Ronald Bradford, Colin Charles
Percona Live Europe
Dublin 2017
$ wget https://bit.ly/dockerhelper
$ source dockerhelper
$ docker_mysql | docker_percona | docker_mariadb
● You can also naturally just have a MySQL instance on your computer or cloud
$ echo -n "test123" | sha1sum | cut -c1-40 | xxd -p -r | sha1sum | cut -c1-40 | tr '[a-z]' '[A-Z]'
676243218923905CF94CB52A3C9D3EB30CE8E20D
$ strings user.MYD
localhost
root*676243218923905CF94CB52A3C9D3EB30CE8E20D
...
https://en.wikipedia.org/wiki/Secure_Hash_Algorithms
plugin
unspecified
plugin specified
https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html#sysvar_validate_password_policy
https://dev.mysql.com/doc/refman/5.7/en/encryption-functions.html#function_validate-password-strength
https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_old_passwords
https://dev.mysql.com/doc/refman/5.7/en/password-hashing.html
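The shell pipeline above is exactly MySQL's mysql_native_password scheme. As an added example (not from the slides), the following Python reproduces that hash and audits rows taken from mysql.user for the weak formats the old_passwords and password-hashing links describe; the sample rows other than root are constructed, and the weak-password list is an assumption.

```python
import hashlib
import re

# Added example, not from the slides. mysql_native_password stores
# '*' + upper(hex(SHA1(SHA1(password)))), the value the shell pipeline computes
# and the string that follows "root" in user.MYD.
def mysql_native_password_hash(password: str) -> str:
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def classify_hash(auth: str) -> str:
    """Classify the credential string stored for an account in mysql.user."""
    if auth == "":
        return "empty"         # account has no password at all
    if re.fullmatch(r"\*[0-9A-F]{40}", auth):
        return "native"        # 4.1+ format (mysql_native_password)
    if re.fullmatch(r"[0-9a-f]{16}", auth):
        return "pre41"         # old_passwords=1 format: deprecated and weak
    if auth.startswith("$A$"):
        return "caching_sha2"  # MySQL 8.0 default plugin
    return "unknown"

def verify(password: str, stored: str) -> bool:
    """True if `password` produces the stored mysql_native_password hash."""
    return mysql_native_password_hash(password) == stored

# Constructed sample rows modelled on the `strings user.MYD` output; the root
# hash is the one shown on the slide, the other two rows are made up.
SAMPLE_USERS = [
    ("root", "localhost", "*676243218923905CF94CB52A3C9D3EB30CE8E20D"),
    ("legacy", "%", "5d2e19393cc5ef67"),
    ("nopass", "localhost", ""),
]

def audit_users(rows, known_weak=("test123", "passw0rd1")):
    """Return (user, host, reason) for every account a reviewer should look at."""
    findings = []
    for user, host, auth in rows:
        kind = classify_hash(auth)
        if kind in ("empty", "pre41"):
            findings.append((user, host, kind))
        elif kind == "native":
            # Compare against a short list of known default/test passwords.
            for candidate in known_weak:
                if verify(candidate, auth):
                    findings.append((user, host, "known weak password"))
                    break
    return findings
```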
Be Destructive
https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
$ (mysql -uinsecure -pTest.123 -e "SELECT SLEEP(3)" > /dev/null &); ps -ef | grep mysql
vagrant 2923 1 0 00:08 pts/0 00:00:00 mysql -uinsecure -px xxxxxxxxx -e SELECT SLEEP(3)
$ mysql -uroot -p
root@localhost [(none)]> CREATE USER demo IDENTIFIED BY 'passw0rd1';
$ mysql -udemo -p #passw0rd1
$ mysql -uroot
root@localhost [(none)]> ALTER USER demo PASSWORD EXPIRE;
https://dev.mysql.com/doc/refman/5.7/en/alter-user.html
$ tail -2 /var/log/mysqld.log
2017-09-06T00:39:24.908224Z 16 [Note] Access denied for user 'demo'@'localhost' (using password: NO)
2017-09-06T00:39:37.423691Z 17 [Note] Access denied for user 'demo'@'localhost' (using password: YES)
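Detection logic for log lines like the two above, as an added example that is not part of the slides: it parses MySQL 5.7 error-log "Access denied" entries and flags accounts with repeated failures. The log text is constructed from the two lines shown plus extra lines, and the threshold is an assumption.

```python
import re
from collections import Counter

# Added example, not from the slides. Matches the MySQL 5.7 error-log line
# format shown above: timestamp, connection id, level, then the message.
ACCESS_DENIED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<conn>\d+) \[(?P<level>\w+)\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)"
)

# Constructed sample log: the two slide lines plus a few more for illustration.
SAMPLE_LOG = """\
2017-09-06T00:39:24.908224Z 16 [Note] Access denied for user 'demo'@'localhost' (using password: NO)
2017-09-06T00:39:37.423691Z 17 [Note] Access denied for user 'demo'@'localhost' (using password: YES)
2017-09-06T00:39:38.000000Z 18 [Note] Access denied for user 'demo'@'localhost' (using password: YES)
2017-09-06T00:39:40.100000Z 19 [Note] Access denied for user 'root'@'10.0.0.9' (using password: YES)
2017-09-06T00:40:01.000000Z 20 [Note] Got an error reading communication packets
"""

def parse_denials(text):
    """Return one dict per 'Access denied' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ACCESS_DENIED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def denials_per_account(events):
    """Count denials per (user, host), comparable to denied_connections in
    information_schema.user_statistics on Percona Server."""
    return Counter((e["user"], e["host"]) for e in events)

def suspicious_accounts(events, threshold=3):
    """Accounts at or above the threshold (assumed value) of denials."""
    counts = denials_per_account(events)
    return sorted(acct for acct, n in counts.items() if n >= threshold)
```

Run it over the real file with `suspicious_accounts(parse_denials(open("/var/log/mysqld.log").read()))`; an expired account (ALTER USER ... PASSWORD EXPIRE) shows up here only while clients keep retrying.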
$ mysql -udemo -p
...
$ mysql -uroot -p
percona56 > SELECT user,total_connections,denied_connections,total_ssl_connections FROM information_schema.user_statistics;
+------+-------------------+--------------------+-----------------------+
| user | total_connections | denied_connections | total_ssl_connections |
+------+-------------------+--------------------+-----------------------+
| demo |                 1 |                  0 |                     0 |
| root |                 3 |                  0 |                     0 |
+------+-------------------+--------------------+-----------------------+
2 rows in set (0.00 sec)
http://ronaldbradford.com/blog/why-grant-all-is-bad-2010-08-06/
http://effectivemysql.com/presentation/mysql-idiosyncrasies-that-bite/
$ more /etc/my.cnf
…
[mysqld]
skip-grant-tables
https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables
$ more /etc/my.cnf
…
[mysqld]
init-file=/tmp/password.sql
$ cat /tmp/password.sql
GRANT ALL PRIVILEGES ON *.* TO root@localhost IDENTIFIED BY '<clear-text-password>' WITH GRANT OPTION;
$ mysql -uroot -p
See also: http://code.openark.org/blog/mysql/dangers-of-skip-grant-tables
$ scripts/mysql_install_db --defaults-file=/tmp/my.cnf
$ ls -l /tmp/mysql/user.*
-rw-rw---- 1 320 Feb 13 11:27 /tmp/mysql/user.MYD
-rw-rw---- 1 2048 Feb 13 11:27 /tmp/mysql/user.MYI
-rw-rw---- 1 10630 Feb 13 11:27 /tmp/mysql/user.frm
https://dev.mysql.com/doc/refman/5.6/en/secure-connections.html
https://dev.mysql.com/doc/refman/5.7/en/secure-connections.html
#
T 192.168.42.1:47634 -> 192.168.42.16:3306 [AP] select 'unencrypted'
#
T 192.168.42.16:3306 -> 192.168.42.1:47634 [AP] ! def unencrypted ! !
unencrypted
https://wiki.christophchamp.com/index.php?title=Ngrep
http://infoheap.com/ngrep-quick-start-guide/
# mysql-connector-python: force TLS on the client and verify the server against the CA
import mysql.connector
from mysql.connector.constants import ClientFlag

config = {
    'user': 'ssluser',
    'password': 'asecret',
    'host': '127.0.0.1',
    'client_flags': [ClientFlag.SSL],
    'ssl_ca': '/opt/mysql/ssl/ca.pem',
    'ssl_cert': '/opt/mysql/ssl/client-cert.pem',
    'ssl_key': '/opt/mysql/ssl/client-key.pem',
}
cnx = mysql.connector.connect(**config)
https://dev.mysql.com/doc/connectors/en/connector-net-tutorials-ssl.html
mysql \
-h myinstance.123456789012.us-east-1.rds.amazonaws.com \
--ssl-ca=rds-ca-2015-root.pem \
--ssl-verify-server-cert
https://www.percona.com/doc/percona-pam-for-mysql/index.html
https://dev.mysql.com/doc/refman/5.5/en/pam-pluggable-authentication.html
https://mariadb.com/kb/en/the-mariadb-library/authentication-plugin-pam/
# DO NOT DO THIS
sudo groupadd shadow
sudo usermod -G shadow mysql
grep shadow /etc/group
sudo chgrp shadow /etc/shadow
sudo chmod 440 /etc/shadow
sudo systemctl restart mysqld.service
$ mysql -uexternal
Password:
ERROR 1045 (28000): Access denied for user 'external'@'localhost' (using password: YES)
mysql > SELECT /* Use 5.6 */ host, user, password, plugin, authentication_string, password_expired FROM mysql.user WHERE user='external'\G
*************************** 1. row ***************************
host: localhost
user: external
password:
plugin: auth_pam
authentication_string:
password_expired: N
1 row in set (0.00 sec)
https://mariadb.com/kb/en/the-mariadb-library/password-authentication-and-encryption-plugins/
maria101 > CREATE USER demo@localhost IDENTIFIED VIA ed25519 USING 'CobnFnV6aei4yy55u90XPFUeBRMBSPtZazzJq8kLHNE';
$ whoami
vagrant
$ mysql -unotvagrant
ERROR 1698 (28000): Access denied for user 'notvagrant'@'localhost'
OS
● Installation
● Configuration
● Log format
plugin-load=AUDIT=libaudit_plugin.so
audit_offsets=6992, 7040, 4000, 4520, 72, 2704, 96, 0, 32, 104, 136, 7128, 4392, 2800, 2808, 2812, 536, 0, 0, 6360, 6384, 6368, 13048, 548, 516
https://dev.mysql.com/doc/refman/5.5/en/audit-log.html
https://www.percona.com/doc/percona-server/5.5/management/audit_log_plugin.html
https://www.percona.com/blog/2014/05/16/introduction-to-the-percona-mysql-audit-log-plugin/
https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/
https://dev.mysql.com/doc/refman/5.5/en/audit-log-file.html
{"audit_record":{"name":"Ping","record":"3417_2017-09-25T13:37:27","timestamp":"2017-09-25T13:37:29 UTC","command_class":"error","connection_id":"1","status":0,"sqltext":"","user":"root[root] @ localhost []","host":"localhost","os_user":"","ip":"","db":""}}
{"audit_record":{"name":"Quit","record":"3418_2017-09-25T13:37:27","timestamp":"2017-09-25T13:37:29 UTC","connection_id":"1","status":0,"user":"root","priv_user":"root","os_login":"","proxy_user":"","host":"localhost","ip":"","db":""}}
"Connect","4915_2017-09-25T13:39:34","2017-09-25T13:39:38 UTC","1",0,"root","root","","","localhost","",""
"Ping","4916_2017-09-25T13:39:34","2017-09-25T13:39:38 UTC","error","1",0,"","root[root] @ localhost []","localhost","","",""
https://mariadb.com/kb/en/library/mariadb-audit-plugin-log-format/
● Key management
https://www.percona.com/blog/2017/06/06/mysql-encryption-at-rest-part-1-luks/
https://mariadb.com/kb/en/mariadb/roles_overview/
https://dev.mysql.com/doc/refman/8.0/en/roles.html
● https://mariadb.com/resources/blog/maxscale-firewall-filter
● https://www.mysql.com/products/enterprise/firewall.html
● https://www.datasunrise.com/firewall/percona/
#PerconaLive @RonaldBradford @bytebot
MariaDB MaxScale
● Pre-2.0, GPLv2; post-2.0 BSL license (also, performance improvements; SQLite parser)
● The database firewall filter is used to block queries that match a set of rules. It can be used to prevent harmful queries from reaching the backend database instances or to limit access to the database based on a more flexible set of rules compared to the traditional GRANT-based privilege system. Currently the filter does not support multi-statements.
● Needs configuration via whitelist/blacklist
● Data masking - possible to obfuscate the returned value of a particular column (e.g. don’t allow SSN numbers to go back)
https://medium.com/airbnb-engineering/unlocking-horizontal-scalability-in-our-web-serving-tier-d907449cdbcf
● MFA
http://effectivemysql.com/downloads/MySQLSecurityEssentialsPerconaLive2015.pdf
● OS
● Database
● Application Stack
http://dev.mysql.com/doc/refman/5.6/en/security.html
http://dev.mysql.com/doc/refman/5.7/en/security.html
SAVE THE DATE! April 23-25, 2018
Santa Clara Convention Center
CALL FOR PAPERS OPENING SOON!
www.perconalive.com
Rate us! Thanks/Q&A