A client of ours did a PCI scan on their site and came up with the following alert:
vulnerable MySQL version: 5.5.36---Risk Level High
Is this version of MySQL in fact more vulnerable than others? Do I need to update the version (which will affect all the sites on the server) or can I tell him otherwise?
If an external scan is detecting MySQL, you've got huge problems. You need to firewall that service immediately.
You should not have port 3306 open to the general public under any circumstances, especially not if you're trying to get PCI compliance.
Firewall this service completely. If other external servers need access to this, they should do so via a VPN or SSH tunnel. Where this isn't practical, you must employ IP whitelisting at the firewall level.
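As an added illustration of the exposure this answer is warning about (not code from the original answer), the following SQL audits, from inside the server, what an external scan would be hitting: the listener address and the accounts that accept logins from any host. The account name `'app'@'%'` and the subnet `10.0.0.%` are constructed placeholders.

```sql
-- Constructed audit: how reachable is this MySQL server from the network?

-- 1. Where is mysqld listening? bind_address = '*' or '0.0.0.0' means every
--    interface, which is what lets a remote PCI scanner fingerprint the version.
SHOW VARIABLES WHERE Variable_name IN ('bind_address', 'port', 'skip_networking');

-- 2. Which accounts may log in from any host? A '%' host combined with a
--    reachable port 3306 is the dangerous combination.
SELECT user, host
FROM mysql.user
WHERE host = '%' OR host LIKE '%\%%';   -- exact '%' or any wildcard pattern

-- 3. Which current connections did not come from localhost or the application
--    subnet? Anything else here is a client that should be going through the
--    VPN / SSH tunnel instead.
SELECT id, user, host, db, command
FROM information_schema.processlist
WHERE host NOT LIKE 'localhost%' AND host NOT LIKE '10.0.0.%';

-- 4. Narrow a wildcard account to the whitelisted subnet (placeholder names).
RENAME USER 'app'@'%' TO 'app'@'10.0.0.%';

-- 5. bind_address is not dynamic: set it in my.cnf and restart, then keep
--    3306 closed at the host firewall except for the whitelist.
--      [mysqld]
--      bind_address = 127.0.0.1    # or the private backend interface address
```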
The threat is real, but it's only in the client:
CVE-2014-0001
That doesn't just mean the command-line client, but any client, such as the MySQL API via PHP, etc.
If your MySQL client library only connects to your server, then there's no threat, as long as your server isn't exploited.
Still, you're unlikely to pass a PCI audit until you update MySQL beyond that version. You should be able to update to the latest 5.5 easily.
We have an existing MySQL database with lots of clients connected to it.
We want to change MySQL to use secure connections (SSL/TLS). However, we want to do this gracefully so that we don't have to redeploy all of our applications at the same time.
Ideally, we would like MySQL to support BOTH Secure and Non-secure connections (two different ports) for some window of time until all of our applications can convert over to SSL one at a time, on their own schedule. Then once everyone has stopped using the non-secure port, we can shut that port off.
Is this possible?
Yes, this is possible. MySQL uses TLS, which is started after the connection is made, and encryption can be optional or mandatory. You can set up TLS on the server and set it to be optional, and when everyone has upgraded you can set it up as mandatory.
You don't need two separate ports since the encryption will be selected within the server protocol.
More information is in the MySQL documentation.
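The migration described in this answer, worked through as an added example (constructed here, not taken from the MySQL documentation). It assumes MySQL 5.7 or later with a server certificate already configured, and `'app_orders'@'10.0.0.%'` is a placeholder account.

```sql
-- Phase 1: offer TLS but leave it optional, on the single existing port.
-- Legacy plaintext clients keep working while converted clients negotiate TLS.
SHOW VARIABLES LIKE 'have_ssl';                 -- must be YES or TLS is not available
SET GLOBAL require_secure_transport = OFF;      -- also set in my.cnf so it survives restart

-- Phase 2: find the sessions that are still in plaintext.
-- A session that negotiated TLS has a non-empty Ssl_cipher status value;
-- an empty value is a client that still needs converting.
SELECT t.PROCESSLIST_USER AS user,
       t.PROCESSLIST_HOST AS host,
       IF(s.VARIABLE_VALUE = '', 'PLAINTEXT', s.VARIABLE_VALUE) AS cipher
FROM performance_schema.threads t
JOIN performance_schema.status_by_thread s
  ON s.THREAD_ID = t.THREAD_ID AND s.VARIABLE_NAME = 'Ssl_cipher'
WHERE t.TYPE = 'FOREGROUND';

-- Phase 3: enforce per account as each application is converted, so one
-- application's rollout cannot break another's (placeholder account name).
ALTER USER 'app_orders'@'10.0.0.%' REQUIRE SSL;

-- Phase 4: once the Phase 2 query shows no PLAINTEXT rows, make it global.
SET GLOBAL require_secure_transport = ON;
--   [mysqld]
--   require_secure_transport = ON
```

Re-run the Phase 2 query for a few days before Phase 4, since batch jobs that connect only occasionally will not show up in a single snapshot.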
In my env variable there is a host for the MySQL database. But it is an IP in the local network (starts with 127...). How can I make MySQL available to the external world via a domain name for the db?
This is not possible. Openshift is a Platform-as-a-Service (PaaS) that shields the internals of the implementation in a paradigm that allows access through an API connector such as PHP and a database cartridge, or through SSH tunneling. It does not expose an IP address of your mysql server sitting there as port 3306 for use in development with such db libraries as C#, Java, Python, etc., or with Mysql Workbench or the like.
In fact, it is not your mysql server as much as it is a shared one.
Infrastructure-as-a-Service (IaaS) platforms such as AWS EC2 would allow for those native port 3306 connections and a public IP address exposed if you opened up the firewall for them.
With Openshift, in order to achieve connections with such things as Mysql Workbench, you need a PKI key pair and an SSH tunnel. Same for a native app, say, written in C#, which would need the likes of SSH.NET. These are all configurations that are bearable for a single developer, but don't scale for a rollout to your users, generally speaking. Unless you are up for the task of doing that. That is, key management.
It is one of the drawbacks, but also one of the security guarantees you can bank on. You can also enjoy its simplicity. But it has its shortcomings. I have converted some people away from Openshift once they have realized this. The same limitations exist with major shared hosts where SSH is the only way in.
I hope I have answered your question.
The MySql server and client are on the same server. In time, they will be on separate machines. We want to establish secure protocols from the get go.
Does it make sense to require SSL on database connections? Or put another way, is there any reason NOT to use SSL?
If I were you, I'd refrain from connecting to localhost, and instead connect to your local machine by using its explicit hostname. I think you're also wise to use TLS / SSL to connect in this configuration if that's what you're expecting to use when you deploy in production.
You may want to ask yourself whether that's worth the trouble, though. If your app-to-mysqld connection is on a private backend network (as it may be), using TLS / SSL may be overkill. It's called "transport layer security" and it pretty much protects against bad guys intercepting data going to and from mysql. Your app system will probably have other vulnerabilities that render TLS protection uninteresting. For example, if it's a web app the mysql password is probably hardcoded in a config file someplace. If the bad guy wants to look at your data, he need only grab the password and log in to the mysqld. To keep your info safe you need to keep bad guys off your private network.
It's a good idea always to parameterize the hostname, port number, and production password of your mysql database. If those things are parameterized you can then deploy to a staging or production server system simply by changing those parameters.
I am facing this problem:
stackoverflow question
except my host doesn't seem to have cpanel. Since the answer given in the linked question is cpanel related it has not helped me. Is there anything I can do?
It seems you are trying to connect from a client machine located on your desk to a mySQL server instance located in a service provider's server farm. You're trying to use the ODBC "driver" for mySQL to do this, so you can look at your mySQL data with MS Access. (Right?)
You need to make sure this particular hosting service provider allows remote connections to their mySQL server instances. Some service providers, especially the lowest-cost ones, prevent these remote connections using firewalls or other network isolation techniques. (They do that because it's easier to control both security and performance when only their own web servers can connect to their mySQL servers.) If your service provider prevents all these connections as a matter of policy, you're going to need another service provider.
If they DO allow remote connections, you may need to enable those connections for your mySQL database. That's what the "cpanel" function mentioned in the other question is about. cpanel is a popular control panel web application offered by many commercial hosting service providers to allow self-service control by their customers. If your service provider doesn't use cpanel, you'll have to find out what they do use. Even if they do use cpanel, they may still not allow remote mySQL connections.
You will also have to make sure your client machine (the one running ODBC) and user have authorization in the mySQL user database.
You would do well to put in a service ticket to your service provider asking if they do offer remote mySQL access. If they say "yes," then you can ask them for advice and help on setting it up.
Keep in mind that opening mySQL server instances for direct connection over the publicly accessible internet is not ordinarily considered a good security practice. If the data in your database is in any way private (peoples' identity information, for example) you need to be very careful indeed.
Since our shared hosting server doesn't allow us to setup Tomcat I decided to install it on our local machine. The local Tomcat server allows us to listen to a certain port for Bancnet transactions which will then be processed and written to the remote site.
Question:
Is it safe for me to set the local PHP application to connect directly to the remote mySQL server? Any suggestions on how to make the connection secure? BTW, I have a self-signed certificate installed on the localhost but not sure how this applies to a remote mySQL connection.
You could create an SSH tunnel between the MySQL server and client. For more resiliency, use autossh.
If you don't connect over SSL or some other encrypted tunnel, I would absolutely assume that anything you send or receive from MySQL is done so in clear text that can be intercepted and used for malicious purposes from any link along the way. This might be fine for testing purposes with dummy data, but before you put this in production use or pull down live user data for testing, you really should either make arrangements for the data to be stored local to the web app or for there to be an encrypted connection.
Giving you a full overview of how to set up SSL connections to MySQL is beyond the scope of Stack Overflow and it's a bit complicated, but if you want to proceed, check out the documentation and do some research, there are some good informational resources out there.
I'm a bit confused as to the architecture you are trying to describe. What's running where?
If you can't install Tomcat then you probably won't be able to install anything like VPN software on the box.
MySQL can encrypt using SSL provided it has been enabled at compile time and at run time.
Alternatively, it should be fairly trivial to build a webservices tier on top of the remote database.
I would recommend switching to a VPS or managed host though.