securing your mysql mariadb server data
play

Securing your MySQL/MariaDB Server Data Colin Charles, Ronald - PowerPoint PPT Presentation

Jun 08, 2023 •113 likes •643 views

Securing your MySQL/MariaDB Server Data Colin Charles, Ronald Bradford, Hank Eskin Percona Live Santa Clara 2017 #PerconaLive @bytebot @RonaldBradford @HankEskin About: Colin Charles Chief Evangelist (in the CTO office), Percona Inc

  1. Securing your MySQL/MariaDB Server Data Colin Charles, Ronald Bradford, Hank Eskin Percona Live Santa Clara 2017 #PerconaLive @bytebot @RonaldBradford @HankEskin

  2. About: Colin Charles ● Chief Evangelist (in the CTO office), Percona Inc ● Founding team of MariaDB Server (2009-2016), previously at Monty Program Ab, merged with SkySQL Ab, now MariaDB Corporation ● Formerly MySQL AB (exit: Sun Microsystems) ● Past lives include Fedora Project (FESCO), OpenOffice.org ● MySQL Community Contributor of the Year Award winner 2014 ● http://bytebot.net/blog/ #PerconaLive @bytebot @RonaldBradford @HankEskin

  3. About: Ronald Bradford ● MySQL Database Consultant at Pythian ● Author/Blogger/Speaker ● Oracle ACE Director 2010 - present ● MySQL Community Member of the Year Award winner 09, 13 ● Formally MySQL Inc 06-08, Oracle Corporation 96-99 ● http://ronaldbradford.com/presentations/ ● http://effectivemysql.com #PerconaLive @bytebot @RonaldBradford @HankEskin

  4. About: Hank Eskin ● Founded and run WheresGeorge.com since 1998 ● Running LAMP since 1998 (“old school”) ● Launched Tesla CPO Consolidator EV-CPO.com in 2015 ● Attended the first MySQL Users Conference in 2003. ● Previous life as a Data Warehouse Architect and Business Intelligence consultant #PerconaLive @bytebot @RonaldBradford @HankEskin

  5. Agenda ● Observed insecure practices ● Securing communications ● Securing connections ● Securing data ● Securing user accounts ● Securing server access #PerconaLive @bytebot @RonaldBradford @HankEskin

  6. Signs of Poor Security ● old_passwords ● 'root' MySQL user without password ● Users without passwords ● 'root' MySQL user ● Anonymous users ● Generic OS DBA user e.g. 'dba' ● WITH GRANT privilege users ● Disabled OS security e.g. ● ALL ON *.* privileged users Firewall/SELinux/Apparmor ● '%' host user accounts ● Open data directory privileges ● Not using CREATE USER ● Default test database #PerconaLive @bytebot @RonaldBradford @HankEskin

  7. Easy Fixes $ mysql_secure_installation 5.7 Functionality VALIDATE PASSWORD PLUGIN can be used to test passwords and improve security. It checks the strength of password and allows the users to set only those passwords which are secure enough. Would you like to setup VALIDATE PASSWORD plugin? There are three levels of password validation policy: LOW Length >= 8 MEDIUM Length >= 8, numeric, mixed case, and special characters STRONG Length >= 8, numeric, mixed case, special characters and dictionary file Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: ... Estimated strength of the password: 25 Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) #PerconaLive @bytebot @RonaldBradford @HankEskin

  8. Very easy to Current Insecure Practices improve poor practices ● Using password on command line ○ Command history ○ MySQL shell history ● Using simple passwords ○ It's just a test environment ● Using excessive permissions ○ GRANT, ALL, *.*, % #PerconaLive @bytebot @RonaldBradford @HankEskin

  9. Command Line options (non-interactive) read MYSQL_USER read -s MYSQL_PWD mysql -u${MYSQL_USER} -p${MYSQL_PWD} ps rewrite ps -ef | grep mysql .... mysql -udemo -px xxxxxxx mysql # using $HOME/.my.cnf mysql --defaults-file=/path/to/.my.cnf ● What about gh-ost, pt-osc, other pt- tools etc https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html #PerconaLive @bytebot @RonaldBradford @HankEskin

  10. Config Editor $ mysql_secure_installation $ mysql -uroot -p -e "CREATE USER demo@localhost IDENTIFIED BY 'passw0rd1';" $ echo "[client] user=demo password=passw0rd1" > $HOME/.my.cnf Since 5.6 $ mysql -e "SELECT USER()" $ rm $HOME/.my.cnf $ mysql -e "SELECT USER()" $ mysql_config_editor set --login-path=client --host=localhost --user=demo --password $ ls -al $HOME/.mylogin.cnf $ cat $HOME/.mylogin.cnf $ mysql_config_editor print $ mysql -e "SELECT USER()" $ mysqldump .... #PerconaLive @bytebot @RonaldBradford @HankEskin

  11. Why being SUPER is bad (GRANT ALL ON *.*) ● Bypasses read_only (why we need super_read_only) ● Bypasses init_connect ● Can disable binary logging ● Can change dynamic configuration ● Takes the reserved connection http://ronaldbradford.com/blog/why-grant-all-is-bad-2010-08-06/ http://effectivemysql.com/presentation/mysql-idiosyncrasies-that-bite/ #PerconaLive @bytebot @RonaldBradford @HankEskin

  12. Secure Communications ● SSL for replication ● SSL for client connections ● SSL for admin connections ● Encryption on the wire https://dev.mysql.com/doc/refman/5.6/en/secure-connections.html https://dev.mysql.com/doc/refman/5.7/en/secure-connections.html #PerconaLive @bytebot @RonaldBradford @HankEskin

  13. Secure Communications [mysqld] ssl-ca=ca.pem ssl-cert=server-cert.pem ssl-key=server-key.pem #PerconaLive @bytebot @RonaldBradford @HankEskin

  14. SSL Protocols and Ciphers mysql> SHOW SESSION STATUS LIKE 'Ssl_version'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | Ssl_version | TLSv1 | +---------------+-------+ mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher'; +---------------+---------------------------+ | Variable_name | Value | +---------------+---------------------------+ | Ssl_cipher | DHE-RSA-AES128-GCM-SHA256 | +---------------+---------------------------+ #PerconaLive @bytebot @RonaldBradford @HankEskin

  15. SSL Client Connections https://dev.mysql.com/doc/connector-python/en/connector-python-connectargs.html import mysql.connector from mysql.connector.constants import ClientFlag config = { 'user': 'ssluser', 'password': 'asecret', 'host': '127.0.0.1', 'client_flags': [ClientFlag.SSL], 'ssl_ca': '/opt/mysql/ssl/ca.pem', 'ssl_cert': '/opt/mysql/ssl/client-cert.pem', 'ssl_key': '/opt/mysql/ssl/client-key.pem', } https://dev.mysql.com/doc/connectors/en/connector-net-tutorials-ssl.html #PerconaLive @bytebot @RonaldBradford @HankEskin

  16. Secure Connections ● mysql_ssl_rsa_setup in MySQL 5.7 ○ This program creates the SSL certificate and key files and RSA key-pair files required to support secure connections using SSL and secure password exchange using RSA over unencrypted connections, if those files are missing. ● uses the openssl command #PerconaLive @bytebot @RonaldBradford @HankEskin

  17. Secure Storage ● Encryption of data at rest ○ Data (table vs tablespace) ○ Binary Logs ○ Other Logs ● Key management #PerconaLive @bytebot @RonaldBradford @HankEskin

  18. Encryption in MariaDB Server ● Encryption: tablespace OR table level encryption with support for rolling keys using the AES algorithm ○ table encryption — PAGE_ENCRYPTION=1 ○ tablespace encryption — encrypts everything including log files ● file_key_management_filename, file_key_management_filekey, file_key_management_encryption_algorithm ● Well documented — https://mariadb.com/kb/en/mariadb/data-at-rest-encryption/ ● Tablespace/logs scrubbing: background process that regularly scans through the tables and upgrades the encryption keys ● --encrypt-tmp-files & --encrypt-binlog #PerconaLive @bytebot @RonaldBradford @HankEskin

  19. Encryption in MariaDB Server II [mysqld] CREATE TABLE customer ( plugin-load-add=file_key_management.so customer_id bigint not null primary file-key-management key, file-key-management-filename = customer_name varchar(80), /home/mdb/keys.enc customer_creditcard varchar(20)) innodb-encrypt-tables ENGINE=InnoDB innodb-encrypt-log page_encryption=1 innodb-encryption-threads=4 page_encryption_key=1; aria-encrypt-tables=1 # PAGE row format encrypt-tmp-disk-tables=1 # this is for Aria #PerconaLive @bytebot @RonaldBradford @HankEskin

  20. Encryption in MariaDB Server III ● Use the preset! - /etc/my.cnf.d/enable_encryption.preset ● MariaDB Enterprise has a plugin for Amazon Key Management Server (KMS) ○ The reality is you can just compile this for MariaDB Server ● mysqlbinlog has no way to read (i.e. decrypt) an encrypted binlog ● This does not work with MariaDB Galera Cluster yet (gcache is not encrypted yet), and also xtrabackup needs additional work (i.e. if you encrypt the redo log) #PerconaLive @bytebot @RonaldBradford @HankEskin

  21. Encryption in MySQL ● MySQL 5.7.11 introduces InnoDB tablespace encryption ● early-plugin-load=keyring_file.so in my.cnf ● Must use innodb_file_per_table ● Convert via ALTER TABLE table ENCRYPTION=‘Y’ ● Data is not encrypted in the redo/undo/binary logs ● Has external key management (Oracle Key Vault) #PerconaLive @bytebot @RonaldBradford @HankEskin

  22. Secure Accounts ● Privileges ● Passwords ● Password filesystem storage #PerconaLive @bytebot @RonaldBradford @HankEskin

  23. MySQL 5.6 improvements ● Password expiry - ALTER USER 'foo'@'localhost' PASSWORD EXPIRE; ● Password validation plugin - VALIDATE_PASSWORD_STRENGTH() ● mysql_config_editor - store authentication credentials in an encrypted login path file named .mylogin.cnf ○ http://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html ● Random ‘root’ password on install ○ mysql_install_db —random-passwords ○ cat $HOME/.mysql_secret #PerconaLive @bytebot @RonaldBradford @HankEskin

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ALTER TABLE IMPROVEMENTS IN MARIA DB SERVER Marko Mkel Lead Developer InnoDB MariaDB

ALTER TABLE IMPROVEMENTS IN MARIA DB SERVER Marko Mkel Lead Developer InnoDB MariaDB

ALTER TABLE IMPROVEMENTS IN MARIA DB SERVER Marko Mkel Lead Developer InnoDB MariaDB Corporation Generic ALTER TABLE in MySQL & MariaDB CREATE ; INSERT SELECT ; RENAME ; DROP Starting with MySQL 5.6 & MariaDB 10.0,

1.51k views • 25 slides
MariaDB State of MariaDB Michael Monty Widenius MariaDB hacker monty@askmonty.org

MariaDB State of MariaDB Michael Monty Widenius MariaDB hacker monty@askmonty.org

MariaDB State of MariaDB Michael Monty Widenius MariaDB hacker monty@askmonty.org http://mariadb.com/ Notice: MySQL is a registered trademark of Sun Microsystems, Inc. The origin of My (SQL) At start: Lots of traveling and meeting

1.16k views • 57 slides
MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist, Percona Inc. colin.charles@percona.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter Percona Live Santa Clara 2018, Santa Clara,

681 views • 64 slides
Securing customer data (PII) in MySQL Alexander Rubin VirtualHealth PRIVILEGED + CONFIDENTIAL

Securing customer data (PII) in MySQL Alexander Rubin VirtualHealth PRIVILEGED + CONFIDENTIAL

Securing customer data (PII) in MySQL Alexander Rubin VirtualHealth PRIVILEGED + CONFIDENTIAL About me Working with MySQL for 10-15 years Started at MySQL AB 2006 Sun Microsystems, Oracle (MySQL Consulting) Percona since 2014

1.13k views • 44 slides
FOSDEM MariaDB 10 - The Spider Storage Engine (a sharding plugin for MySQL/MariaDB) Stphane

FOSDEM MariaDB 10 - The Spider Storage Engine (a sharding plugin for MySQL/MariaDB) Stphane

FOSDEM MariaDB 10 - The Spider Storage Engine (a sharding plugin for MySQL/MariaDB) Stphane Varoqui <stephane@skysql.com> Colin Charles <byte@mariadb.com> Introduction Fear of Databases Fear of Sharding Fear of

599 views • 30 slides
Histograms in MariaDB, MySQL and PostgreSQL Sergei Petrunia, MariaDB Sergei Petrunia, MariaDB

Histograms in MariaDB, MySQL and PostgreSQL Sergei Petrunia, MariaDB Sergei Petrunia, MariaDB

Histograms in MariaDB, MySQL and PostgreSQL Sergei Petrunia, MariaDB Sergei Petrunia, MariaDB Santa Clara, California | April 24th 27th, 2017 Santa Clara, California | April 24th 27th, 2017 What this talk is about Data statistics

928 views • 44 slides
MariaDB MySQL Corrected Michael Monty Widenius About Monty Original author of MySQL

MariaDB MySQL Corrected Michael Monty Widenius About Monty Original author of MySQL

MariaDB MySQL Corrected Michael Monty Widenius About Monty Original author of MySQL Co-Founder of MySQL Ab (with David Axmark and Allan Larsson) Founder of Monty Program Ab Swedish-Finn Purveyor of salmiakkikossu and

707 views • 32 slides
Galera 4 in MariaDB 10.4 And a little bit in MySQL Seppo Jaakola Codership 1 CEO Codership

Galera 4 in MariaDB 10.4 And a little bit in MySQL Seppo Jaakola Codership 1 CEO Codership

Galera 4 in MariaDB 10.4 And a little bit in MySQL Seppo Jaakola Codership 1 CEO Codership Developer role, 15 yrs with MySQL engineering Background: DBMS Engineering Data Security Seppo Jaakola www.galeracluster.com C o d e r s h i p

1.01k views • 75 slides
Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server for MySQL? a free, fully compatible, enhanced and open source drop-in replacement for any MySQL database 2 First of All, What Is

2.47k views • 28 slides
Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin

Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin

Opensource Column Store Databases: MariaDB ColumnStore vs. ClickHouse Alexander Rubin VirtualHealth About me Working with MySQL for 10-15 years Started at MySQL AB 2006 - Sun Microsystems, Oracle (MySQL Consulting) - Percona since

644 views • 50 slides
How Microsoft Built MySQL, PostgreSQL and MariaDB for the Cloud Santa Clara, California | April

How Microsoft Built MySQL, PostgreSQL and MariaDB for the Cloud Santa Clara, California | April

How Microsoft Built MySQL, PostgreSQL and MariaDB for the Cloud Santa Clara, California | April 23th 25th, 2018 Azure Data Service Architecture Azure Infrastructure Services Share Cluster with SQL DB Azure Service Fabric Control

868 views • 14 slides
MySQL to MariaDB and Back Again benny Vasquez -- cPanel, Inc. Santa Clara, California | April

MySQL to MariaDB and Back Again benny Vasquez -- cPanel, Inc. Santa Clara, California | April

MySQL to MariaDB and Back Again benny Vasquez -- cPanel, Inc. Santa Clara, California | April 23th 25th, 2018 hi, I'm benny. 2 right now 3 before cPanel 4 boring 5 boring 6 enough about me, though 7 Migrating your data safely

604 views • 27 slides
CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source

CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source

CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source database server in existence. On top of that, it is very commonly used in conjunction with PHP scripts to create powerful and dynamic server-side

92 views • 5 slides
MariaDB 10.3 vs MySQL 8.0 Tyler Duzan, Product Manager Percona Who Am I? My name is Tyler

MariaDB 10.3 vs MySQL 8.0 Tyler Duzan, Product Manager Percona Who Am I? My name is Tyler

MariaDB 10.3 vs MySQL 8.0 Tyler Duzan, Product Manager Percona Who Am I? My name is Tyler Duzan Formerly an operations engineer for more than 12 years focused on security and automation Now a Product Manager at Percona

4.42k views • 37 slides
Securing the Social Web by Moving Beyond Client-Server Security Tyler Close Google, engineer

Securing the Social Web by Moving Beyond Client-Server Security Tyler Close Google, engineer

QCon SF 2010 file:///home/recht/projekt/qcon/wed/Securing the w... Securing the Social Web by Moving Beyond Client-Server Security Tyler Close Google, engineer Client-Server Model Isolated clients connect to a single server. One

448 views • 6 slides
The MariaDB/MySQL Query Executor In-depth Presented by: Timour Katchaounov Optimizer team: Igor

The MariaDB/MySQL Query Executor In-depth Presented by: Timour Katchaounov Optimizer team: Igor

The MariaDB/MySQL Query Executor In-depth Presented by: Timour Katchaounov Optimizer team: Igor Babaev, Sergey Petrunia, Timour Katchaounov Outline What's IN What's NOT IN Query engine architecture Query optimization Execution model

630 views • 19 slides
1. Can we use the CFN model for morphological traits? 2. Can we use something like the GTR model

1. Can we use the CFN model for morphological traits? 2. Can we use something like the GTR model

1. Can we use the CFN model for morphological traits? 2. Can we use something like the GTR model for morphological traits? 3. Stochastic Dollo. 4. Continuous characters. M k models k -state variants of the Jukes-Cantor model all rates

298 views • 14 slides
Option ons f s for or Sc Scattered-Site te Un Units June 3, 2020 U.S. DEPARTMENT OF

Option ons f s for or Sc Scattered-Site te Un Units June 3, 2020 U.S. DEPARTMENT OF

Public lic H Housin ing R Repositio tionin ing Wedn dnesd esday W Webinar S r Ser eries: es: Option ons f s for or Sc Scattered-Site te Un Units June 3, 2020 U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT 1 Presenters

629 views • 35 slides
Probability and Random Processes Lecture 10 Random processes Kolmogorovs extension

Probability and Random Processes Lecture 10 Random processes Kolmogorovs extension

Probability and Random Processes Lecture 10 Random processes Kolmogorovs extension theorem Random sequences and waveforms Mikael Skoglund, Probability and random processes 1/16 Random Objects A probability space ( , A , P

199 views • 8 slides
Realizability and Turing Categories Chad Nester Joint work with Robin Cockett University of

Realizability and Turing Categories Chad Nester Joint work with Robin Cockett University of

Realizability and Turing Categories Chad Nester Joint work with Robin Cockett University of Calgary August 11, 2016 Chad Nester Joint work with Robin Cockett Realizability and Turing Categories We can construct a model of first-order

667 views • 19 slides
The Effects of Restrictions on Number of Connections in OSNs A Case-Study on Twitter Saptarshi

The Effects of Restrictions on Number of Connections in OSNs A Case-Study on Twitter Saptarshi

The Effects of Restrictions on Number of Connections in OSNs A Case-Study on Twitter Saptarshi Ghosh Gautam Korlam Niloy Ganguly Indian Institute of Technology, Kharagpur, India 3 rd Workshop on Online Social Networks Boston, USA June 22,

521 views • 34 slides
Restricted ASEP without particle Conservation flows to DP Urna Basu Joint work with P.K.

Restricted ASEP without particle Conservation flows to DP Urna Basu Joint work with P.K.

Restricted ASEP without particle Conservation flows to DP Urna Basu Joint work with P.K. Mohanty Theoretical Condensed matter Physics Division Saha Institute of Nuclear Physics Kolkata, India Introduction Absorbing state Phase Transition

691 views • 32 slides
A Tutorial on Integer Programming G erard Cornu ejols Michael A. Trick Matthew J. Saltzman

A Tutorial on Integer Programming G erard Cornu ejols Michael A. Trick Matthew J. Saltzman

A Tutorial on Integer Programming G erard Cornu ejols Michael A. Trick Matthew J. Saltzman 1995 These notes are meant as an adjunct to Chapter 9 and 10 in Murty. You are responsible for what appears in these notes as well as Sections

501 views • 37 slides
Computing Compliance Floris Roelofsen www.illc.uva.nl/inquisitive-semantics Umass Amherst,

Computing Compliance Floris Roelofsen www.illc.uva.nl/inquisitive-semantics Umass Amherst,

Computing Compliance Floris Roelofsen www.illc.uva.nl/inquisitive-semantics Umass Amherst, February 1, 2010 Sources Computing compliance Ivano Ciardelli, Irma Cornelisse, Jeroen Groenendijk, and Floris Roelofsen. Workshop on Logic of

360 views • 18 slides

More recommend