announcement The content of this page is collected from Linux Forum, All copyrights and other associated rights are reserved by the original authors of the articles.
MySQL Security Risk?
Subject: MySQL Security Risk?
Author: Neil    Posted: 2004-08-23 15:00:44    Length: 629 byte(s)
Hi All,

I'd like to install MySQL and PHP onto my server that's hosted in a POP on
the internet.  No I have no firewall on the machine, but I only have the
SSH, FTP (chrooted, no real users) and APACHE services running.  I trust
these services (rightly or wrongly).

Now MySQL has been around for ages and I was wondering if it is secure
enough to run on an open server? I understand that you can limit access to
users at specific IP addresses, but is this service still vulnerable to
attack?

I'd greatly appreciate your views.

Neil

Subject: MySQL Security Risk?
Author: Peter Hille    Posted: 2004-08-23 17:38:39    Length: 1,868 byte(s)
On Mon, 23 Aug 2004 21:00:44 +0000, Neil wrote:

Hi Neil,

QUOTE
Hi All,

I'd like to install MySQL and PHP onto my server that's hosted in a POP
on the internet.  No I have no firewall on the machine, but I only have
the SSH, FTP (chrooted, no real users) and APACHE services running.  I
trust these services (rightly or wrongly).

Now MySQL has been around for ages and I was wondering if it is secure
enough to run on an open server? I understand that you can limit access
to users at specific IP addresses, but is this service still vulnerable
to attack?


If you want to use the MySQL server only with the Apache/PHP on the box
and don't need any database connections from other hosts you can
completely disable the MySQL networking features so that the databases can
only be accessed from the box that runs the MySQL server.

QUOTE
I'd greatly appreciate your views.

I have some MySQL/PHP based web applications running on a Debian box for
about two years now and until now nobody who tried to attack it was
successful until now, so IMHO MySQL and PHP are safe enough to use if you
properly configure them ;-)


QUOTE
Neil

Peter

Subject: MySQL Security Risk?
Author: Jem Berkes    Posted: 2004-08-23 17:46:56    Length: 598 byte(s)
QUOTE
have the SSH, FTP (chrooted, no real users) and APACHE services
running.  I trust these services (rightly or wrongly).

Your entire system is only as secure as the weakest link. If you keep all
your server software up to date, you will have no problem.

--
Jem Berkes
http://www.sysdesign.ca/

Subject: MySQL Security Risk?
Author: Jose Maria Lopez Hernandez    Posted: 2004-08-24 00:30:50    Length: 1,705 byte(s)
Neil wrote:
QUOTE
Hi All,

I'd like to install MySQL and PHP onto my server that's hosted in a POP on
the internet.  No I have no firewall on the machine, but I only have the
SSH, FTP (chrooted, no real users) and APACHE services running.  I trust
these services (rightly or wrongly).

Now MySQL has been around for ages and I was wondering if it is secure
enough to run on an open server? I understand that you can limit access to
users at specific IP addresses, but is this service still vulnerable to
attack?

I'd greatly appreciate your views.

Neil




In my penetration tests with nessus and some exploits it looks pretty
strong. You should be more worried about Apache, that it's much more
problematic. At least it's my point of view.


--

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                 -- Jack Kerouac, "On the Road"

Subject: MySQL Security Risk?
Author: Brian C. Lane    Posted: 2004-08-26 21:02:17    Length: 1,883 byte(s)
In article [eGBWc.104990$r4.2688081@news-reader.eresmas.com], Jose Maria Lopez Hernandez wrote:
QUOTE
Neil wrote:
Hi All,

I'd like to install MySQL and PHP onto my server that's hosted in a POP on
the internet.  No I have no firewall on the machine, but I only have the
SSH, FTP (chrooted, no real users) and APACHE services running.  I trust
these services (rightly or wrongly).

Now MySQL has been around for ages and I was wondering if it is secure
enough to run on an open server? I understand that you can limit access to
users at specific IP addresses, but is this service still vulnerable to
attack?

I'd greatly appreciate your views.

Neil




In my penetration tests with nessus and some exploits it looks pretty
strong. You should be more worried about Apache, that it's much more
problematic. At least it's my point of view.



MySQL has had some pretty serious security problems in the past (I
seem to remember one where the password checking code used the length of
the supplied password to control the check...)

I would use iptables to block external access to port 3306 and if any
external apps need to access it you can setup a ssh tunnel from the remote
machine so that the connection is protected.

Brian

--
---[Office 73.3F]--[Fridge 38.6F]---[Fozzy 93.5F]--[Coaster 73.2F]---
Linux Software Developer                     http://www.brianlane.com

Subject: MySQL Security Risk?
Author: Nuno Paquete    Posted: 2004-08-31 10:23:59    Length: 505 byte(s)
QUOTE
I would use iptables to block external access to port 3306 and if any
external apps need to access it you can setup a ssh tunnel from the remote
machine so that the connection is protected.

Brian


How would you create a ssh tunnel?
With stunnel?
Using a VPN?

Subject: MySQL Security Risk?
Author: Tim Haynes    Posted: 2004-08-31 11:47:37    Length: 918 byte(s)
Nuno Paquete [nmp@ispgaya.pt] writes:

QUOTE
I would use iptables to block external access to port 3306 and if any
external apps need to access it you can setup a ssh tunnel from the remote
machine so that the connection is protected.


How would you create a ssh tunnel?
With stunnel?
Using a VPN?

Most people would use ssh to create an ssh tunnel.

~Tim
--
   18:47:25 up 14 days,  2:22,  3 users,  load average: 0.65, 0.74, 0.47
piglet@stirfried.vegetable.org.uk |And the wind / And the rain
http://spodzone.org.uk/cesspit/   |Falls around

Subject: MySQL Security Risk?
Author: Christopher Browne    Posted: 2004-08-31 16:52:54    Length: 622 byte(s)
Quoth Nuno Paquete [nmp@ispgaya.pt]:
QUOTE
How would you create a ssh tunnel?
With stunnel?
Using a VPN?

No, I'd use ssh.
--
output = reverse("moc.enworbbc" "@" "enworbbc")
http://cbbrowne.com/info/nonrdbms.html
Anyone who can't laugh at himself is not taking life seriously enough.
-- Larry Wall

Subject: MySQL Security Risk?
Author: dd    Posted: 2004-09-01 05:13:08    Length: 1,828 byte(s)
How about locking down mysql to localhost then running PhpMyAdmin
(Allowing clients to use a web interface which connects to localhost )


Brian C. Lane wrote:

QUOTE
In article [eGBWc.104990$r4.2688081@news-reader.eresmas.com], Jose Maria Lopez Hernandez wrote:

Neil wrote:

Hi All,

I'd like to install MySQL and PHP onto my server that's hosted in a POP on
the internet.  No I have no firewall on the machine, but I only have the
SSH, FTP (chrooted, no real users) and APACHE services running.  I trust
these services (rightly or wrongly).

Now MySQL has been around for ages and I was wondering if it is secure
enough to run on an open server? I understand that you can limit access to
users at specific IP addresses, but is this service still vulnerable to
attack?

I'd greatly appreciate your views.

Neil




In my penetration tests with nessus and some exploits it looks pretty
strong. You should be more worried about Apache, that it's much more
problematic. At least it's my point of view.




MySQL has had some pretty serious security problems in the past (I
seem to remember one where the password checking code used the length of
the supplied password to control the check...)

I would use iptables to block external access to port 3306 and if any
external apps need to access it you can setup a ssh tunnel from the remote
machine so that the connection is protected.

Brian


Subject: MySQL Security Risk?
Author: dd    Posted: 2004-09-01 05:15:49    Length: 1,287 byte(s)
Neil wrote:
Try running mysql bound to localhost

then set up phpMyAdmin so when each user is set up, /admin or something
refers to their own phpMyAdmin that allows them to connect only to
their own database.

The webserver on local machine queries mysql and returns results to php
perl servlet within the server. This means mysql only runs locally hence
keeps out the globe



QUOTE
Hi All,

I'd like to install MySQL and PHP onto my server that's hosted in a POP on
the internet.  No I have no firewall on the machine, but I only have the
SSH, FTP (chrooted, no real users) and APACHE services running.  I trust
these services (rightly or wrongly).

Now MySQL has been around for ages and I was wondering if it is secure
enough to run on an open server? I understand that you can limit access to
users at specific IP addresses, but is this service still vulnerable to
attack?

I'd greatly appreciate your views.

Neil




Subject: MySQL Security Risk?
Author: Nuno Paquete    Posted: 2004-09-01 08:01:04    Length: 669 byte(s)
Christopher Browne wrote:

QUOTE
Quoth Nuno Paquete [nmp@ispgaya.pt]:
How would you create a ssh tunnel?
With stunnel?
Using a VPN?

No, I'd use ssh.

How do you do it?
You can use Putty to connect securely to the server using SSH protocol, but
how can you create a tunnel that will be used by MySql connections? I mean,
how can you connect to 3306 port within a secure tunnel?

Regards,
Nuno Paquete

Subject: MySQL Security Risk?
Author: ynotssor    Posted: 2004-09-01 11:35:44    Length: 686 byte(s)
"Nuno Paquete" [nmp@ispgaya.pt] wrote in message
news:4135d605$0$1830$a729d347@news.telepac.pt

QUOTE
No, I'd use ssh.

How do you do it?
You can use Putty to connect securely to the server using SSH
protocol, but how can you create a tunnel that will be used by MySql
connections? I mean, how can you connect to 3306 port within a secure
tunnel?

-p port

see the man page

--
use hotmail for email replies

Subject: MySQL Security Risk?
Author: Jose M.Herrera M.    Posted: 2004-09-01 08:53:46    Length: 732 byte(s)
dd [dd@ndirect.co.uk] wrote:
QUOTE
How about locking down mysql to localhost then running PhpMyAdmin

(Allowing clients to use a web interface which connects to localhost )

For more security, use ssl.

Bye!

--
.............................................
Jose Miguel Herrera M. -   User #246070 counter.li.org
Est.Ing.Civil Informatica - UTFSM
Valparaiso, Chile - http://www.inf.utfsm.cl/~jherrera

Subject: MySQL Security Risk?
Author: Christopher Browne    Posted: 2004-09-01 16:52:44    Length: 1,353 byte(s)
After a long battle with technology, Nuno Paquete [nmp@ispgaya.pt], an earthling, wrote:
QUOTE
Christopher Browne wrote:

Quoth Nuno Paquete [nmp@ispgaya.pt]:
How would you create a ssh tunnel?
With stunnel?
Using a VPN?

No, I'd use ssh.

How do you do it?
You can use Putty to connect securely to the server using SSH protocol, but
how can you create a tunnel that will be used by MySql connections? I mean,
how can you connect to 3306 port within a secure tunnel?

This is well-documented in numerous places including here
[http://www.brandonhutchinson.com/ssh_tunnelling.html]

The relevant SSH options are -L, -R, and possibly -f.
--
If this was helpful, [http://svcs.affero.net/rm.php?r=cbbrowne] rate me
http://www3.sympatico.ca/cbbrowne/sap.html
"In most  countries selling harmful  things like drugs  is punishable.
Then how come  people can sell Microsoft software  and go unpunished?"
-- [hasku@rost.abo.fi] Hasse Skrifvars
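
The measures suggested across this thread (MySQL reachable only on loopback, an iptables block on port 3306, and an `ssh -L` forward for remote clients) are collected here as an added example that is not part of any post. The host `user@db.example.org`, the account `appuser` and local port 3307 are placeholders, and the `ss -ltn` samples are constructed.

```bash
#!/bin/sh
# Added example; user@db.example.org and local port 3307 are placeholders.

# Server, as root: accept MySQL only on loopback and drop it everywhere else.
# With bind-address = 127.0.0.1 in my.cnf the daemon does not listen externally
# at all; skip-networking turns TCP off completely, which also rules out the
# tunnel below, since that needs the server's own 127.0.0.1:3306.
lock_down_mysql_port() {
    iptables -A INPUT -i lo -p tcp --dport 3306 -j ACCEPT
    iptables -A INPUT -p tcp --dport 3306 -j DROP
}

# Client: forward 127.0.0.1:3307 here to 127.0.0.1:3306 as seen from the server.
# -N runs no remote command, -f backgrounds ssh after authentication.
open_mysql_tunnel() {
    ssh -f -N -L 127.0.0.1:3307:127.0.0.1:3306 "$1"    # $1: user@db.example.org
    # Connect with: mysql -h 127.0.0.1 -P 3307 -u appuser -p   (appuser is made up)
}

# Audit: reads `ss -ltn` output on stdin and prints each listener on port $1
# that is not bound to loopback; returns 1 if it printed any.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            p = parts[n]                                  # text after last colon
            host = substr(addr, 1, length(addr) - length(p) - 1)
            gsub(/^\[|\]$/, "", host)                     # [::1] becomes ::1
            if (p == port && host !~ /^127\./ && host != "::1") {
                print addr
                bad = 1
            }
        }
        END { exit bad + 0 }'
}

# Constructed samples of `ss -ltn` output, not captured from a real host.
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      80     [::]:3306          [::]:*'
SS_LOCAL_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    [::1]:3307         [::]:*'
```

On a live host, feed it the real socket list with `ss -ltn | exposed_listeners 3306` on the server, and with port 3307 on the client to confirm the tunnel's local end is not offered to the LAN.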
