Pages

Saturday, March 13, 2010

SQL HARDENING

#start installation by creating a unique, regular group and user account on the operating system, which will be dedicated to the MySQL database:

groupadd mysql
useradd mysql -c "MySQL Server" -d /dev/null -g mysql -s /sbin/nologin


#compiling and installing MySQL in the /usr/local/mysql directory:

./configure --prefix=/usr/local/mysql --with-mysqld-user=mysql --with-unix-socket-path=/tmp/mysql.sock --with-mysqld-ldflags=-all-static
make
su
make install
strip /usr/local/mysql/libexec/mysqld
scripts/mysql_install_db
chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql

#--with-mysqld-ldflags=-all-static parameter causes the MySQL server to be linked statically which wil simplify the process of chrooting the server

#for installing the software in the /usr/local/mysql directory, run the MySQL daemon with the privileges of the mysql account, and create the mysql.sock socket in the /tmp directory.


#size of the database =medium

cp support-files/my-medium.cnf /etc/my.cnf
chown root:sys /etc/my.cnf
chmod 644 /etc/my.cnf


#start the MySQL server 

/usr/local/mysql/bin/mysqld_safe &


#establishing a connection with the database

/usr/local/mysql/bin/mysql -u root mysql

#Once the connection is successfully established, we can shutdown the database

/usr/local/mysql/bin/mysqladmin -u root shutdown


#securing MySQL is to prepare the chrooted environment, in which the MySQL server will run 


#preparing the chrooted environment

mkdir -p /chroot/mysql/dev
mkdir -p /chroot/mysql/etc
mkdir -p /chroot/mysql/tmp
mkdir -p /chroot/mysql/var/tmp
mkdir -p /chroot/mysql/usr/local/mysql/libexec
mkdir -p /chroot/mysql/usr/local/mysql/share/mysql/english


#access rights to the above directories 

chown -R root:sys /chroot/mysql
chmod -R 755 /chroot/mysql
chmod 1777 /chroot/mysql/tmp


#Next, the following files have to be copied into the new directory structure:

cp /usr/local/mysql/libexec/mysqld /chroot/mysql/usr/local/mysql/libexec/
cp /usr/local/mysql/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/mysql/share/mysql/english/
cp /etc/hosts /chroot/mysql/etc/
cp /etc/host.conf /chroot/mysql/etc/
cp /etc/resolv.conf /chroot/mysql/etc/
cp /etc/group /chroot/mysql/etc/
cp /etc/master.passwd /chroot/mysql/etc/passwords
cp /etc/my.cnf /chroot/mysql/etc/


#From the files: /chroot/mysql/etc/passwords and /chroot/mysql/etc/group we must remove all the lines except the mysql account and group
#Next, we have to build the password database as follows 

cd /chroot/mysql/etc
pwd_mkdb -d /chroot/mysql/etc passwords
rm -rf /chroot/mysql/etc/master.passwd


#creating a special device file /dev/null:

ls -al /dev/null

mknod /chroot/mysql/dev/null c 2 2
chown root:sys /chroot/mysql/dev/null
chmod 666 /chroot/mysql/dev/null


We must also copy the mysql database, which contains grant tables created during MySQL installation:

cp -R /usr/local/mysql/var/ /chroot/mysql/usr/local/mysql/var
chown -R mysql:mysql /chroot/mysql/usr/local/mysql/var



#test if it runs correctly by executing the following command

chrootuid /chroot/mysql mysql /usr/local/mysql/libexec/mysqld &


#/chroot/mysql/etc/my.cnf for MySQL server and /etc/my.cnf for MySQL tools (mysqladmin, mysql, mysqldump)

#To disable listening on the 3306/tcp port, the following parameter should be added to the [mysqld] section of /chroot/mysql/etc/my.cnf:

skip-networking


#disable the use of
LOAD DATA LOCAL INFILE command 

#For SQL Injection vulnerabilities in PHP applications, the following parameter should be added in the [mysqld] section in /chroot/mysql/etc/my.cnf:

set-variable=local-infile=0

#in the [client] section of /etc/my.cnf

socket = /chroot/mysql/tmp/mysql.sock


#changing the database administrator's password

chrootuid /chroot/mysql mysql /usr/local/mysql/libexec/mysqld &

#and change the administrator's password as follows:

/usr/local/mysql/bin/mysql -u root
mysql> SET PASSWORD FOR root@localhost=PASSWORD('new_password');


#Remove default users/db ,sample database (test) and all accounts except the local root account

mysql> drop database test;
mysql> use mysql;
mysql> delete from db;
mysql> delete from user where not (host="localhost" and user="root");
mysql> flush privileges;


#change the default name of administrator's account (root), to a different one.so it will be difficult to perform brute-force and dictionary attacks on the administrator's password.

mysql> update user set user="mydbadmin" where user="root";
mysql> flush privileges;


#remove the content of the MySQL history file (~/.mysql_history)

cat /dev/null > ~/.mysql_history


#create all databases and accounts which will be used by specific PHP applications.
#should be emphasized that these accounts should have access rights only to the databases which are used by the PHP applications
#should not have any access rights to the
mysql database administrative privileges (FILE, GRANT, ALTER, SHOW DATABASE, RELOAD, SHUTDOWN, PROCESS, SUPER)


No comments: