Re: [SLE] Apache/MySQL/PHP Blues
g.lams_at_itcilo.org
Date: 03/11/05
- Previous message: Clayton: "Re: [SLE] usb port under VMWare don't run"
- In reply to: columbo_at_wowway.com: "[SLE] Apache/MySQL/PHP Blues"
- Next in thread: columbo_at_wowway.com: "Re: [SLE] Apache/MySQL/PHP Blues"
- Reply: columbo_at_wowway.com: "Re: [SLE] Apache/MySQL/PHP Blues"
To: suse-linux-e@suse.com
Date: Fri, 11 Mar 2005 09:26:16 +0100
columbo@wowway.com wrote on 10/03/2005 18.27.05:
>
> On my Suse 9.2 box I've successfully setup an HTML server using Apache
> 2.0.50, MySQL 4.0.21 using PHP 4.3.8. I'd like to administer MySQL
> using phpMyAdmin locally or remotely. I printed out reams of
> information a few weeks ago from the 'net as an aid to setting things
> up as securely as possible but became totally confused as to the
> privileges of the system users relative to each package. It's a little
> bit disconcerting when you can remotely access your database with full
> privileges as an anonymous user. :>
>
The urgent thing you need to do is to "harden" your mysql setup. Please
find below my "policy" when I set up a mysql server (taken from various
documents/articles I found "googling" and put together).
1) Change admin password
MySQL root's account must be protected by a hard to guess password and for
this reason one of the most important steps in securing MySQL is changing
the database administrator's password, which is empty by default.
mysql> SET PASSWORD FOR root@localhost=PASSWORD('new_password');
SET PASSWORD FOR root@localhost=PASSWORD('merlin0');
It is good practice not to change passwords from the command line, for
example, by using the "mysqladmin password" command. This is especially
important when other users work on the server. In that case the password
could be easily revealed, e.g. by using the "ps aux" command or reviewing
history files (~/.history, ~/.bash_history etc), when improper access
rights are set to them.
The grant tables define the initial MySQL user accounts and their access
privileges. These accounts are set up as follows:
Two accounts are created with a username of root. These are superuser
accounts that can do anything. The initial root account passwords are
empty, so anyone can connect to the MySQL server as root without a
password and be granted all privileges. On Unix, both root accounts are
for connections from the local host. Connections must be made from the
local host by specifying a hostname of localhost for one account, or the
actual hostname or IP number for the other.
Two anonymous-user accounts are created, each with an empty username. The
anonymous accounts have no passwords, so anyone can use them to connect to
the MySQL server and both anonymous accounts are for connections from the
local host. Connections must be made from the local host by specifying a
hostname of localhost for one account, or the actual hostname or IP number
for the other. These accounts have all privileges for the test database or
other databases with names that start with test_.
As noted, none of the initial accounts have passwords.
2) Disable remote access
The first change applies to the 3306/tcp port, on which MySQL listens by
default. Because, according to the initial assumptions, the database will
be used only by locally installed PHP applications, we can freely disable
listening on that port. This will limit possibilities of attacking the
MySQL database by direct TCP/IP connections from other hosts. Local
communication will still be possible through the mysql.sock socket. In order
to disable listening on the mentioned port, the following parameter should
be added to the [mysqld] section of /etc/my.cnf: skip-networking
3) Improve local security
The next change is to disable the use of the LOAD DATA LOCAL INFILE command,
which will help to prevent unauthorized reading from local files.
This matters especially when new SQL Injection vulnerabilities in PHP
applications are found.
For that purpose, the following parameter should be added in the [mysqld]
section in /etc/my.cnf:
set-variable=local-infile=0
see http://dev.mysql.com/doc/mysql/en/LOAD_DATA_LOCAL.html for more
information
4) Change admin name
It is also recommended to change the default name of administrator's
account (root), to a different, harder to guess one. Such a change will
make it difficult to perform brute-force and dictionary attacks on the
administrator's password. In this case the intruder will have to guess not
only the password, but first and foremost, the name of the administrator's
account.
mysql> update user set user="mydbadmin" where user="root";
mysql> flush privileges;
5) Anonymous access to the database (by using the nobody account)
must be disabled and all sample databases and tables must be removed
We must remove the sample database (test) and all accounts except the
local root account:
mysql> drop database test;
mysql> use mysql;
mysql> delete from db;
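mysql> # keep only the local admin account; if it was renamed in step 4, use that name instead of "root"
mysql> delete from user where not (host="localhost" and user="root");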
mysql> flush privileges;
This will prevent the database from establishing anonymous connections and
-- irrespective of the skip-networking parameter in /etc/my.cnf -- remote
connections as well.
6) Remove history
Finally, we should also remove the content of the MySQL history file
(~/.mysql_history), in which all executed SQL commands are being stored
(especially passwords, which are stored as plain text):
cat /dev/null > ~/.mysql_history
Flush privileges
regards,
gaël
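
An added example (not part of the original message): the account cleanup from steps 1, 4 and 5 replayed on an in-memory SQLite stand-in for the host/user/password columns of mysql.user, to show which accounts survive and what an audit still flags. The rows, the hostname linux.site, the hash placeholder and all function names are constructed for illustration.

```python
import sqlite3

# Constructed rows mimicking the default accounts described in the message:
# two root and two anonymous accounts, none with a password.
DEFAULT_ACCOUNTS = [("localhost", "root", ""), ("linux.site", "root", ""),
                    ("localhost", "", ""), ("linux.site", "", "")]

def fresh_user_table():
    """In-memory SQLite stand-in for host/user/password of mysql.user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (host TEXT, user TEXT, password TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?, ?)", DEFAULT_ACCOUNTS)
    return db

def set_admin_password(db, password_hash):
    """Step 1: give the local root account a password (hash is a placeholder)."""
    db.execute("UPDATE user SET password = ? "
               "WHERE user = 'root' AND host = 'localhost'", (password_hash,))

def rename_admin(db, new_name):
    """Step 4: rename every root account."""
    db.execute("UPDATE user SET user = ? WHERE user = 'root'", (new_name,))

def delete_all_but(db, keep_name):
    """Step 5: remove every account except keep_name@localhost."""
    db.execute("DELETE FROM user "
               "WHERE NOT (host = 'localhost' AND user = ?)", (keep_name,))

def accounts(db):
    return db.execute("SELECT host, user FROM user ORDER BY rowid").fetchall()

def audit(db):
    """Return (host, user, problem) for each account that is still risky."""
    findings = []
    rows = db.execute("SELECT host, user, password FROM user ORDER BY rowid")
    for host, user, password in rows:
        if user == "":
            findings.append((host, user, "anonymous account"))
        if password == "":
            findings.append((host, user, "empty password"))
        if host != "localhost":
            findings.append((host, user, "not restricted to localhost"))
    return findings

if __name__ == "__main__":
    db = fresh_user_table()
    set_admin_password(db, "*constructed-hash*")
    rename_admin(db, "mydbadmin")
    delete_all_but(db, "mydbadmin")  # the account's name after step 4
    print(accounts(db), audit(db))
```

If the rename runs first and the delete still names root, the table ends up empty, so the name passed to the delete has to be the one the account carries at that point.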