I am creating a web service for a small company which will use client authentication and possibly https for a RESTful service. I am asking a very simple question that I hope is not too broad, but I am very new and naive to internet security. What precautions must I take to ensure my data is secure?
To describe my service a bit, users have an account where they place presumably insensitive information and retrieve it from a database using a homemade authentication token I create on successful login with a salted password. I am using an amazon instance where MySQL is local and access is granted remotely to me so I can access it directly from my home. I am using a few php scripts to do my work requesting and adding data and am attempting to protect against injection. I am storing my MySQL credentials in a separate file from the php scripts. I can only ssh into my server with a pem file that I believe is safe.
My biggest fear is that someone will come and delete all of my data. What other precautions must I take? Thanks
If you're using Amazon EC2 then you should make use of their security groups to lock down your MySQL server and ensure that no external access to it is possible.
Application servers have an internal non-routing 10.x type IP that should be used for access control, and any external IPs, like your home network, should be specifically whitelisted if VPN access or SSH tunnelling is not practical, as those two are far easier to secure.
Be absolutely sure that no credentials, configuration files, or keys are stored anywhere in your web root. That is, should you accidentally misconfigure your application server in the worst possible way, with directory indexes turned on and everything, it's not possible to snag anything critical.
You might also want to specifically exclude the downloading of *.inc in case you make a mistake. The idea here is to set up a number of safeguards you'd have to break before things go horribly awry. A single-mistake failure situation is always the result of bad planning.
Above all else, be extremely vigilant about proper SQL escaping to avoid SQL injection bugs as no amount of firewall security on your MySQL server will help you when someone can drive a truck through a mistake in your code and have free reign on the server. It's recommended to thoroughly audit any SQL interfacing code you've written before going live with it.
Be sure to have a proper deployment procedure that uses a version control system. If you ever have an intrusion it's very easy to roll back to a known-good version of the code if you have one. The 1990s style "throw files at server with FTP" deployment approach is hazardous at the best of times and fatal to your business when it goes wrong. Use version control or you're living on borrowed time.
Related
I'm trying to solve the problem described by CWE-798, specifically how to allow my application to authenticate to a database securely. I would like to set a mysql password within mysqld and push that information out to a PHP application server. This entails communicating the new password from mysqld to PHP before a PHP instance attempts to connect to the mysqld.
(I did read through the suggested approaches on mitre.org and have some knowledge of privileged access management - however NONE of the recommendations actually solve the problem).
Unless this is initiated within the mysqld e.g. using its event scheduler, then I need to maintain some sort of script outside MySQL which will need credentials to connect - thus defeating the objective.
My problem is that I don't know how to get MySQL to initiate a client connection to the application to inject the new password; it does not appear to provide a standard function for invoking a URL nor for executing a program.
Is my only option to implement a UDF?
The vulnerability you're describing seems to primarily relate to applications that are in the hands of users that can freely inspect what they've been given, such as might be the case in a desktop application or a mobile app. If you have credentials in there you must take great pains to encrypt them, and then prevent that encryption from being cracked by protecting your key, but seeing as how all of this has to happen on the user's hardware you're fighting a battle you may never win.
This is how the DVD encryption was cracked, the private key for decrypting DVD data was stored in a desktop application and eventually uncovered.
Server-side code has different concerns. Here you want to avoid hard-coding credentials into your application not because you're concerned about hostile users per-se, though that can be an issue, but because you do not ever want your credentials to end up in a version control system.
One way to ensure this never happens is to have the credentials stored in a file external to your application, like a config file that the application can reference. Most frameworks have some kind of configuration file (.yml, .ini, .xml) that define how they connect to the database. This file should be stored on the server and only on the server, not on developer workstations, not in your version control, and especially not somewhere shared.
You can go down the road of using something like Zookeeper to manage your configuration files but the investment of time required makes this a futile exercise unless you're managing hundreds of servers.
So the short answer here is: Don't put your credentials in your code, or store it with your code. Put it in a config file that's kept on the server and the server alone.
I'm setting up an application on Heroku that uses a MySQL database.
The client would like to use a MySQL database that has an explicit whitelist that allows it to connect. However, due to the dynamic IP nature of Heroku, this proves to be quite complex; we have to use an add-on such as QuotaGuard to provide us a static IP in which we can access the database.
This proxy routing is causing issues for us in other places as other services that use dynamic IPs are attempting to access the database and are failing.
My question is the degree of security a whitelist really provides rather than a complex username/password with SSL.
Has anyone had experience with the two and can speak to the advantages disadvantages?
Thanks
Allow me to rephrase your question:
What is the advantage of setting up a complex dynamic IP tracker system vs. simply securing the link?
An IP can be spoofed, by the way, so this solution is not that secure (right, such an attack requires some non-trivial black magic, but is quite feasible in fact).
Configuring MySQL for SSL support is really not that complicated and very well documented.
And if you can't recompile or reconfigure MySQL, you can still establish a simple VPN between your client application and your MySQL server (and only allow connections from this VPN).
Unfortunately, I don't know if your provider allows this level of configuration on your instances.
So if all of the above in not possible, you can still create a random 10000-character long password. Not secure enough for a purist, but I wish the hackers good luck :)
I'm working on an application in VB.NET that has to connect to a MySQL database and FTP. How secure is it if I used it in an application that I gave to other people. E.g. if I was to let other people use this application would they be able to find out the MySQL and FTP connection details through intercepting packets or something like that?
If that's the case how can I work round this? Also, part of my application is an uploader for users to upload files, is FTP secure for that or are there better alternatives ways in doing that? My server is a Windows Server 08 if that makes any difference.
Thanks in advance.
FTP is plaintext. It is very easy to get user names and passwords just by packet sniffing. If the ftp is supposed to be secure rather look ay sftp or ftps solutions. These use SSL type encryption on the network layer. Never ever use a ftp server for sensitive information.
MySQL traffic can also be sniffed though it is considerably harder to reverse engineer the protocol. If data has to flow between client and mysql in a secured fashion you can configure mysql to use SSL certificates to encrypt the information. This will ensure security is of highest standards.
It depends, but as per Accessing SQL Server with Explicit Credentials article and it is applicable to MySql as well:
The recommended method is to store the predetermined user name and
password on the server, and then read it and add it to the connection
string at run time. An advantage of this technique is that your
application can access the database using different credentials under
different circumstances, depending on what it needs to do in the
database.
Security Note Never hard-code credentials as strings into programs in your application. Anyone who can get access to the code
file, even the compiled code, will be able to get at the credentials.
Security Note Always give a predetermined user name the minimal access privileges to a resource. Never use "sa" or any other
administrative-level user name. Always use passwords
Are there any database only hosting services?
I need a MySQL only hosting service but I couldn't find any. All mysql hostings are part of a package e.g. PHP + MySQL.
I need it for development purposes. Having my PHP files somewhere else I can remotely connect to this mysql server and once an application is ready I can put that on a server having both PHP + MYsql. [well, there a some reason to have this kinda setup, if you have something to suggest please do.]
Any suggestion/recommendation if you have used any.
Thanks
The problem with a database-only host would be the security. The database need to be accessed over the Internet, thus username and password to access it are sent over the Internet. Even though you could add encryption and other protection, there's still a risk that the security is breached.
In general, you should never allow direct access to databases over the Internet! It's a real bad practice, which also explains why it's hard to find.
One way to get around such limitation is by building a web service around your database. In this web service you'll add all the functionality that you need to apply on this database, and the web service itself will keep the database itself protected. There would still be a risk that your web service gets compromised but even in that case, the attacker could never do more damage than the specific web service allows.
Such a web service can be created in PHP, although I myself have more experience with doing something similar with .NET and C# on SQL Server...
I think that you can find hosts with MySQL and PHP cheap enough that it would be easiest for you just to use one of those hosts and only use what you need.
Web Hosting Buzz has a plan for $5.95 (a month) which has unlimited databases, 400GB storage, and 500GB/Month data transfer.
A few weeks after the question was posted, Amazon announced a beta of "Amazon Relational Database Service (Amazon RDS)." It acts like MySQL 5.1.
http://aws.amazon.com/rds/
Seems pricey for what you want, but you never said you were the one who would be paying the bill.
Contract a dedicated server.
Use it only to host your MySQL database
If the server is managed, they should help you with basic MySQL problems as it is usually preinstalled. I use http://www.hostingmatters.com/
If you are just needing this for developement purposes for PHP + MySQL why not just install EasyPHP (http://www.easyphp.org/). This installs quickly and easily and I think it's great for developement.
I've had no problems installing additional PEAR extensions and such after the fact with this.
There's a free option on Heroku and paid options up from there: https://addons.heroku.com/cleardb
You can try freemysqlhosting.
http://freemysqlhosting.net/
I'm new to MySQL and I'm using a desktop DB management app called "Querious" to simplify the process while I learn.
I want to work on (mainly just structure & basic population) a database that's hosted elsewhere, but the host won't allow any remote MySQL calls on their server.
What is their reasoning for restricting MySQL calls to localhost only? Is this a security or a performance concern?
This is a security concern. The idea is that if people can't remotely connect, they have to compromise the system. Not just the files that hold the database information.
You may be able to request that just add your IP address to a trusted host file, but I doubt they'll do that either.
It's fairly common practice to not allow remote DB connections
I've run into this problem with GoDaddy where they implement this by default. You can change this, however, by indicating that you want to allow remote access. If you've already created your DB, though, you can't change it, so I would recommend creating a new DB and deleting your other one.
The reason why is for security. If only your app can call your DB, you don't have to worry about other people trying to access it.
Distill,
An improperly-configured MySQL instance is dangerous, whether the user is remote or local. This could allow malicious attackers to cause crashes or remote execution of arbitrary code (i.e., owning the machine).
You can use PuTTY to create a tunnel if it's allowed by the server so that your application traffic goes through ssh and then is forwarded to the correct port on localhost.