
[lug-l] Interesting MySQL News Article, Examples



Found a news article that I think some of you will find pretty interesting if you haven't seen it already:
http://arstechnica.com/information-technology/2012/06/security-flaw-in-mysql-mariadb-allows-access-with-any-password-just-keep-submitting-it/

Basically there's a bug in mysql (including the versions that ship with Ubuntu server from 10.04 to 12.04, Debian 5, and some other popular distros) where, if you keep brute-forcing a password to a valid mysql account (such as root), you have a 1/256 chance of getting in even if the password is invalid.  That may seem high to some, but think of multiple computers trying to break into one account.  With a couple of computers running in parallel, someone could be into a database in no time. There's good reason to restrict access to your phpmyadmin pages!

Regardless of whether it's patched on your server or not, you should always take care to protect your databases (and any other Internet-facing applications, for that matter).

For example, on my server I edited /etc/apache2/conf.d/phpmyadmin.conf and added the following underneath the <Directory /usr/share/phpmyadmin> section:
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1 141.219.0.0/16 50.4.168.45

That allows localhost, all of MTU's IP addresses, and my home IP to access phpmyadmin, and gives a 403 error to anyone else.

This article is older, but gives you an idea of how you can also use Fail2Ban to block brute force attempts against phpmyadmin:
http://www.foosel.org/blog/2008/04/banning_phpmyadmin_bots_using_fail2ban
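As an added illustration (not code from the original post or from Fail2Ban), the Python below evaluates a client address against the Order Deny,Allow stanza above and then counts, per client, the 403s that stanza hands out for /phpmyadmin, which is the kind of repeated-denial signal a Fail2Ban jail bans on. The log lines are constructed, and the threshold and function names are my own choices.

```python
import ipaddress
import re
from collections import Counter

# Allow list copied from the Apache stanza above (Order Deny,Allow / Deny from All / Allow from ...).
ALLOW_FROM = ["127.0.0.1", "141.219.0.0/16", "50.4.168.45"]
ALLOWED_NETS = [ipaddress.ip_network(a, strict=False) for a in ALLOW_FROM]

# Apache combined log format: client IP, request method and path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def is_allowed(ip: str) -> bool:
    """Deny-by-default: a client gets in only if it matches one of the Allow-from entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def phpmyadmin_denied_counts(lines):
    """Count 403 responses to /phpmyadmin per client IP (what the stanza returns to outsiders)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access log line
        ip, _method, path, status = m.groups()
        if path.startswith("/phpmyadmin") and status == "403":
            counts[ip] += 1
    return counts


def flag_repeat_offenders(lines, threshold=5):
    """Fail2Ban-style rule (threshold is my assumption): IPs with at least `threshold`
    denied phpmyadmin hits that are not on the allow list."""
    return sorted(ip for ip, n in phpmyadmin_denied_counts(lines).items()
                  if n >= threshold and not is_allowed(ip))


def _line(ip, method, path, status):
    # Constructed access-log line in Apache combined format.
    return f'{ip} - - [11/Jun/2012:10:00:00 -0400] "{method} {path} HTTP/1.1" {status} 291 "-" "curl/7.22.0"'


# Constructed sample log: three allow-listed clients, one stray probe, one persistent scanner.
SAMPLE_LOG = [
    _line("127.0.0.1", "GET", "/phpmyadmin/", 200),
    _line("141.219.23.7", "POST", "/phpmyadmin/index.php", 302),
    _line("50.4.168.45", "GET", "/phpmyadmin/", 200),
    _line("198.51.100.4", "GET", "/pma/", 404),
    _line("198.51.100.4", "GET", "/phpmyadmin/", 403),
] + [_line("203.0.113.9", "POST", "/phpmyadmin/index.php", 403) for _ in range(6)]

if __name__ == "__main__":
    print(flag_repeat_offenders(SAMPLE_LOG))  # ['203.0.113.9']
```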


It's also good practice to force SSL for any sensitive access, including phpmyadmin.  While it doesn't necessarily prevent brute force attacks, it will keep your administrative accounts a little more secure from prying eyes on the network.  Assuming you have SSL set up on your server (https://help.ubuntu.com/community/forum/server/apache2/SSL):

I also have a line in my /etc/phpmyadmin/config.inc.php
       $cfg['ForceSSL'] = TRUE;

That forces phpmyadmin to run over SSL; just be sure you're accessing it on a vhost that has SSL enabled!  You can also force it with some simple apache config lines. For example, in /etc/apache2/sites-available/default (or under your different vhosts) you could have something like
       Redirect permanent /phpmyadmin https://mydomainname.com/phpmyadmin

You can also use mod_rewrite to do this; personally I think the config.inc.php edit is the easiest.

Also you'll want to make sure your mysql ports (3306 by default) aren't open to the Internet.  By default it's only open to localhost on most distros. You can open up /etc/mysql/my.cnf and see the line
      bind-address            = 127.0.0.1

You can also open it up to your LAN from that config and then use iptables to restrict access to only the users/servers that need it (though I'd say most of the time localhost is all you need).

There are many more ways to secure phpmyadmin and mysql; these are just a few methods that seem to work well enough for most setups. Some choose to rename the phpmyadmin alias to something unique to help prevent automated scanners from finding the URL and adding it to their queue. This will sort of work, but security by obscurity is not good practice.  Check to make sure all of your servers are secured, and that your applications are up to date. You may think nobody's trying to break into your private server, but they are.

---
Josh Knight
Undergraduate, Michigan Technological University
Major, Computer Network & Systems Administration
Minor, Electrical Engineering
President, Epsilon Pi Tau - Michigan Tech Chapter
VP of IT Operations, ITOxygen Enterprise
Treasurer, Linux/UNIX Users Group