Tag Archives: mysql

commerce geek linux

HOWTO defend databases from SQL attacks with GreenSQL

December 10, 2009 – 5:26 pm

green_logoUPDATE: as if to underscore the importance of this tool and approach, yesterday a story hit about a SQL Injection attack infecting over 132,000 systems in short order.  Net-Security have the full details on this attack, including how it probes the host via JavaScript to check for known vulnerabilities, how it exploits them, and how it ultimately downloads a back-door trojan to get the game going.  It’s really amazing to see how complicated and professional these things have gotten, and just adds to the reasoning that we have to step up to the plate and learn how to better defend against them.

I’ve been privy to some log dumps showing real, and successful, SQL attacks on some MSSQL servers before, and they weren’t pretty.  Of course a SQL injection attack has little to do with the database (well, as long as it’s still SQL based at least (nod to CouchDB and MongoDB)), and more with the code that calls it, and how that code deals with sanitizing inputs.   For this reason MySQL is just as vulnerable, after all, bad code is bad code.  While a client of mine opted for a firewall ‘module’ they had to buy an additional licence for, that set them back many thousands of dollars (annually!) I knew there had to be cheaper/better ways to address this kind of vulnerability.  One way of course is to fix the code, but with legacy sites that no one has touched for years, this may be impractcal (I didn’t say this, I only heard it as reasoning from management), and the other idea is to proxy the SQL and ‘clean’ it before it hits the database.  The advantage of this approach is that it protects against known attacks, as well as unknown attacks, since it limits so much of what an attack is allowed to accomplish when trying to get its’ foot in the door.  This approach is what the folks over at GreenSQL have done, and it’s very impressive.  They sum things up nice and sweet with, “GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL & PostgreSQL . The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.”

This is a preview of HOWTO defend databases from SQL attacks with GreenSQL. Read the full post (987 words, 2 images, estimated 3:57 mins reading time)
Tags , , , , , , , , , | Permalink | Comments (8)
geek howto

HOWTO: configure MySQL's my.cnf file

February 18, 2009 – 1:05 pm

mysql-logoUPDATE: I recently used this MySQL tuner script, I basically went with what it told me, but I’m using a higher query_cache_size than it recommends, basically because I don’t see anything online saying it will hurt things.  So I’m now using the following values on my server:

[mysqld]
user=mysql
bind-address=127.0.0.1
datadir=/var/lib/mysql
pid-file=/var/run/mysqld/mysqld.pid
socket=/var/run/mysql/mysql.sock
port=3306
tmpdir=/tmp
language=/usr/share/mysql/english
skip-external-locking
query_cache_limit=64M
query_cache_size=32M
query_cache_type=1
max_connections=15
max_user_connections=300
interactive_timeout=100
wait_timeout=100
connect_timeout=10
thread_stack=128K
thread_cache_size=128
myisam-recover=BACKUP
key_buffer=64M
join_buffer=1M
max_allowed_packet=32M
table_cache=512M
sort_buffer_size=1M
read_buffer_size=1M
read_rnd_buffer_size=768K
max_connect_errors=10
thread_concurrency=4
myisam_sort_buffer_size=32M
skip-locking
skip-bdb
expire_logs_days=10
max_binlog_size=100M
server-id=1
[mysql.server]
user=mysql
basedir=/usr
[safe_mysqld]
bind-address=127.0.0.1
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
open_files_limit=8192
SAFE_MYSQLD_OPTIONS=”–defaults-file=/etc/my.cnf –log-slow-queries=/var/log/slow-queries.log”
[mysql]
[isamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M
[myisamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M
[mysqlhotcopy]
interactive-timeout
max_heap_table_size = 64 M
tmp_table_size = 64 M
!includedir /etc/mysql/conf.d/
This is a preview of HOWTO: configure MySQL's my.cnf file. Read the full post (485 words, 1 image, estimated 1:56 mins reading time)
Tags , , , , , | Permalink | Comments (12)
blah geek travel

Meeting Moore, Internet Archive, PLoS, Flickr in San Francisco

June 28, 2008 – 3:56 am

I’ve gotten my pictures online from my San Francisco trip.  The city was everything I always hoped it would be, and I really loved it there.  I had the opportunity to meet with diverse people that all intersect with various aspects of my job (now being refered to as my career).  From The Moore Foundation (the most amazing workspace I’ve ever seen) that provide us grant money to do our research to other non-profits partners like Internet Archive, The Smithsonian, Califonia Academy of Science, Public Library of Science to some of the folks that run the servers and dream up new ideas at Flickr (they use MySQL shards, Squid and memcached all over the architecture to navigate all that data – so I’m on the right path!)  The best part was meeting more people like me who are learning how to deal with and distribute all of this life data that just increases daily, the fact that I’m using my skills that I learnt by doing things like…running this blog, to do things on such a global level is an honor.  And fun, lots of fun!

Permanent link to this post (188 words, 1 image, estimated 45 secs reading time)
Tags , , , , , , , | Permalink | Comment (0)