MySQL in Linux

Yongyan Huang, Department of Computer Science, Southern Illinois University Carbondale, Carbondale, IL, 62901, [email protected]


Outline

• What’s MySQL?
• Installation
• Post Installation Setup and Testing
• Security Issues
• Common Security Problems
• Conclusion

What’s MySQL?

• The MySQL database server is the world's most popular open source database.

• Over six million installations use MySQL to power high-volume Web sites and other critical business systems — including industry-leaders like The Associated Press, Yahoo, NASA, Sabre Holdings and Suzuki.

What’s MySQL? (Contd.)

• Low Cost
• High Speed
• Scalability
• Reliability

Installation

• Download Server and Client Package

Download the MySQL server and client from http://dev.mysql.com/downloads/mysql/4.1.html:

MySQL-server-4.1.13-0.i386.rpm
MySQL-client-4.1.13-0.i386.rpm

• Check MD5 checksum

shell> md5sum MySQL-server-4.1.13-0.i386.rpm
shell> md5sum MySQL-client-4.1.13-0.i386.rpm

Installation

• Install MySQL server
shell> rpm -i MySQL-server-4.1.13-0.i386.rpm

• Install MySQL client
shell> rpm -i MySQL-client-4.1.13-0.i386.rpm

• By default, the log and database files are installed under /var/lib/mysql, the client programs and scripts under /usr/bin, and the mysqld server under /usr/sbin.

Start the MySQL Server

• Check if the server is running
shell> ps -el | grep mysqld

• Start mysql manually
shell> /etc/rc.d/init.d/mysql start

Post Installation Setup and Testing

• Root users: superuser accounts that can do anything. The initial root account passwords are empty, so anyone can connect to the MySQL server as root without a password and be granted all privileges.

• Default (anonymous) users: accounts with an empty username. They have no passwords, so anyone can use them to connect to the MySQL server.

Post Installation Setup and Testing (Contd.)

• Set Password For Root User

shell> mysql -u root mysql
mysql> update user set password=password('cs591') where user='root';

Post Installation Setup and Testing (Contd.)

[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6 to server version: 4.1.13-standard

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select user, host, password from user;
+------+-----------+-------------------------------------------+
| user | host      | password                                  |
+------+-----------+-------------------------------------------+
| root | localhost | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
|      | localhost |                                           |
+------+-----------+-------------------------------------------+
2 rows in set (0.03 sec)

Post Installation Setup and Testing (Contd.)

• Delete The Default User:

mysql> delete from user where host='localhost' and user='' and password='';

mysql> select user, host, password from user;
+------+-----------+-------------------------------------------+
| user | host      | password                                  |
+------+-----------+-------------------------------------------+
| root | localhost | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
+------+-----------+-------------------------------------------+
1 row in set (0.00 sec)

Post Installation Setup and Testing (Contd.)

• Add new user

mysql> insert into user (host, user, password) values ('localhost', 'test1', password('test1pw'));

mysql> select user, host, password from mysql.user;
+-------+-----------+-------------------------------------------+
| user  | host      | password                                  |
+-------+-----------+-------------------------------------------+
| root  | localhost | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| test1 | localhost | *29D25F1800631E6537F85FBF1D8B96965C7706F0 |
+-------+-----------+-------------------------------------------+
2 rows in set (0.00 sec)

Post Installation Setup and Testing (Contd.)

Tips:

• Each time you modify user information with delete, update or insert, you must either restart the MySQL server for the change to take effect or reload the grant tables manually: issue a FLUSH PRIVILEGES statement, or run mysqladmin flush-privileges or mysqladmin reload.

• Pay attention to the "host" column and change it if needed. If it is "localhost", the user can only connect to the server from the local machine. If the user needs to connect from the machine 131.230.133.142 (subnet mask 255.255.255.0), the host value should be changed to '131.230.133.142/255.255.255.0'.
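As an added example (not part of the slides), a small checker that parses the table the mysql monitor prints for "select user, host, password from user" and flags the accounts the post-installation steps above are meant to fix. The listing it reads is constructed: root and the anonymous user as on a fresh install, plus an assumed test1 row with host '%' to show the host check.

```python
"""Added example (not from the slides): audit the "select user, host, password
from user" listing printed by the mysql monitor and flag the weaknesses the
post-installation steps fix. SAMPLE_LISTING is constructed: root and the
anonymous user as on a fresh install, plus an assumed test1 row with host '%'."""

SAMPLE_LISTING = """\
+-------+-----------+-------------------------------------------+
| user  | host      | password                                  |
+-------+-----------+-------------------------------------------+
| root  | localhost |                                           |
|       | localhost |                                           |
| test1 | %         | *29D25F1800631E6537F85FBF1D8B96965C7706F0 |
+-------+-----------+-------------------------------------------+
"""


def parse_mysql_table(text):
    """Turn the monitor's box-drawn table into a list of row dicts."""
    lines = [ln for ln in text.splitlines() if ln.startswith("|")]

    def cells(line):
        # Drop the outer pipes, split on the inner ones, trim padding.
        return [c.strip() for c in line.strip("|").split("|")]

    header = cells(lines[0])
    return [dict(zip(header, cells(ln))) for ln in lines[1:]]


def audit_accounts(accounts):
    """Return (user, host, finding) tuples for accounts the slides warn about."""
    findings = []
    for acct in accounts:
        who = (acct["user"], acct["host"])
        if acct["user"] == "":
            findings.append(who + ("anonymous account: delete it or set a password",))
        if acct["password"] == "":
            findings.append(who + ("empty password: set one with PASSWORD()",))
        if acct["host"] == "%":
            findings.append(who + ("reachable from any host: narrow the host column",))
    return findings


if __name__ == "__main__":
    for user, host, finding in audit_accounts(parse_mysql_table(SAMPLE_LISTING)):
        print(f"'{user}'@'{host}': {finding}")
```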

Security Issues

1) Security of the initial user accounts

Set a password for the root user, and delete the default user or set a password for it.

2) Security of the password

Use the function PASSWORD() to hash the password (one-way) before storing it:

mysql> update user set password=password('new-password') where user='username' and host='hostname';

The password stored in the user table then becomes something like '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B'.

Security Issues

3) Security of user privileges

• Grant <privilege> on <object> to <user> [identified by 'password'] [with grant option]

mysql> GRANT all ON *.* TO admin IDENTIFIED BY 'cs591.user';

• Put restrictions on a single user:

mysql> GRANT Select ON customer.* TO admin IDENTIFIED BY 'cs591.user' WITH MAX_QUERIES_PER_HOUR 20 MAX_UPDATES_PER_HOUR 10 MAX_CONNECTIONS_PER_HOUR 5;

• Revoke <privilege> on <object> from <user>

mysql> revoke insert on student.* from admin;

Security Issues

4) Security of the grant tables

• There are currently 5 tables that provide access control: the user, db, host, tables_priv and columns_priv tables. These tables vary slightly in purpose, yet all serve the same function, which is to verify that the user is doing what the user is allowed to do.

• For example, the user table determines whether or not the connecting user is allowed to connect to the server. Assuming the connection is allowed, its privilege fields hold the user's global privileges. So never give anyone except the MySQL root accounts access to the user table in the mysql database!

Security Issues

5) Using secure connections (e.g. SSL, SSH)

Do not transmit plain (unencrypted) data over the Internet. This information is accessible to everyone who has the time and ability to intercept it and use it for their own purposes. Instead, use an encrypted protocol such as SSL or SSH. To check whether your server was built with SSL support:

mysql> SHOW VARIABLES LIKE 'have_openssl';

6) Disable networking if it is not needed

If a database only needs to be accessed locally, TCP networking can be disabled by adding --skip-networking to the two mysqld invocations in the start-up script /usr/bin/safe_mysqld, so that each of them ends in:

--skip-networking --skip-locking >> $err_log 2>&1
--skip-networking --skip-locking "$@" >> $err_log 2>&1


Security Issues

7) Do not trust any data entered by users of your applications

SELECT * FROM usertable WHERE ID=234 or 1=1

No matter whether there is a user with ID=234 or not, the server returns all user records in the user table, because the WHERE condition is always true.

This exposes every record and causes excessive server load. This is called a SQL injection attack.

Use apostrophes around numeric constants: SELECT * FROM table WHERE ID='234'. If the user enters extra information, it all becomes part of the string:

select * from usertable where ID='123 or 1=1'

The attacker cannot get anything.
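As an added example (not from the slides), the lookup above built by pasting user input into the SQL text, next to a hardened version that validates the ID and binds it as a parameter. It uses Python's built-in sqlite3 as an offline stand-in for a MySQL connection (an assumption; the same pattern applies to a MySQL driver with its own placeholder syntax), and the usertable rows are constructed. Quoting the constant, as above, only helps while the input contains no quote character; parameter binding does not depend on that.

```python
"""Added example (not from the slides): string-built vs. parameterized lookup.
sqlite3 stands in for a MySQL connection so the example runs offline; the
usertable rows below are constructed."""
import sqlite3

# Constructed sample rows standing in for the slides' "usertable".
SAMPLE_ROWS = [(234, "alice"), (235, "bob"), (236, "carol")]


def make_db():
    """Create an in-memory usertable with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (ID INTEGER, name TEXT)")
    conn.executemany("INSERT INTO usertable VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, user_input):
    """Vulnerable: the input is spliced into the SQL text, as on the slide."""
    sql = "SELECT * FROM usertable WHERE ID=" + user_input
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    """Hardened: require an integer ID, then bind it as a parameter so the
    driver never interprets the value as SQL."""
    try:
        user_id = int(user_input)
    except ValueError:
        return []          # not a numeric ID: reject instead of querying
    sql = "SELECT * FROM usertable WHERE ID=?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "234 or 1=1"))   # every row comes back
    print(lookup_safe(db, "234 or 1=1"))     # rejected: []
    print(lookup_safe(db, "234"))            # [(234, 'alice')]
```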

Common Security Issues

1. Do not store any plain-text passwords in your database. If your computer becomes compromised, the intruder can take the full list of passwords and use them.

2. Do not choose passwords from dictionaries. There are special programs to break them.

3. Use a firewall. It can protect your system from attack. MySQL uses port 3306 by default; this port should not be accessible from untrusted hosts.

4. Update your MySQL server when a new patch is released. The same principle applies to the other utility packages that may be loaded on your server, such as SSH, zlib or wu-ftp.

Conclusion

The installation is very easy, but the security configuration is not. You should take every possibility into account to make sure your database is safe!

Thank you!

Questions?