HOWTO defend databases from SQL attacks with GreenSQL
UPDATE: as if to underscore the importance of this tool and approach, yesterday a story hit about a SQL Injection attack infecting over 132,000 systems in short order. Net-Security have the full details on this attack, including how it probes the host via JavaScript to check for known vulnerabilities, how it exploits them, and how it ultimately downloads a back-door trojan to get the game going. It’s really amazing to see how complicated and professional these things have gotten, and just adds to the reasoning that we have to step up to the plate and learn how to better defend against them.
I’ve been privy to some log dumps showing real, and successful, SQL attacks on some MSSQL servers before, and they weren’t pretty. Of course a SQL injection attack has little to do with the database (well, as long as it’s still SQL based at least (nod to CouchDB and MongoDB)), and more with the code that calls it, and how that code deals with sanitizing inputs. For this reason MySQL is just as vulnerable, after all, bad code is bad code. While a client of mine opted for a firewall ‘module’ they had to buy an additional licence for, that set them back many thousands of dollars, I knew there had to be cheaper/better ways to address this kind of vulnerability. One way of course is to fix the code, but with legacy sites that no one has touched for years, this may be impractcal (I didn’t say this, I only heard it), and the other idea is to proxy the SQL and ‘clean’ it before it hits the database. The advantage of this approach is that it protects against known attacks, as well as unknown attacks, since it limits so much of what an attack is allowed to accomplish when trying to get its’ foot in the door. This approach is what the folks over at GreenSQL have done, and it’s very impressive. They sum things up nice and sweet with, “GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL & PostgreSQL . The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.” (more…)
HOWTO: configure MySQL’s my.cnf file
UPDATE: I recently used this MySQL tuner script, I basically went with what it told me, but I’m using a higher query_cache_size than it recommends, basically because I don’t see anything online saying it will hurt things. So I’m now using the following values on my server:
[mysqld] user=mysql bind-address=127.0.0.1 datadir=/var/lib/mysql pid-file=/var/run/mysqld/mysqld.pid socket=/var/run/mysql/mysql.sock port=3306 tmpdir=/tmp language=/usr/share/mysql/english skip-external-locking query_cache_limit=64M query_cache_size=32M query_cache_type=1 max_connections=15 max_user_connections=300 interactive_timeout=100 wait_timeout=100 connect_timeout=10 thread_stack=128K thread_cache_size=128 myisam-recover=BACKUP key_buffer=64M join_buffer=1M max_allowed_packet=32M table_cache=512M sort_buffer_size=1M read_buffer_size=1M read_rnd_buffer_size=768K max_connect_errors=10 thread_concurrency=4 myisam_sort_buffer_size=32M skip-locking skip-bdb expire_logs_days=10 max_binlog_size=100M server-id=1 [mysql.server] user=mysql basedir=/usr [safe_mysqld] bind-address=127.0.0.1 err-log=/var/log/mysqld.log pid-file=/var/run/mysqld/mysqld.pid open_files_limit=8192 SAFE_MYSQLD_OPTIONS=”–defaults-file=/etc/my.cnf –log-slow-queries=/var/log/slow-queries.log” [mysql] [isamchk] key_buffer=64M sort_buffer=64M read_buffer=16M write_buffer=16M [myisamchk] key_buffer=64M sort_buffer=64M read_buffer=16M write_buffer=16M [mysqlhotcopy] interactive-timeout max_heap_table_size = 64 M tmp_table_size = 64 M !includedir /etc/mysql/conf.d/
Off we go…
Image via Wikipedia
Heading out today for Woods Hole, MA – it’s supposed to be beautiful (expect pictures on my grossly underused flickr account). I’m representing the Biodiversity Heritage Library in a meeting with the Encyclopedia of Life folks as we discuss standardizing data streams for upcoming sharing of data. It may not sound like it, but this is fun. While I’m on more of the technical end of the spectrum, the way these things will be shared/directed/pushed along the wire is where I’ll come in and I’m very interested in their efforts and methods, so I expect to learn a ton. For more info on EOL and what they’re working towards, check the links to some articles below. (that Zemanta feature is pretty slick)
Hi, I'm fak3r and I've been online for over 15 years, blogging for 10. I work with open source software, various hardware and whatever else that I can hack on. I enjoy learning by doing, painting infrequently and listening to more music than the law allows. Feel free to follow me and comment on my thoughts and ideas; we're all in it together kid.
