MySQL Community Server - Security Patches - mysql

I have been running a MySQL Community Server for a couple of years now and a new client has asked for a report from a vulnerability scanner on our network. I am using OpenVAS and the network is fine apart from the server, its returning a high threat stating that a MySQL security patch needs to be applied. I've gone onto the Oracle website and I believe that I require a Support Identifier to apply the patch, so I done some Googling and its basically a subscription from Oracle. As its a small company is there a way to apply this patch for the community edition without the need to fork out a ton of money, or shall I just filter incoming traffic to the mysql port (Its not the actual fix but at least its one)?
Cheers for the help!

A first measure would be closing the MySQL port through a firewall (iptables), or at least restricting it to the machines in the internal network needing direct access to MySQL.
As for the patch: Maybe there are newer pre-built packages for your OS/distro which already contain the bugfix.

Related

How can I connect a local MySQL database to the IBM Node-Red platform

I am using MySQL workbench on windows, which I want to connect to a Node-Red running on the IBM cloud. Since I don't run them on the same server the host 127.0.0.1 and port 3306 does not seem to work. What permissions should I give?
I'm going to make a LOT of assumptions here, because there really isn't enough information in your question.
First assumption, by "running on IBM" you mean that Node-RED is running on the IBM Cloud hosting service.
The short answer is you can not do what you want.
The longer version is that you probably could actually make this work but doing it is a REALLY bad idea.
Second assumption, you are doing this from home (even if you are doing it from a office location the same problems are likely to apply). This means you are connected to a local LAN using RFC 1918 address range (e.g. 192.168.0.x), this means you are behind a router that is performing NAT (Network Address Translation). This means you are going to need to set up portforwarding on the router so that when traffic arrives at the router it will send it on to your Windows machine. How you do this will depend on your router.
Next problem, your broadband probably doesn't have a static IP address which means it will change every time your connection drops. There are work arounds for this using things like Dynamic DNS. But that's too complicated to get into here.
Assuming you get all of that sorted out you still have the problem that you have now exposed your mysql database to the internet, so you need to make sure you have enabled all the right security measures to prevent people logging in and at best seeing all your data.
There are 2 much better solutions to this
Run Node-RED on the same machine or at least on the same local network as the database.
Use one of IBM Clouds hosted database solutions, these are a lot easier to connect to a IBM Cloud instance of Node-RED.
If you do not want to open ports to your network I recommend using a free MYSQL remote server
A simple website is https://remotemysql.com
Just take the screenshot of the credentials of your database after registration.
Keep in mind if your database is empty it will get deleted after some time.

Setting up servers with fault tolerance using Go and MySQL (failover)

I am working in a project where we are using Go as a web server and MySQL.
We have been told to implement fault tolerance to handle a hardware crash. We were given 2 servers which have MySQL and the Go-server on them.
We have succesfully set up replication in MySQL, but we are struggling with the failover part. Our thought was to get an extra server with HAProxy to have a primary server and then being able to failover to the backup server.
We also considered using MySQL failover, but did not see how we could redirect the traffic using it.
Is this a reasonable plan? Or what would you recommend that we do instead?
If you want two identical servers connecting to their local MySQL instances, you need a way of deciding which one is the production server. There are a number of solutions for that, including
Setting up a reverse proxy, as you mention, but then, your proxy
itself becomes a SPOF,
Using a floating IP, also known as a failover
IP, but this only works if your host supports it. Cloud providers
typically support them, as well as some bare metal server providers.
There is nothing specific to Go as far as I know.

Securing a web server with local MySQL database

I am creating a web service for a small company which will use client authentication and possibly https for a RESTful service. I am asking a very simple question that I hope is not too broad, but I am very new and naive to internet security. What precautions must I take to ensure my data is secure?
To describe my service a bit, users have an account where they place presumably insensitive information and retrieve it from a database using a homemade authentication token I create on successful login with a salted password. I am using an amazon instance where MySQL is local and access is granted remotely to me so I can access it directly from my home. I am using a few php scripts to do my work requesting and adding data and am attempting to protect against injection. I am storing my MySQL credentials in a separate file from the php scripts. I can only ssh into my server with a pem file that I believe is safe.
My biggest fear is that someone will come and delete all of my data. What other precautions must I take? Thanks
If you're using Amazon EC2 then you should make use of their security groups to lock down your MySQL server and ensure that no external access to it is possible.
Application servers have an internal non-routing 10.x type IP that should be used for access control, and any external IPs, like your home network, should be specifically whitelisted if VPN access or SSH tunnelling is not practical, as those two are far easier to secure.
Be absolutely sure that no credentials, configuration files, or keys are stored anywhere in your web root. That is, should you accidentally misconfigure your application server in the worst possible way, with directory indexes turned on and everything, it's not possible to snag anything critical.
You might also want to specifically exclude the downloading of *.inc in case you make a mistake. The idea here is to set up a number of safeguards you'd have to break before things go horribly awry. A single-mistake failure situation is always the result of bad planning.
Above all else, be extremely vigilant about proper SQL escaping to avoid SQL injection bugs as no amount of firewall security on your MySQL server will help you when someone can drive a truck through a mistake in your code and have free reign on the server. It's recommended to thoroughly audit any SQL interfacing code you've written before going live with it.
Be sure to have a proper deployment procedure that uses a version control system. If you ever have an intrusion it's very easy to roll back to a known-good version of the code if you have one. The 1990s style "throw files at server with FTP" deployment approach is hazardous at the best of times and fatal to your business when it goes wrong. Use version control or you're living on borrowed time.

IIS7 SMTP: SmartHost or local SMTP Server?

I have an ASP.NET 4 application that has been in production for years running on Windows Server 2008 R2. It sends email, and is currently configured to send to a specific SmartHost.
I would like to eliminate the dependency on that SmartHost server (it might be going away). As I see it, I have two options:
Find another SmartHost - possibly in the cloud? Which concerns me because it's another point of failure and dependency.
Install & configure SMTP server on the same box as the application. I'm not wild about installing the 'IIS6-bits' that seem necessary to do this.
What's the best practice here? Are folks using external servers via SmartHost more or are you installing local SMTP servers?
I have chosen option 2, because, as you wrote, this eliminates another point of failure, namely the network path between your server and the smart host. Administering a send only mail server is not a big deal. I set up a local send only mail server about two years ago, and except an upgrade I did not do anything with it. Even the upgrade was not strictly necessary. I have to add that I was not completely new to configuring a mail server, and we already had a second mail server, giving additional safety.
On the other hand I have no experience with the SMTP server included in IIS (I only tried it once, several years ago, without success, and gave it up immediately), and I also found then that the choice of open source mail servers on Windows is limited.
I don't see anything wrong with IIS6 SMTP Server although I've only used it to relay to another SmartHost (GMail) and not had it send mail itself. It's a little tricky to set up but not that hard and has worked well for me.
Note: The IIS bits are still there even in Server 2012 and although deprecated Microsoft has provided no replacement. See my thoughts on What replaces IIS SMTP server in Windows Server 2012 on ServerFault.
I'd recommend using both IIS6 bits in conjunction with an external SmartHost (I use Gmail) for the benefits in the above referenced ServerFault answer of mine. I would think that setting up your own SMTP server is going to end up being more complicated and you may risk being blacklisted if you're not careful.

Have you used any databases only hosting service?

Are there any database only hosting services?
I need a MySQL only hosting service but I couldn't find any. All mysql hostings are part of a package e.g. PHP + MySQL.
I need it for development purposes. Having my PHP files somewhere else I can remotely connect to this mysql server and once an application is ready I can put that on a server having both PHP + MYsql. [well, there a some reason to have this kinda setup, if you have something to suggest please do.]
Any suggestion/recommendation if you have used any.
Thanks
The problem with a database-only host would be the security. The database need to be accessed over the Internet, thus username and password to access it are sent over the Internet. Even though you could add encryption and other protection, there's still a risk that the security is breached.
In general, you should never allow direct access to databases over the Internet! It's a real bad practice, which also explains why it's hard to find.
One way to get around such limitation is by building a web service around your database. In this web service you'll add all the functionality that you need to apply on this database, and the web service itself will keep the database itself protected. There would still be a risk that your web service gets compromised but even in that case, the attacker could never do more damage than the specific web service allows.
Such a web service can be created in PHP, although I myself have more experience with doing something similar with .NET and C# on SQL Server...
I think that you can find hosts with MySQL and PHP cheap enough that it would be easiest for you just to use one of those hosts and only use what you need.
Web Hosting Buzz has a plan for $5.95 (a month) which has unlimited databases, 400GB storage, and 500GB/Month data transfer.
A few weeks after the question was posted, Amazon announced a beta of "Amazon Relational Database Service (Amazon RDS)." It acts like MySQL 5.1.
http://aws.amazon.com/rds/
Seems pricey for what you want, but you never said you were the one who would be paying the bill.
Contract a dedicated server.
Use it only to host your MySQL database
If the server is managed, they should help you with basic MySQL problems as it is usually preinstalled. I use http://www.hostingmatters.com/
If you are just needing this for developement purposes for PHP + MySQL why not just install EasyPHP (http://www.easyphp.org/). This installs quickly and easily and I think it's great for developement.
I've had no problems installing additional PEAR extensions and such after the fact with this.
There's a free option on Heroku and paid options up from there: https://addons.heroku.com/cleardb
You can try freemysqlhosting.
http://freemysqlhosting.net/