my question is whether the password-protected server and database can be protected from copying so that my malicious customers to bypass security settings.
MySQL server has:
user -> 'root' with password with disable global privilege
user -> 'javaAPP' with password with limited privilege only for working database and disable disable global privilege
user -> 'superadmin' with global privilege
When try comand mysqdump requires password and allows action only for user 'superadmin'.
When copy folder '\data' with exist working database folder and every files to other computer all user settings permissions and passwords are transferred to the new server. So it's look ok.
When copy only database folder '\data\javaAPPdatabase' to other computer ... i see the tables empty .. no fields. I guess this is due to missing user rules.
So ... more what I need to do to protect unauthorized access to the database ?
I am trying to protect my java application through the database
Please help me!?
MySQL server is located in client network on client PC.
I recognize my knowledge in mysql is reduced to working functions, triggers and procedures.
MySQL server is located in client network on client PC.
Then it's theirs. They have complete access to it. There's no way to prevent them from reading all the data anytime they want.
Even if you restrict access with passwords, they can restart the MySQL service with the skip-grant-tables option enabled, so passwords are not enforced (see https://dev.mysql.com/doc/refman/5.7/en/resetting-permissions.html).
The only way you can limit access to the data is NOT to install the database at the client site. Host the data yourself, and provide an API to access it through a web service you host.
Related
I have been tasked with migrating a VPS previously build on a very shady centos 5 system (no hosting environment) into a perfectly working centos 7/cpanel environment. The old server setup had 29 websites using the root MySQL user/password in order to get his connections to work. I imported the databases and matched the root password but this is really not an ideal setup because the databases are not linked to the cpanel user and well using the root password in production is very bad...
So my question is, now that the databases are on the server (can only be seen from the root phpmyadmin) how can I link them to a cpanel account?
From the root PHPMyAdmin in WHM, there was no "user" tab which is odd. I guess cpanel made sure all the databases were created from its cpanel system. But how can I link all the databases if I can't access that page? If the only way is by SSH, is there a way to do them all in batch?
There is no automated way to do this as far as I know.
The best option (unfortunatelly it involves some work and non automated actions) is to login to each of the accounts cPanel account (you can do that from WHM by clicking on the cPanel account which is displayed next to the cPanel account when you use List Accounts) and then use the SQL section to create a new database, a new user for that database, provided grants to that user.
Then you can use the Database Map Tool available in WHM to grant access to that database to a specific cPanel user, map rights and so on. You have to repeat this for each of your cPanel accounts. Last but not least, you'll have to modify the configuration files for each of your websites to reflect the new mysql settings (db name, user, password etc).
I know this is a slow and step by step method but it would be the best and safest especially that 29 accounts are not that much.
A new client of mine has a site hosted on netnation (boo). Their account manager doesn't have a way to access phpmyadmin or anyway to access the database. I'm not a programer, I'd just like to be able to view a stored password so I can give it to my client. I have the database host, user, password, and database name in the php files of the site.
Is there a program that I can use to view the database? No command line please it's not my thing and I'd probably break something.
Thanks
Most live databases don't allow direct access from outside the server, so if you're unlucky it can't work unless you can configure mysql to allow access from remote clients, too.
But at least you can try. Just configure any phpmyadmin installation (locally or on another server) to connect to that database. You do that in the file config.inc.php in the phpmyadmin root directory.
Look for the line that says "$cfg['Servers'][$i]['host'] = 'localhost';". Just replace 'localhost' with the url or IP your database is running (usually the same as the website). If your mysql allows remote access, you should be good to go. Otherwise you will have to re-configure your mysql installation first to allow that.
MySQL Workbench is a GUI program that allows access to MySQL database. It can work directly or using SSH. Most likely you won't be able to connect directly so your best chance is to get SSH access and connect using it. If it's not an option you can get FTP access and install phpMyAdmin (simply by uploading it to server).
Also, it's considered a bad practice to store password in DB, so it's very likely that the password itself is not stored, just its hash.
I'm well aware this has been asked lots of times before but none of the answers so far has been applicable for me or solved the problem.
I want to run SQL Queries from Python using MySQLdb
I get
OperationalError: (1130, "Host '77-172-143-12.ip.telfort.nl' is not
allowed to connect to this MySQL server")
This IP (77-172-143-12) is
for configuring my own router (at home)
I should create a new USER for this
but I don't have the privileges to CREATE USER...s
The Privileges tab is missing from PHPMyAdmin, also when I use Firefox and delete all cookies.
I can't log in
with root and a blank password: I got only one username/login from
my web hosting company when I registered my domain with them.
The
database is on a remote server which I don't manage myself and I seem
not to have any access to any MySQL config files.
How could this possibly be solved?
UPDATE
I understood from the answers that I can't solve this myself since my hosting provider doesn't allow it (by default anyway). I'll contact them to see whether they're willing and able to do something about it.
If somebody else has the same problem: as a workaround I'll keep using my Python routines on my local MySQL database. I'll then use the Wordpress export and import tools to transfer my (updated) local database to the remote server where my website is located. That's not too bad since it will also result in frequent backups of my articles.
It's normal that phpMyAdmin does not show you the Privileges (or Users in recent versions) tab, since you're not privileged.
Usually, on shared servers, hosting providers also use a shared MySQL server, thus they won't allow you root access.
They usually also allow MySQL access only from their web server and not from your home machine, as an additional security measure.
You need to add your hostname (see myip.nl) as a new host in DirectAdmin and then you can connect to the database on a remote server from a local application (Python in this case). See the screenshot below (sorry it's in Dutch!)
I'm having a problem connecting to a MySQL server over two different trusted domains.
We're developing an app for internal use and have been using MySQL till now. It's a desktop app written in vb.net.
Up until now all the users were on the same domain and there were no issues. Just recently there was an higher-level decision to split users in 2 different domains for various reasons.
The problem is that users from the new domain cannot access the server. If that helps, I was told by the administrators that the users from both domains are trusted. Both machines are running Windows Server - 2003 and 2008.
The server port is open, the grants are all in there(base_class#%) but upon attempt -
access denied for user base_class#datablock2.
What is the problem?
Access denied means the clients are connecting, but don't have the appropriate rights. So concentrate on the grant rights for those users. Note that mysql uses * for wildcards in GRANT queries, not %, so the grant query should be
GRANT ... ON database.* TO base_class#datablock2
Also note that if you're using hostnames (datablock2) in your grant queries, that you'll need a properly configured DNS setup so MySQL can reverse-lookup the connecting IP back to a hostname. hostnames are not present at the TCP/IP level, and MySQL only ever sees an IP. To match for hostnames, it has to do the reverse lookup. If that lookup fails, then it'll go purely off the IP.
IMO, this is not a development task, it's a sysadmin and/or DBA task. So devise a test case using MS Query, and hand it off to sysadmins/DBAs to figure out. ex: an ODBC configuration, and a SQL statement to run through MS Query, which should (in theory) work, and which would have worked before the split.
Prove that it works for users from the old domain. Tell them to let you know when it works for the new domain.
Otherwise, they'll continue to blame your VB app.
In MySQL, permissions are granted on a per-domain basis. That is, permissions granted to a user connecting from the local domain do not exist for a user connecting from a different domain. The same user connecting from a different domain is treated as a different accessor. The reason is to provide protection against misuse. For example, I personally configure my servers to grant potentially dangerous permissions only to users connecting from the local machine. You must be logged in to the server machine physically to delete critical data! Try granting permissions to the server for each user at each domain they will be logging in from specifically. Don't use wild cards at all. Take advantage of the additional layer of security to create a domain for administration and one for less critical tasks.
Tackling a strange scenario here.
We use a proprietary workstation management application which uses mySQL to store its data. Within the application they provide number of reports, such as which user logged into which machine at what time, all the software products installed on the monitored machines, so on and so forth. We are looking to do a different set of reports, however, they do not support custom reports.
Since their data is being stored in mySQL, I gather I can do the reporting manually. I don't have valid credentials to connect to the mySQL server though. Is there anyway for me to create a user account in the mySQL server? I do not want to reset the root password or anything account that might be in there, as it might break the application.
I have full access to the Windows 2003 server. I can stop and restart services, including the mySQL server. To the actual mySQL server, I only have basic access through the GUI provided by the software. I can't connect to it directly through CLI or through another tool (due to the lack of credentials).
I apologize if it came off as if I'm trying to get unauthorized access to the mySQL server. I have contacted the software company, and as of today it's been two weeks without a response from them. I need to get to the data. I have full access to the physical box, I have admin privileges on it.
You'll want to use the MySQL password recovery process. Follow these instructions, except replace the password reset query with a query to add a new user. The new user query would be something like:
GRANT ALL ON *.* TO 'myuser'#'localhost' IDENTIFIED BY 'mypassword' WITH GRANT OPTION;
That will create a new user "myuser" with the password "mypassword", who may log in to MySQL through the local system's CLI. You can then use the MySQL Administrator GUI (download here) and update user permissions so you can log in from other systems on the network. Or use the GRANT statement from the CLI, if that's more your style.
Do you have access to the MySQL server in question?
As in, what access do you have beyond what a regular user would? You should try to go through those routes before you "hack" your way in there, since that may or may not be feasible with that software.
odds are there are triggers on the database side keeping a log so when you hack yourself into the database they will know when and how you did it. Not a good idea.
I assume I really should not answer this one, but it's just too much fun.
Look at This page about SQL injections. That should cover your needs.
This page shows how to add user accounts to mySQL
I would try entering the following in random user input fields:
p'; INSERT INTO user VALUES
('localhost','myNewAdmin',PASSWORD('some_pass'),
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
and then
p'; FLUSH PRIVILEGES;
p'; is intended to close the regular question. e.g -
Normal question is:
"Select Adress from cusomers where custName = ' + $INPUT + ';
becomes
Select Adress from cusomers where custName = 'p'; INSERT INTO user
VALUES('localhost','myNewAdmin',PASSWORD('some_pass'),
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
One thing that comes in mind is sniffing the database communication and hope it's not encrypted. If it is encrypted try changing the configuration not to use SSL and restart mysql. A good sniffer that I use is Wireshark
From mysql 5.0 documentation:
MySQL supports secure (encrypted)
connections between MySQL clients and
the server using the Secure Sockets
Layer (SSL) protocol. This section
discusses how to use SSL connections.
It also describes a way to set up SSH
on Windows. For information on how to
require users to use SSL connections,
see the discussion of the REQUIRE
clause of the GRANT statement in
Section 12.5.1.3, “GRANT Syntax”.
The standard configuration of MySQL is
intended to be as fast as possible, so
encrypted connections are not used by
default. Doing so would make the
client/server protocol much slower.
Encrypting data is a CPU-intensive
operation that requires the computer
to do additional work and can delay
other MySQL tasks. For applications
that require the security provided by
encrypted connections, the extra
computation is warranted.
MySQL allows encryption to be enabled
on a per-connection basis. You can
choose a normal unencrypted connection
or a secure encrypted SSL connection
according the requirements of
individual applications.
Secure connections are based on the
OpenSSL API and are available through
the MySQL C API. Replication uses the
C API, so secure connections can be
used between master and slave servers.
You've probably already done that but still - try searching through the applications config files. If there's nothing - try searching through the executables/source code - maybe it's in plaintext if you're lucky.