improved the security of this concept.
At the beginning, the mechanism, called mysql_old_password, was pretty insecure: it’s based on a broken hashing function and the password is 16 bytes long. It was not so complex for attackers to find a plaintext password from the hash stored in the password column of …
10 Older Entries »