
UNIVERSITY OF INFORMATION TECHNOLOGY, VNU-HCM (ĐHQG TPHCM)

DATABASE SECURITY
MYSQL SECURITY
Lab 3 for the course Building Policy Standards for Enterprises (Xây Dựng Chuẩn Chính Sách Cho Doanh Nghiệp). Supervising lecturer: Nguyn Duy. Students:
08520260 Nguyn Th Nguyn
08520386 Phm Minh Thnh
08520047 Trnh Xun Cng

4/2012

MMT03 - UNIVERSITY OF INFORMATION TECHNOLOGY, VNU-HCM

Contents

Preface
I. Overview of security in MySQL
  1. Security in brief
  2. Password security in MySQL
     Password security for administrative accounts
     Protecting user passwords
     Password hashes in MySQL
  3. Protecting MySQL against attackers
  4. Security with mysqld
  5. Security with LOAD DATA LOCAL
  6. Security guidelines for programming
II. The MySQL access privilege system
  1. Privileges provided by MySQL
  2. The grant tables
III. Account management in MySQL
  1. User names and passwords
  2. Adding a new account
IV. Introduction to Acunetix Web Vulnerability Scanner 8

Page 1 BUILDING POLICY STANDARDS FOR ENTERPRISES DATABASE SECURITY


Preface:
Information is always an invaluable asset of an enterprise and must be protected at all costs. However, the ever more demanding business environment requires enterprises to actively share their information with many different parties over the Internet or an intranet (the enterprise's internal network), so protecting information has become more important, and more difficult, than ever. Most enterprises today use database management systems (DBMS) to store all of their valuable information in one place. Obviously, such systems become the focal point of attack for malicious actors. In the mildest case, attacks damage the database system, make it unstable, or cause data loss, stalling the enterprise's daily transactions. More seriously, the enterprise's vital information is disclosed (business strategy, information about customers, suppliers, finances, employee salaries, ...) and sold to competitors. The damage caused by an information leak is enormous, and it is a heavy blow to the enterprise's reputation with customers and partners. The main content of this paper is an analysis of the risks that can harm a database, together with options and recommendations that help protect it. The paper uses the MySQL database management system as its example; other database management systems, however, have similar options.



I. Overview of security in MySQL

1. Security in brief
Generally speaking, the host that stores the data (not only the MySQL server) always needs full protection against application-level attacks such as eavesdropping, tampering, replay, and denial of service. Security in MySQL is fundamentally based on Access Control Lists (ACLs) for all connections, queries, and other operations that a user may attempt. It also supports SSL-encrypted connections between MySQL clients and the server. The discussion here is not specific to MySQL: the same main ideas apply to most database applications. When using MySQL, keep the following in mind:
- Do not give anyone (except the root account) access to the user table in MySQL. This is important.
- Learn the MySQL privilege system. Use the GRANT and REVOKE statements to control access to MySQL. Do not grant more privileges than necessary. Never grant privileges to all hosts.
- Do not store plaintext passwords in the database. If your computer is compromised, the intruder can take the full list of passwords and use them. Instead, use SHA1(), MD5(), or some other hashing function and store the password hash.
- Do not use a password that appears in a dictionary. Some cracking programs can find such passwords. For example, "xfish98" is a very weak password because it contains the word "fish". A simple way to create a hard-to-guess password is to take the first letter of each word of a sentence. For example, the sentence "hôm nay là một ngày đẹp trời" (today is a beautiful day) gives the password "hnl1ndt". It is easy to remember and yet very hard to guess.
- Install a firewall. It can block 50% of attacks of all kinds. Put MySQL behind the firewall or in a DMZ.
- Do not transmit plaintext (unencrypted data) over the Internet. Use an encrypted protocol such as SSL or SSH to encrypt the data. MySQL has built-in support for SSL connections. Another technique is SSH port forwarding, which creates an encrypted (and compressed) tunnel for the connection.
- Learn the tcpdump and strings utilities. In most cases you can check whether your data is encrypted with a command such as:
shell> tcpdump -l -i eth0 -w - src or dst port 3306 | strings
The command above works on Linux and, with minor changes, on other operating systems.



2. Password security in MySQL


Password security for administrative accounts
Administrators can follow these guidelines to keep passwords safe:
- MySQL stores all accounts in the user table. Do not grant access to this table to any account that is not an administrative account.
- A user who can access and modify the plugin directory (the value of the plugin_dir system variable) or the my.cnf file can replace, add, and modify plugins.
- Passwords can appear in plaintext in SQL statements such as CREATE USER, GRANT, and SET PASSWORD, or in statements that invoke PASSWORD(). If such statements are logged by the MySQL server, the passwords are exposed to anyone who can read those logs. This applies to the general query log, the slow query log, and the binary log (see Section 5.2, MySQL Server Logs, in the MySQL Manual). To prevent unwanted exposure of the log files, store them in directories that only the server and administrative accounts can access. Database backups that contain these tables or log files must also be stored with care.

Protecting user passwords
When you run a client program to connect to the MySQL server, you may inadvertently expose your password to other people. The ways in which you can expose your password when running a client program are listed here.
- Using the -pyour_pass or --password=your_pass option on the command line. For example:
shell> mysql -u francis -pfrank db_name
This is convenient but insecure, because your password is visible on the screen and can be stolen by anyone looking at the command line. Some client programs overwrite the argument characters as soon as they are typed, but there is still a brief interval during which they are visible. If your operating system displays the current command line in the title bar of the terminal window, the password remains visible while the program runs. Furthermore, the terminal window can be scrolled back to review earlier commands.
- Using the -p or --password option with no value, in which case the program prompts for the password:
shell> mysql -u francis -p db_name
Enter password: ********


The * characters show you where you are typing the password; the password itself is not echoed. This is safer than putting the password on the command line, because it is hidden from other people. However, this way of entering the password is suitable only for systems you interact with directly. If you want to run the client program from a script, there is no opportunity to type the password at the keyboard.
- Storing the password in an option file. For example, on Unix you can list the password in the [client] section of the .my.cnf file in your home directory:
[client]
password=your_pass
To keep the password safe, do not give anyone but yourself access to this file. To be sure, set the file mode to 400 or 600:
shell> chmod 600 .my.cnf
To specify on the command line exactly which option file holds the password, use the --defaults-file=file_name option, where file_name is the full path of the file. For example:
shell> mysql --defaults-file=/home/francis/mysql-opts
- Storing the password in the MYSQL_PWD environment variable. This way of specifying your password is considered extremely insecure and should not be used. Your password is exposed if anyone can inspect the environment of running processes.

Password hashes in MySQL
The list of MySQL user accounts is stored in the user table of the mysql database. Each account is assigned a password, which is stored in the Password column of the user table, not in plaintext but as a hash. The hash value is computed by the PASSWORD() function. MySQL uses passwords in two phases of client/server communication. When a client attempts to connect to the server, there is an authentication step in which the client must present a password whose hash matches the hash stored in the user table for the account the client wants to use. After the client has connected, it can (if it has sufficient privileges) set or change the password hashes of the accounts listed in the user table. The client can do this by using the PASSWORD() function to generate a password hash, or by using the GRANT or SET PASSWORD statement. For example, set the password of an account with SET PASSWORD FOR as follows:


The PASSWORD() function generates the hash of the string nguyen and stores it in the user table. We can check the result as follows:

With MySQL 4.1.1 and earlier, the password hash is only 16 characters long. With newer versions, the hash is 41 characters long, as shown in the figure.
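The two hash formats just described, and the connection-time check from the paragraph above, as an added Python example that is not code from the report: it reproduces the pre-4.1 16-character hash and the 4.1+ 41-character hash, and walks through the 4.1+ challenge/response so that the server can verify the stored hash without the password ever crossing the wire. The sample password nguyen and the fixed 20-byte challenge are constructed for the example.

```python
import hashlib
import hmac

# Added example, not from the report: the two MySQL password hash formats
# discussed above and the 4.1+ challenge/response check. Sample password
# 'nguyen' and the fixed challenge below are constructed for the example.


def old_password_hash(password: str) -> str:
    """Pre-4.1 format: 16 hex digits (what --old-passwords still produces).
    Spaces and tabs in the password are skipped, as in the original routine."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in (" ", "\t"):
            continue
        c = ord(ch)
        nr ^= ((((nr & 63) + add) * c) + (nr << 8)) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += c
    # the sign bit of each 32-bit half is dropped before formatting
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def native_password_hash(password: str) -> str:
    """4.1+ format: '*' followed by SHA1(SHA1(password)) as uppercase hex,
    41 characters in total. This is what PASSWORD() stores in mysql.user."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def client_token(password: str, challenge: bytes) -> bytes:
    """Client side of the 4.1+ handshake: the server sent a 20-byte random
    challenge; the client answers with
    SHA1(pw) XOR SHA1(challenge + SHA1(SHA1(pw))).
    Neither the password nor its stored hash is sent."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mix = hashlib.sha1(challenge + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mix))


def server_verify(stored_hash: str, challenge: bytes, token: bytes) -> bool:
    """Server side: it knows only the stored hash (stage2). XORing the token
    with SHA1(challenge + stage2) recovers SHA1(pw); hashing that once more
    must reproduce the stored value. A wrong password, or a token replayed
    against a different challenge, fails."""
    stage2 = bytes.fromhex(stored_hash[1:])
    mix = hashlib.sha1(challenge + stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(token, mix))
    return hmac.compare_digest(hashlib.sha1(stage1).digest(), stage2)


# Constructed challenge; a real server draws 20 random bytes per connection.
CHALLENGE = bytes(range(20))


def demo(password: str = "nguyen") -> dict:
    """Runs one full exchange and the two failure cases."""
    stored = native_password_hash(password)
    token = client_token(password, CHALLENGE)
    return {
        "old_hash": old_password_hash(password),
        "new_hash": stored,
        "accepted": server_verify(stored, CHALLENGE, token),
        "wrong_password": server_verify(stored, CHALLENGE,
                                        client_token("guess", CHALLENGE)),
        "replayed": server_verify(stored, bytes(20), token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A captured token is useless later because the challenge changes on every connection, which is why the text can say the password is not sent in cleartext; the old 16-character format has no such exchange, which is why the report recommends upgrading away from it.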

3. Protecting MySQL against attackers


When you connect to a MySQL server, you must use a password. The password is not transmitted in cleartext over the connection. Password handling during the client connection process was upgraded in version 4.1.1 and is very secure. If you still use password hashes from version 4.1.1 or earlier, the encryption algorithm is not as strong as the newer one: an attacker who captures the packets exchanged between client and server may be able to crack the password. All other information is transmitted as text and can be read by anyone able to watch the connection. If the connection between client and server passes through an untrusted network, you can use a compression algorithm to make the traffic harder to decipher. You can also use MySQL's built-in SSL support to make the connection more secure. Furthermore, SSH can be used to encrypt the TCP/IP connection between the client and the MySQL server. An open-source SSH client is available at http://www.openssh.org and a commercial one at http://www.ssh.com. To make your MySQL system more secure, consider the following:
- Require all accounts to have a password.
- Do not run the MySQL server as the root account on Unix systems, because any user with the FILE privilege could then harm the system by creating files as root. To prevent this, mysqld refuses to run as root unless that is specified explicitly with the --user=root option.
- Do not grant the PROCESS or SUPER privilege to accounts that are not administrators. The SHOW PROCESSLIST statement shows the statements currently being executed, so anyone allowed to view the server's processes can see the statements issued by other users, for example UPDATE user SET password=PASSWORD('not_secure').

- Do not grant the FILE privilege to accounts that are not administrators. Any user with this privilege can create a file anywhere on the file system with the privileges of the account under which mysqld runs. The FILE privilege can also be used to read any world-readable file, or any file readable by the server's Unix account. This can be abused, for example, by using LOAD DATA to load /etc/passwd into a table, which can then be read with SELECT.
- If you do not trust your DNS, use IP addresses rather than host names in the grant tables.
- If you want to limit the number of connections permitted from a single account, you can do so by setting the max_user_connections variable in mysqld.

4. Security with mysqld
Summary table of the security-related options and variables:

Name                              Cmd-Line  Option File  System Var  Status Var  Var Scope  Dynamic
allow-suspicious-udfs             Yes       Yes
automatic_sp_privileges                                  Yes                     Global     Yes
chroot                            Yes       Yes
des-key-file                      Yes       Yes
local-infile                      Yes       Yes
 - Variable: local_infile                                Yes                     Global     Yes
old-passwords                     Yes       Yes
 - Variable: old_passwords                               Yes                     Both       Yes
safe-show-database                Yes       Yes
safe-user-create                  Yes       Yes
secure-auth                       Yes       Yes
 - Variable: secure_auth                                 Yes                     Global     Yes
secure-file-priv                  Yes       Yes
 - Variable: secure_file_priv                            Yes                     Global     No
skip-grant-tables                 Yes       Yes
skip-name-resolve                 Yes       Yes
 - Variable: skip_name_resolve                           Yes                     Global     No
skip-networking                   Yes       Yes
 - Variable: skip_networking                             Yes                     Global     No
skip-show-database                Yes       Yes
 - Variable: skip_show_database                          Yes                     Global     No


- --allow-suspicious-udfs: controls whether user-defined functions that have only an xxx symbol for the main function can be loaded. By default, the option is off.
- --local-infile[={0|1}]: if you run the server with --local-infile=0, clients cannot use LOCAL in LOAD DATA statements.
- --old-passwords: makes the server generate short (pre-4.1) password hashes for new passwords. This is useful for compatibility with older servers.
- --safe-user-create: when enabled, a user cannot create a new MySQL user with the GRANT statement unless the user has the INSERT privilege on the mysql.user table or on any column of it. If you want a user to be able to create other users, grant it the following privilege:
GRANT INSERT(user) ON mysql.user TO 'user_name'@'host_name';
This ensures that the user cannot change any privilege column directly, but can still use GRANT to give privileges to other users.
- --secure-auth: disallows authentication for accounts that have old-format (pre-4.1) passwords.
- --secure-file-priv=path: limits the LOAD_FILE() function and the LOAD DATA and SELECT ... INTO OUTFILE statements to files in the specified directory. This option was added in MySQL 5.1.17.
- --skip-grant-tables: makes the server start without using the privilege system, which gives anyone who connects to the server unrestricted access to all databases. You can make a running server start using the grant tables again with mysqladmin flush-privileges or mysqladmin reload from a system shell. This option does not work if MySQL was configured with --disable-grant-options.
- --skip-merge: disables the MERGE storage engine. This option was added in MySQL 5.1.12 and removed in 5.1.14.
- --skip-name-resolve: do not resolve host names. All values in the Host column of the grant tables must then be IP addresses or localhost.
- --skip-networking: do not permit TCP/IP connections over the network. All connections to mysqld must be made through Unix socket files.
- --skip-show-database: with this option, the SHOW DATABASES statement is permitted only to accounts that have the SHOW DATABASES privilege, and the statement displays the names of all databases. Without this option, SHOW DATABASES is permitted to all users, but displays only the databases for which the user has some privilege.
- --ssl: permits clients to connect to the server using SSL, and specifies where to find the SSL keys and certificates. Details are given in section 3.
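An added Python example, not from the report, that audits a [mysqld] section for the options listed in this section and also performs the option-file permission check from section 2 (the mode-400-or-600 rule for a [client] file holding password=). Both my.cnf fragments are constructed for the example, and the directory /var/lib/mysql-files used for secure-file-priv is an assumed value.

```python
import os
import stat
import tempfile
from configparser import ConfigParser

# Added example, not from the report: a small audit of the [mysqld] options
# covered in this section, plus the client option-file permission check from
# section 2. Both my.cnf fragments below are constructed for the example.

WEAK_MYSQLD = """\
[mysqld]
skip-grant-tables
local-infile=1
old-passwords
"""

HARDENED_MYSQLD = """\
[mysqld]
local-infile=0
secure-auth
secure-file-priv=/var/lib/mysql-files
skip-show-database
skip-networking
"""


def parse_mysqld(text: str) -> dict:
    """my.cnf is INI-like. Options may be spelled with '-' or '_', and may
    stand alone (boolean switch) or carry a value; bare options map to None."""
    cp = ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("_", "-"): v for k, v in cp.items("mysqld")}


def audit_mysqld(text: str) -> list:
    """Returns (option, message) pairs in a fixed order; empty means clean."""
    opts = parse_mysqld(text)
    findings = []
    if "skip-grant-tables" in opts:
        findings.append(("skip-grant-tables",
                         "privilege system off: anyone who connects has full access"))
    if opts.get("local-infile", "1") != "0":     # enabled unless set to 0
        findings.append(("local-infile",
                         "LOAD DATA LOCAL allowed; set local-infile=0 unless clients need it"))
    if "old-passwords" in opts:
        findings.append(("old-passwords",
                         "new passwords get the weak 16-character hash"))
    if "secure-auth" not in opts:
        findings.append(("secure-auth",
                         "accounts with old-format hashes can still log in"))
    if not opts.get("secure-file-priv"):
        findings.append(("secure-file-priv",
                         "LOAD DATA INFILE, SELECT ... INTO OUTFILE and LOAD_FILE() "
                         "are not confined to one directory"))
    if "skip-show-database" not in opts:
        findings.append(("skip-show-database",
                         "SHOW DATABASES is open to every account"))
    return findings


def option_file_is_private(path: str) -> bool:
    """A [client] file that holds password= must be mode 400 or 600."""
    return stat.S_IMODE(os.stat(path).st_mode) in (0o400, 0o600)


def write_client_option_file(directory: str, password: str, mode: int) -> str:
    """Writes a .my.cnf with the given mode (the password is a sample value)."""
    path = os.path.join(directory, ".my.cnf")
    with open(path, "w") as fh:
        fh.write("[client]\npassword=%s\n" % password)
    os.chmod(path, mode)
    return path


def permission_demo() -> tuple:
    """Creates a constructed .my.cnf that is world-readable, then applies the
    equivalent of 'chmod 600 .my.cnf'; returns (private_before, private_after)."""
    with tempfile.TemporaryDirectory() as directory:
        path = write_client_option_file(directory, "your_pass", 0o644)
        before = option_file_is_private(path)
        os.chmod(path, 0o600)
        after = option_file_is_private(path)
    return before, after


if __name__ == "__main__":
    for option, message in audit_mysqld(WEAK_MYSQLD):
        print("weak config: %s: %s" % (option, message))
    print("hardened config findings:", audit_mysqld(HARDENED_MYSQLD))
    print("option file private before/after chmod 600:", permission_demo())
```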

5. Security with LOAD DATA LOCAL
The LOAD DATA statement can load a file located on the server host, or, when the LOCAL keyword is present, a file located on the client host.

There are two main issues with supporting LOCAL in LOAD DATA:
- The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could tell the client program to transfer a file of the server's choosing rather than the file named in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access.
- In a Web environment where the clients connect from a Web server, a user could use LOAD DATA LOCAL to read any file that the Web server process has read access to (assuming that the user could run any statement against the MySQL server). In this environment, the client with respect to the MySQL server is actually the Web server, not the remote user connecting to the Web server.

To deal with these issues, the handling of LOAD DATA LOCAL was changed as follows in MySQL 3.23.49 and MySQL 4.0.2 (4.0.13 on Windows):
- By default, all MySQL clients and libraries in binary distributions are compiled with the --enable-local-infile option, for compatibility with MySQL 3.23.48 and earlier.
- If you build MySQL from source without the --enable-local-infile configure option, LOAD DATA LOCAL cannot be used by any client unless it is written explicitly to invoke mysql_options(... MYSQL_OPT_LOCAL_INFILE, 0).
- You can disable LOAD DATA LOCAL on the server side by starting mysqld with the --local-infile=0 option.

6. Security guidelines for programming


Applications that access MySQL should not trust any data entered by users, who may try to trick your code by entering special characters through Web forms, URLs, or any other application. Make sure your application stays secure if a user enters something like ; DROP DATABASE mysql;. This is one example, but large security holes and data loss can occur when an attacker uses similar techniques, commonly called SQL injection. A common mistake is to check only string data. Remember to check numeric data too. If a program builds a query such as SELECT * FROM table WHERE ID=234, and instead of 234 the user enters 234 OR 1=1, the resulting query is SELECT * FROM table WHERE ID=234 OR 1=1 and the server returns every row in the table. The simplest protection against this kind of attack is to put quotes around numeric constants: SELECT * FROM table WHERE ID='234'. Whatever the user enters is then treated as a string. If the content is numeric, MySQL automatically converts the string to a number and strips any trailing characters from it.

Some people think that if a database contains only public information, it need not be protected. This is wrong. Even if it is acceptable to display every row, you still have to protect the database against denial-of-service attacks. Checks:
- Enable strict SQL mode to tell the server to be more restrictive about the data values it accepts.
- Try entering single and double quotes (' and ") into all your Web forms. If you get any kind of SQL error, there is a problem.
- Try modifying dynamic URLs by adding %22 ("), %23 (#), and %27 (').
- Try modifying the data types in dynamic URLs from numeric to character, as in the example above. Your application must be safe against such attacks.
- Try entering characters, spaces, and special symbols instead of numbers in numeric fields. Your application must remove them before passing the value to the MySQL server, or it will produce an error. Passing unchecked values to MySQL is very dangerous.
- Check data sizes before passing them to MySQL.
- Do not let your application connect to the database using the administrator account. Do not give the application any privilege it does not need.

Many application programming interfaces provide a means of escaping special characters in data values. Use them to prevent application users from entering values that give your statements a different meaning than you intended:
- MySQL C API: use the mysql_real_escape_string() API call to strip out special characters.
- MySQL++: use the escape and quote modifiers for query streams.
- PHP: use either the mysqli or the pdo_mysql extension.
- Perl DBI: use placeholders or the quote() method.
- Java JDBC: use a PreparedStatement object and placeholders.

Other programming interfaces may have similar capabilities.
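The ID=234 OR 1=1 case and the quote and data-type probes listed above, reproduced as an added example (Python, not the report's code) against an in-memory SQLite table standing in for MySQL; the table contents and the probe strings are constructed here. Note one difference from the text: SQLite does not coerce '234 OR 1=1' to 234 the way MySQL does, so the quoted form is shown only as the generated SQL string.

```python
import re
import sqlite3

# Added example, not the report's code: the ID=234 OR 1=1 case and the
# quote/number probes from this section, run against an in-memory SQLite
# table that stands in for MySQL. Table rows and probe strings are constructed.


def build_table() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)",
                     [(1, "first"), (234, "target"), (500, "third")])
    return conn


def vulnerable_lookup(conn, user_input: str) -> list:
    """The mistake described above: the 'number' is pasted into the SQL text,
    so '234 OR 1=1' widens the WHERE clause to every row."""
    sql = "SELECT id FROM t WHERE id=" + user_input + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, user_input: str) -> list:
    """Numeric input is validated, then bound as a parameter (the same idea as
    PreparedStatement placeholders); the value can never alter the SQL."""
    if not re.fullmatch(r"[0-9]{1,10}", user_input):
        raise ValueError("ID must be a number")
    rows = conn.execute("SELECT id FROM t WHERE id=? ORDER BY id",
                        (int(user_input),))
    return [row[0] for row in rows]


def mysql_escape(value: str) -> str:
    """Escapes the characters that mysql_real_escape_string() escapes. This is
    only safe inside a quoted literal, which is the 'quote the constant' advice."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def quoted_lookup_sql(user_input: str) -> str:
    """The quoted form from the text. MySQL would coerce '234 OR 1=1' to 234
    (with a warning); either way the input stays inside the string literal."""
    return "SELECT id FROM t WHERE id='" + mysql_escape(user_input) + "'"


# Constructed probes: the normal value, the OR trick, the quote checks and a
# data-type change from number to characters.
PROBES = ["234", "234 OR 1=1", "234'", '234"', "abc"]


def probe(conn, lookup) -> dict:
    """The checks listed above, automated: each probe maps to the returned ids
    or to the error it caused. With the vulnerable function the quote probes
    raise SQL errors and the OR probe returns everything; the safe function
    rejects every non-numeric probe before it reaches the database."""
    results = {}
    for p in PROBES:
        try:
            results[p] = lookup(conn, p)
        except (sqlite3.Error, ValueError) as exc:
            results[p] = "error: " + type(exc).__name__
    return results


if __name__ == "__main__":
    conn = build_table()
    print("vulnerable:", probe(conn, vulnerable_lookup))
    print("safe:      ", probe(conn, safe_lookup))
    print(quoted_lookup_sql("234 OR 1=1"))
```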

II. The MySQL access privilege system


The primary function of the MySQL privilege system is to authenticate a user who connects from a given host and to grant that user privileges on a database, such as SELECT, INSERT, UPDATE, and DELETE. Additional functionality includes the ability to have anonymous users and to grant privileges for MySQL-specific functions such as LOAD DATA INFILE and administrative operations. There are some things you cannot do with the MySQL privilege system:


- You cannot explicitly specify that a given user should be denied access. That is, you cannot explicitly match a user and then refuse the connection.
- You cannot specify that a user has privileges to create or drop tables in a database but not to create or drop the database itself.
- A password applies globally to an account. You cannot associate a password with a specific object such as a database, table, or routine.

MySQL identifies you by both your user name and your host name, because there is no reason to assume that a given user name belongs to the same person on all hosts. For example, the user joe who connects from office.example.com need not be the same person as the user joe who connects from home.example.com. MySQL handles this by letting you distinguish users on different hosts who happen to have the same name: you can grant one set of privileges to joe connecting from office.example.com and a different set to joe connecting from home.example.com. To see what privileges an account has, use the SHOW GRANTS statement. For example:
SHOW GRANTS FOR 'joe'@'office.example.com';
SHOW GRANTS FOR 'joe'@'home.example.com';
MySQL access control involves two stages when you run a client program that connects to the server:
Stage 1: the server accepts or rejects the connection based on your identity and on whether you can verify that identity with the correct password.
Stage 2: assuming that you connect successfully, the server checks each statement you issue to determine whether you have sufficient privileges to execute it.
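The two stages of access control and the joe@office / joe@home distinction, modelled as an added Python example (not from the report) over a constructed in-memory copy of the user table. The hosts, the sample passwords, the privilege sets and the anonymous localhost row are assumptions made for the example; the most-specific-first ordering of rows is how the server matches connections.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the report: a model of the two access-control
# stages described above, run over a constructed copy of mysql.user. Hosts,
# passwords and the anonymous localhost row are assumptions for the example.


def password_hash(password: str) -> str:
    """4.1+ PASSWORD() format: '*' + SHA1(SHA1(pw)) hex; '' means no password."""
    if password == "":
        return ""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


@dataclass(frozen=True)
class UserRow:
    host: str            # Host column; may contain the LIKE wildcards % and _
    user: str            # User column; '' is an anonymous-user row
    password: str        # Password column (hash, or '' for none)
    privs: frozenset     # global privileges granted ON *.*


USER_TABLE = [
    UserRow("%", "joe", password_hash("any_pw"), frozenset({"SELECT"})),
    UserRow("office.example.com", "joe", password_hash("office_pw"),
            frozenset({"SELECT", "INSERT", "UPDATE"})),
    UserRow("home.example.com", "joe", password_hash("home_pw"),
            frozenset({"SELECT"})),
    UserRow("localhost", "", "", frozenset()),   # anonymous, no password
]


def host_matches(pattern: str, host: str) -> bool:
    """Host values are matched LIKE-style: % is any string, _ one character."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def sort_key(row: UserRow):
    """The server sorts the user table most-specific-first: literal hosts
    before wildcard hosts, then named users before the anonymous user."""
    return (row.host.count("%") + row.host.count("_"), row.user == "")


def stage1_connect(table: List[UserRow], user: str, host: str,
                   password: str) -> Optional[UserRow]:
    """Stage 1: the FIRST row whose host and user match is the only one tried.
    If its password does not match, the connection is refused, even when a
    later, less specific row would have accepted the same credentials."""
    for row in sorted(table, key=sort_key):
        if row.user in ("", user) and host_matches(row.host, host):
            return row if row.password == password_hash(password) else None
    return None


def stage2_allows(row: UserRow, needed: str) -> bool:
    """Stage 2: each statement needs its privilege in the matched row."""
    return "ALL" in row.privs or needed in row.privs


def show_grants(row: UserRow) -> str:
    """What SHOW GRANTS would print for this row (global level only)."""
    privs = ", ".join(sorted(row.privs)) if row.privs else "USAGE"
    return "GRANT %s ON *.* TO '%s'@'%s'" % (privs, row.user, row.host)


def can_run(user: str, host: str, password: str, needed: str) -> bool:
    """Both stages together, as the server applies them to one statement."""
    row = stage1_connect(USER_TABLE, user, host, password)
    return row is not None and stage2_allows(row, needed)


if __name__ == "__main__":
    for row in USER_TABLE:
        print(show_grants(row))
    print("joe@office INSERT:", can_run("joe", "office.example.com", "office_pw", "INSERT"))
    print("joe@home INSERT:  ", can_run("joe", "home.example.com", "home_pw", "INSERT"))
    print("joe@localhost with his '%' password:",
          stage1_connect(USER_TABLE, "joe", "localhost", "any_pw"))
```

The last line of the demo shows why section III.1 insists on passwords for every account: the passwordless anonymous row sorts ahead of 'joe'@'%' for local connections, so it both lets anyone in from localhost with no privileges and blocks joe's own wildcard account there.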

1. Privileges provided by MySQL


MySQL provides privileges that apply in different contexts and at different levels of operation:
- Administrative privileges enable users to manage the operation of the MySQL server. These privileges are global because they are not specific to any particular database.
- Database privileges apply to a database and to all objects within it. They can be granted for a specific database, or globally so that they apply to all databases.
- Privileges for database objects such as tables, indexes, views, and stored routines can be granted for specific objects within a database, for all objects of a given type within a database (for example, all tables in a database), or globally for all objects of a given type in all databases.

Information about account privileges is stored in the user, db, host, tables_priv, columns_priv, and procs_priv tables of the mysql database (see the section on the grant tables). The MySQL server reads the contents of these tables into memory when it starts and reloads them under the circumstances described in section 6, When Privilege Changes Take Effect. Access-control decisions are based on the in-memory copies of the grant tables. The following table shows the privilege names used at the SQL level in the GRANT and REVOKE statements, the column associated with each privilege in the grant tables, and the context in which each privilege applies:

Privilege                 Column                  Context
CREATE                    Create_priv             databases, tables, or indexes
DROP                      Drop_priv               databases, tables, or views
GRANT OPTION              Grant_priv              databases, tables, or stored routines
LOCK TABLES               Lock_tables_priv        databases
REFERENCES                References_priv         databases or tables
EVENT                     Event_priv              databases
ALTER                     Alter_priv              tables
DELETE                    Delete_priv             tables
INDEX                     Index_priv              tables
INSERT                    Insert_priv             tables or columns
SELECT                    Select_priv             tables or columns
UPDATE                    Update_priv             tables or columns
CREATE TEMPORARY TABLES   Create_tmp_table_priv   tables
TRIGGER                   Trigger_priv            tables
CREATE VIEW               Create_view_priv        views
SHOW VIEW                 Show_view_priv          views
ALTER ROUTINE             Alter_routine_priv      stored routines
CREATE ROUTINE            Create_routine_priv     stored routines
EXECUTE                   Execute_priv            stored routines
FILE                      File_priv               file access on server host
CREATE USER               Create_user_priv        server administration
PROCESS                   Process_priv            server administration
RELOAD                    Reload_priv             server administration
REPLICATION CLIENT        Repl_client_priv        server administration
REPLICATION SLAVE         Repl_slave_priv         server administration
SHOW DATABASES            Show_db_priv            server administration
SHUTDOWN                  Shutdown_priv           server administration
SUPER                     Super_priv              server administration
ALL [PRIVILEGES]                                  server administration
USAGE                                             server administration

The following list gives a general description of each privilege available in MySQL.

- The ALL or ALL PRIVILEGES privilege specifier is shorthand. It stands for all privileges available at a given privilege level (except GRANT OPTION).
- The ALTER privilege enables the use of ALTER TABLE to change the structure of tables. ALTER TABLE also requires the CREATE and INSERT privileges. Renaming a table requires ALTER and DROP on the old table and ALTER, CREATE, and INSERT on the new table.
- The ALTER ROUTINE privilege is needed to alter or drop stored routines.
- The CREATE privilege enables the creation of new databases and tables.
- The CREATE ROUTINE privilege is needed to create stored routines.
- The CREATE TEMPORARY TABLES privilege enables the creation of temporary tables with the CREATE TEMPORARY TABLE statement.
- The CREATE USER privilege enables the use of CREATE USER, DROP USER, RENAME USER, and REVOKE ALL PRIVILEGES.
- The CREATE VIEW privilege enables the use of CREATE VIEW.
- The DELETE privilege enables rows to be deleted from tables in a database.
- The DROP privilege enables you to drop databases, tables, and views.
- The EVENT privilege is required to create, alter, drop, or view events for the Event Scheduler. This privilege was added in MySQL 5.1.6.
- The EXECUTE privilege is required to execute stored routines.
- The FILE privilege gives you permission to read and write files on the server host using the LOAD DATA INFILE and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function.
- The GRANT OPTION privilege enables you to give to other users, or remove from other users, those privileges that you yourself possess.

2. The grant tables


Normally, you manipulate the contents of the grant tables in the mysql database indirectly, by using statements such as GRANT and REVOKE to set up accounts and control the privileges available to each one. This section describes the structure of the grant tables. The mysql database contains the following tables:
- user: contains the user accounts, their global privileges, and other non-privilege columns.
- db: contains database-level privileges.
- tables_priv: contains table-level privileges.
- columns_priv: contains column-level privileges.
- procs_priv: contains privileges for stored procedures and functions.



III. Account management in MySQL


This chapter describes how to create accounts for clients of a MySQL server. It covers the following topics:
- the meaning of the user names and passwords used by MySQL, and how they differ from the user names of the operating system;
- how to create an account;
- how to change a password;
- guidance on using passwords securely;
- using secure connections with SSL.

1. User names and passwords:


MySQL stores accounts in the user table of the mysql database. An account is defined in terms of a user name and the client host or hosts from which the user can connect to the server. An account may have only one password. There are several distinctions between the way user names and passwords are used by MySQL and the way they are used by the operating system:
- User names, as used by MySQL for authentication, have nothing to do with user names on Unix or Windows. On Unix, most MySQL clients log in by default using the current Unix user name as the MySQL user name, but that is only for convenience. The default can be overridden easily, because client programs permit any user name to be specified with the -u or --user option. Because anyone can attempt to connect to the server with any user name, you cannot make the database secure unless all accounts have passwords. Anyone who specifies a user name for an account that has no password can connect successfully.
- MySQL user names can be up to 16 characters long. Operating system user names, which are unrelated to MySQL user names, may have a different maximum length. For example, Unix user names are typically limited to 8 characters.

2. Adding a new account:
You can create a MySQL account in two ways:
- Use account-creation statements such as CREATE USER or GRANT. When the server executes these statements, it modifies the grant tables accordingly.
- Manipulate the grant tables directly with INSERT, UPDATE, or DELETE statements.

After logging in to the server as root, you can create new users. Use the following CREATE USER and GRANT statements to create four new accounts:
mysql> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';

mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'localhost'
    -> WITH GRANT OPTION;

mysql> CREATE USER 'monty'@'%' IDENTIFIED BY 'some_pass';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'%'
    -> WITH GRANT OPTION;

mysql> CREATE USER 'admin'@'localhost';
mysql> GRANT RELOAD,PROCESS ON *.* TO 'admin'@'localhost';
mysql> CREATE USER 'dummy'@'localhost';
Two of the accounts have the user name monty and the password some_pass. Both are superuser accounts with full privileges to do anything. The 'monty'@'localhost' account can be used only when connecting from the local host. The 'monty'@'%' account uses the '%' wildcard for the host part, so it can be used to connect from any host.

IV. Introduction to Acunetix Web Vulnerability Scanner 8


Acunetix WVS (Web Vulnerability Scanner) is a program that automatically tests Web applications for security holes such as SQL injection or cross-site scripting, and that checks the password policies for logins as well as the authentication methods of a Web site. As is commonly observed, security flaws in Vietnam are concentrated in dangerous holes that any advanced scanning tool can detect. Yet most administrators seem to forget, or are unaware of, these holes, even though they are very easy to find.

Today there are well-known vulnerability scanners such as Shadow Security Scanner, Retina Network Security Scanner, and Metasploit, and more advanced tools that require a certain level of expertise, such as Nmap and Netcat. In this section the group introduces Acunetix WVS, used to scan one's own systems for security flaws. The program's main interface:



The left-hand pane offers a series of tools: Web Scanner, Site Crawler, Target Finder, Subdomain Scanner, and so on; just click on a tool and Acunetix WVS carries out that task. The advantage of this tool is its visual interaction, with no need to remember every command line as with Nmap or Netcat. Acunetix WVS is a Web application vulnerability scanner built on a large, frequently updated database, with heuristic algorithms that cope with the complex behaviour of Web environments. It can automatically check for common holes such as cross-site scripting and SQL injection and for other sensitive points of Web sites that can be reached with a browser, including applications built on advanced techniques such as AJAX. To do this, Acunetix WVS relies on several integrated methods and tools, such as:


Crawling the entire Web site, including every link on the site and those in the robots.txt file, and then displaying the whole structure in detail.

After crawling and discovering the state of the Web application, Acunetix WVS automatically launches pre-programmed attacks based on the vulnerabilities found, as if the site were being attacked by a real hacker, analysing the pages and the places where data can be entered together with various combinations of input data that could make the Web site reveal sensitive information.


Once vulnerabilities are found, Acunetix WVS reports them in the Alerts node; each alert contains information about the flaw and the dangers it may pose.

You can click on each alert to see more details about that type of flaw, as well as recommendations on how to fix it.

When the test has finished, the results can be saved to a file for later analysis; the professional reporting tool helps webmasters easily consolidate the results of different tests of their Web applications. After the scan, Acunetix WVS lists the structure of the site, the Web server version in use, non-existent URLs, the flaws found, and the security level of the scanned site; in the figure you can see a very detailed listing.

The security level of a Web site is rated by Acunetix WVS as low, medium, or high. If your Web site is rated low, fix the flaws Acunetix WVS lists as soon as possible. List of security vulnerabilities checked by Acunetix WVS:
- Code Execution
- Directory Traversal
- File Inclusion
- Script Source Code Disclosure
- CRLF Injection
- Cross Frame Scripting (XFS)
- PHP Code Injection
- XPath Injection
- Full Path Disclosure
- LDAP Injection
- Cookie Manipulation
- Multi-Request Parameter Manipulation
- Blind SQL/XPath Injection
- File Checks
- Checks for Backup Files or Directories: looks for commonly exposed files (such as logs, application traces, CVS web repositories)
- Cross Site Scripting in URL
- Checks Script Errors
- Directory Checks: looks for important files such as logs, traces, CVS
- Discover Sensitive Files/Directories
- Checks for directories with improper permissions (Weak Permissions)
- Cross Site Scripting in Path and PHPSESSID Session Fixation
- Web Applications
- Text Search
- Directory Listings
- Source Code Disclosure
- Common Files check
- Email Addresses check
- Microsoft Office Possible Sensitive Information
- Local Path Disclosure
- Error Messages
- GHDB (Google Hacking Database): over 1200 GHDB search entries in the database

