I work in an organization that is performing the config review of their RDS MySQL Instance.
The review requires me to check if the access to the database is granted only after a secure authentication.
Is there a way to check if this is violated in any way?
Thank You
Edit: Let us ignore the "secure" part... There must be authentication using the credentials always and for every user
Depending how "Secure authentication" defined.
Look at SELECT CURRENT_USER() and examine tables for anonymous users.
Is TLS based authentication required? If so examine that in the connection \s from mysql client. Attempt to connection without the TLS, or without the client cert, or with a different client certificate as tests of this.
Related
When looking the the MySQL process list, I see the following:
The IP 23.95.34.214:3968 isn't one of my servers.
Does this mean I have some sort of security breach? Is this something I should worry about / handle?
Unauthenticated user is a user who connected to mysql, but hasn't sent his password yet.
You aren't hacked yet, but additional firewall rules could improve security.,
Consider a MySQL server that accepts remote connections.
What happens if you have a publicly facing MySQL server, and grant access to e.g.:
'sqluser'#'localhost'
If an attacker now sets his rDNS to "localhost", will he able to access this database?
Is there an extra check that also tries to resolve the rDNS back to the IP?
Regardless, database servers shouldn't be internet facing, but this a what-if-question.
It appears that MySQL uses forward-confirmed reverse DNS (FCrDNS) to counter these kind of attacks.
Most of the logic for the hostname checks can be found in sql/hostname.cc. Moreover, several checks are also performed to make sure that the rDNS doesn't contain an IP or is otherwise poisoned.
Hi I need to know if there is an equivalent sentence in Postgres to the following MySql sentence:
GRANT USAGE ON *.* TO ‘%’#’%’ REQUIRE SSL
I want that all the users connect to the database right through SSL connections.
Thanks
The permission themselves (via GRANT) in PostgreSQL don't take into account how the role was authenticated. Authentication is configured in pg_hba.conf instead.
You'll still need to use GRANT, simply to give access to that role on the tables, schema, views, etc., as required by your application.
If you want to grant access only when SSL is used, use hostssl instead of host in pg_hba.conf. (host is effectively hostssl or hostnossl.)
Note that, like HTTP redirections from HTTP to HTTPS, this security measure used on its own only really protects against passive attackers at best. Otherwise, MITM attackers could intercept the plain-text connection and forward it themselves to your server using SSL. The server wouldn't know about it (unless client certificates are used).
As always, what you need is to make sure that your client know that they need to use SSL, and that they verify the server certificate correctly. More specifically, if they're using a tool that relies on libpq, they need to configure your CA certificate (or your server certificate directly) correctly and use verify-full, to prevent MITM attacks.
I noticed in one of my MySQL server that a remote attacker tried around 2000 login attempts in one night using 'root' and 'admin' usernames over 'mysql' system database. Luckily, I had setup mysql's query-log into a file log for monitoring purpose, and the passwords were difficult.
My database server survived that attack, even though it received almost one login attempt per second during the off-hours at (night).
There were around 10 different IPs with the same attack behavior all together, most of them having 'good reputation' in blacklist checking.
In this case, changing the database password may not be a good protective idea.
Is there a way to discourage such mis-behavior? For example, if there are about 5 wrong login attempts in short time, deny them the service?
How do MySQL experts handle this attack in case the MySQL port is open for remote login?
A lot of servers might be facing this kind of silent login attempts.
I recommend Fail2Ban. This is a script that watches logfiles for any patterns (e.g. failed logins) and creates then a firewall rule to prevent that IP to access your server. You can configure how many failed logins are necessary and for how long the access should be denied before the firewall rule is removed.
With fail2ban you can also watch ssh logins, mail accounts or event your own web-application logfile for malicious logins/behaviour.
As a general hint: rename your root/admin account to something else, so that they will never success anyway and change the public mysql port of your server (which is both just obscurity, but no real security). Also you should disable remote login for accounts (which is security).
I would like to know how can you connect to postgresql in these conditions:
allow you to access them from any location (do IP filtering)
safe connection (no risk on having your password captured)
easy to setup, preferably having to configure only the server for that.
I know that the recommended approach is to used SSH port forwarding, but this requires you to start the port forwarding before trying to connect to these databases.
What is the easiest method to acquire a good enough security without having to do complex setup on the client.
Is there a way to auto enable the port forwarding stuff on demand?
For PostgreSQL you would start by making sure you are using an SSL-enabled build. (I think that is the default for most installers.)
Then you would need to allow the server to accept remote connections by setting listen_addresses (which specifies which IP addresses the server will listen on): http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html
The pg_hba.conf file allows you to specify which users can connect to which databases from which IP addresses using which authentication methods. There are a lot of authentication methods from which to choose: http://www.postgresql.org/docs/9.1/interactive/client-authentication.html
Regarding what needs to be done on the client side, the details will depend on what connector you are using from which environment; as an example, the PostgreSQL JDBC driver uses an SSL connection by default if available. To tell the JDBC driver not to accept a connection unless it can use SSL, you set a JDBC connection property: ssl=true. http://jdbc.postgresql.org/documentation/head/ssl-client.html
Sorry, but I don't know how MySQL manages any of this.
I am myself trying to find the answer for Postgre, but here is what you can do for MySQL.
First, you need to enable remote access to your database. You can create a user with remote access ability as follows.
GRANT ALL ON *.* to user#address IDENTIFIED BY 'password';
flush privileges;
More details here.
To add security to this, you can add a 'REQUIRE SSL' to the GRANT command as follows
GRANT ALL ON *.* to user#address IDENTIFIED BY 'password' REQUIRE SSL;
All this needs to be done on the server side. On the client, you just need to provide the required certificates that it will need to connect.
For details on creating certificates, the MySQL site has a step by step guide here