Securing your database servers from external attacks
- 1. Securing your database servers from external attacks
Alkin Tezuysal (Sr. Technical Manager, Percona)
David Busby (Information Security Architect, Percona)
- 2. 2
Who we are
David Busby (@icleus)
● Technical Security Evangelist
● Open Source Evangelist
● Certified Information Systems Security Professional
● Assistant Scout Leader
● Assistant Instructor computing for children
● Ju-Jitsu nidan and ex-Instructor
Alkin Tezuysal (@ask_dba)
● Open Source Database Evangelist
● Global Database Operations Expert
● Cloud Infrastructure Architect AWS
● Inspiring Technical and Strategic Leader
● Creative Team Builder
● Speaker, Mentor, and Coach
● Outdoor Enthusiast
- 3. 3
Agenda
● Security Common Sense
● MySQL Security
○ MySQL Passwords
○ MySQL Communication
○ MySQL Encryption
● Security Best Practices
● MySQL Security in Cloud Operators (AWS)
● Q & A
- 5. 5
Security Do’s
● Restrict access to database hosts
○ Not just to the Database service
● Create individual users, use roles MySQL 8.0
● Set a password for all users
● Remove anonymous and obsolete users
● Use up-to-date software
● Review, update, modify security policies as needed
● Always remember to address internal vulnerabilities before blocking external ones
- 6. 6
Password Attacks
● Weak passwords?
● Reusing old passwords?
● Leverage the password validation plugin!
● Running an old MySQL version that lacks password-management features?
● MySQL unsha1 attack
● MySQL hash cracking with open-source tools (john, hashcat, etc.)
- 7. 7
Network Operations
● All connections must use SSL (or other encryption)
○ The performance impact is minimal compared to the risk
● MySQL >= 5.7 enables SSL connections by default
○ Ensure >= 5.7.13
● Network encrypted tunnel options
○ N2N, OpenVPN (TLS), SSH tunnel, IPsec
Links:
https://www.percona.com/blog/2017/06/27/ssl-connections-in-mysql-5-7/
https://www.percona.com/blog/2017/09/19/proxysql-improves-mysql-sslconnections/
http://databaseblog.myname.nl/2017/05/mysql-and-ssltls-performance.html
https://github.com/ntop/n2n
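The slide's "all connections must use SSL" point, as an added example that is not part of the deck: SQL for MySQL 5.7.13+/8.0 that verifies TLS material is loaded, enforces TLS per account and server-wide, and audits accounts that still accept plaintext. The account name 'app'@'10.0.1.%' is assumed.

```sql
-- Constructed example (not from the deck): enforce TLS for MySQL client connections.
-- Assumes MySQL 5.7.13+ or 8.0 and an application account 'app'@'10.0.1.%'.

-- 1. Confirm the server has TLS material loaded. 5.7.13+ and 8.0 auto-generate a
--    CA, server and client certificate at startup (auto_generate_certs=ON);
--    mysql_ssl_rsa_setup does the same for an existing data directory.
SHOW GLOBAL VARIABLES WHERE Variable_name IN ('have_ssl', 'ssl_ca', 'ssl_cert', 'ssl_key');

-- 2. Per-account enforcement: the account can no longer log in over a plaintext
--    TCP connection. REQUIRE X509 additionally demands a client certificate
--    signed by the CA in ssl_ca (mutual TLS).
ALTER USER 'app'@'10.0.1.%' REQUIRE SSL;
-- ALTER USER 'app'@'10.0.1.%' REQUIRE X509;

-- 3. Server-wide enforcement (5.7.5+): refuse every non-TLS TCP connection;
--    Unix socket and shared-memory connections are still allowed.
--    In 5.7 put require_secure_transport=ON under [mysqld] in my.cnf;
--    SET PERSIST needs 8.0.11+.
SET PERSIST require_secure_transport = ON;

-- 4. Audit: which accounts still accept plaintext? ssl_type is '' for them,
--    'ANY' after REQUIRE SSL, 'X509' or 'SPECIFIED' for certificate requirements.
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE ssl_type = '';

-- 5. Verify from a client session that the link is actually encrypted:
--    an empty Ssl_cipher means the session was negotiated in plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```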
- 8. 8
MySQL Data Encryption
● Disk volume encryption
○ BitLocker, FileVault2, LUKS, eCryptfs, VeraCrypt, EBS encrypted volumes (please use KMS for the encryption keys!)
● At-rest encryption for InnoDB tablespace
● At-rest encryption for binary logs
Links:
https://dev.mysql.com/doc/refman/5.7/en/faqs-tablespace-encryption.html
https://docs.oracle.com/cd/E17952_01/mysql-5.7-en/innodb-tablespace-encryption.html
https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html
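The at-rest encryption bullets above, as an added example that is not part of the deck: a keyring configuration, InnoDB tablespace encryption for new and existing tables, master-key rotation and an audit query, for MySQL 5.7.11+/8.0. The schema 'shop', its tables and the keyring path are assumed.

```sql
-- Constructed example (not from the deck): InnoDB at-rest encryption with a keyring.
-- Assumes MySQL 5.7.11+ / 8.0; schema 'shop', its tables and the keyring path are made up.

-- my.cnf: the keyring plugin must be loaded before InnoDB initialises.
-- keyring_file is acceptable for a lab; in production back the keyring with a
-- KMS/Vault (e.g. Percona Server keyring_vault) so the master key never sits
-- on the same disk as the data it protects.
-- [mysqld]
-- early-plugin-load = keyring_file.so
-- keyring_file_data = /var/lib/mysql-keyring/keyring

-- Confirm the keyring is ACTIVE before creating encrypted tables.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- Encrypt a new table and an existing one (file-per-table tablespaces).
CREATE TABLE shop.cards (
  id         INT PRIMARY KEY,
  card_token VARBINARY(64) NOT NULL
) ENCRYPTION = 'Y';
ALTER TABLE shop.orders ENCRYPTION = 'Y';

-- Rotate the master key: only the per-tablespace keys are re-wrapped, the data
-- is not rewritten, so this is cheap enough to schedule regularly.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- Audit: InnoDB tables that are still unencrypted. CREATE_OPTIONS shows
-- ENCRYPTION="Y" on 5.7 and ENCRYPTION='Y' on 8.0; the _ wildcard matches both.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE ENGINE = 'InnoDB'
   AND TABLE_SCHEMA NOT IN ('mysql', 'sys', 'information_schema', 'performance_schema')
   AND CREATE_OPTIONS NOT LIKE '%ENCRYPTION=_Y_%';

-- Binary logs carry the same data to replicas and backups; encrypt them too
-- (8.0.14+; see the Percona Server link above for its 5.7 implementation).
SET PERSIST binlog_encryption = ON;
```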
- 11. 11
MySQL Variants
● MySQL Community Edition 5.5 -> 8.0
● MySQL Enterprise Edition
● Percona Server 5.5 -> 5.7 -> 8.0
● MariaDB 5.5, 10.X
● Galera, Group Replication/InnoDB Cluster
● X Protocol/mysqlsh (33060) -> 8.0
Links:
https://dev.mysql.com/doc/internals/en/x-protocol.html
https://dev.mysql.com/doc/internals/en/x-protocol-authentication-authentication.html
- 12. 12
MySQL Security by Version
● GRANT (3.23)
● REVOKE (3.23)
● SET PASSWORD (3.23)
● SHOW GRANTS (3.23)
● DROP USER (4.1)
● SHOW PRIVILEGES (4.1)
● CREATE USER (5.0)
● RENAME USER (5.0)
● ALTER USER (5.6)
● SHOW CREATE USER (5.7)
● CREATE ROLE (8.0)
● DROP ROLE (8.0)
● SET ROLE (8.0)
● SET DEFAULT ROLE (8.0)
- 13. 13
Important changes to the mysql.user table
● < 5.5: host, user, password
● 5.5+: authentication_string
● 5.6+: password_expired
● 5.7+: account_locked; password column removed
● 8.0+: Create_role_priv, Drop_role_priv
- 14. 14
Security Features by MySQL Version
● 5.1 - McAfee Audit plugin
● 5.5 - pluggable authentication (MariaDB 5.2 backport), proxy users, changes in the mysql.user table, client password warning; Enterprise-provided Audit and PAM authentication (present again in Percona Server for MySQL and MariaDB Server)
● 5.6 - encrypted client credentials (mysql_config_editor), sha256_password, password expiry, VALIDATE_PASSWORD_STRENGTH(), --random-passwords (optional random password on install), mysql.user password_expired column; Enterprise Firewall
● 5.7 - grep for the root password on installation, password expiry every 'n' days, user accounts can be locked/unlocked, mysql_ssl_rsa_setup, mysql.user.password removed, super_read_only, at-rest tablespace encryption
● 8.0 - roles + mysql.user changes
● Percona Server
○ MySQL 5.5 - extended SHOW GRANTS, utility user, userstats, Audit Plugin
○ MySQL 5.6 - super_read_only
○ MySQL 5.7 - Vault plugin
- 15. 15
Harden your MySQL Security
● Set a password for 'root'
● Remove all anonymous users
● Remove the 'test' database (gone in 8.0)
● Use mysql_secure_installation where possible (5.7)
● Install (and use!) the validate_password plugin (>= 5.6)
○ There are methods which circumvent this, however ...
■ ... IDENTIFIED BY '*ABC...' (passing the hash skips validation and allows a weak password)
● Enforce the principle of least privilege
○ Stop using GRANT ALL on *.* ...
○ ALL includes: FILE, CREATE ROUTINE, SUPER, ...
○ Allowing write access on mysql.user can allow injection of credentials that will be loaded at a later time!
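The hardening steps on this slide, together with the password-validation and per-user/role points from the "Security Do's" and "Password Attacks" slides, as one added example that is not part of the deck: SQL for MySQL 5.7/8.0 that finds and removes anonymous accounts, enables the password policy, scopes an application account (as a role on 8.0), and audits the global privileges that GRANT ALL hands out. The schema 'shop', account 'shop_app' and subnet 10.0.1.0/24 are assumed.

```sql
-- Constructed example (not from the deck): hardening steps for MySQL 5.7/8.0.
-- Schema 'shop', account 'shop_app' and the subnet 10.0.1.0/24 are assumed.

-- 1. Anonymous accounts and accounts with an empty credential
SELECT user, host, plugin, authentication_string
  FROM mysql.user
 WHERE user = '' OR authentication_string = '';
DROP USER IF EXISTS ''@'localhost', ''@'%';      -- IF EXISTS needs 5.7.8+
DROP DATABASE IF EXISTS test;

-- 2. Password policy. 5.7 loads a plugin; 8.0 ships it as a component instead:
--    INSTALL COMPONENT 'file://component_validate_password';
--    SET GLOBAL validate_password.policy = STRONG;
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = STRONG;
SET GLOBAL validate_password_length = 14;
-- The policy only sees cleartext passwords: IDENTIFIED WITH ... AS '<hash>'
-- bypasses it, so keep the CREATE USER privilege to a few admin accounts.

-- 3. root: strong password, reachable from localhost only
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE-ME-long-random-passphrase';
SELECT user, host FROM mysql.user WHERE user = 'root' AND host <> 'localhost';

-- 4. Least privilege instead of GRANT ALL ON *.*: one account per application,
--    scoped to its schema and source subnet, TLS required.
CREATE USER 'shop_app'@'10.0.1.%' IDENTIFIED BY 'CHANGE-ME-policy-compliant' REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_app'@'10.0.1.%';

-- 8.0: the same grant as a role, so the privilege set is managed in one place
CREATE ROLE 'shop_rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_rw';
GRANT 'shop_rw' TO 'shop_app'@'10.0.1.%';
SET DEFAULT ROLE 'shop_rw' TO 'shop_app'@'10.0.1.%';

-- 5. Audit the global privileges that ALL silently includes (FILE reads/writes
--    server files, SUPER bypasses read_only, GRANT OPTION and CREATE USER hand
--    out accounts) plus global INSERT/UPDATE, which reach mysql.user.
--    root@localhost is the expected hit; anything else needs a justification.
SELECT user, host
  FROM mysql.user
 WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Grant_priv = 'Y'
    OR Create_user_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y';

-- Schema-level write on mysql.* is the credential-injection path from the slide
SELECT user, host, db
  FROM mysql.db
 WHERE db = 'mysql' AND (Insert_priv = 'Y' OR Update_priv = 'Y');
```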
- 17. 17
Pillars of AWS Security
● Data Protection
● Privilege Management
● Infrastructure Management
● Detective Controls
- 18. 18
AWS Security Best Practices
● Know the shared responsibility model
● Manage AWS Accounts, IAM / MFA Users, Groups, and Roles
● EC2 Topology management
○ VPC
● RDS MySQL
○ RDS
○ AURORA
● AWS Tools
○ CloudTrail
○ CloudWatch
○ Config
- 19. 19
AWS Security Best Practices
● RDS
○ Shared responsibility for container service
● EC2
○ Amazon Machine Images (AMIs)
○ Operating systems
○ Applications
○ Data in transit
○ Data at rest
○ Data stores
○ Credentials - Key pairs
○ Policies and configuration
- 21. 21
AWS IAM is your friend
● Centrally manage users
● Manage security credentials
○ passwords, access keys, and permissions policies
● Beware of regions, availability zones, endpoints
● AWS API keys require strict protection
○ E.g. code pushed to Github, Bitbucket etc with keys
- 22. 22
In addition to IAM
● AWS Key Management Service
● AWS CloudTrail
○ Audit logging, invaluable to know what occurred and when
● AWS Macie - Data Classification Service
● AWS Trusted Advisor
○ Automated tool to get reports on security groups etc (if you spend enough)
https://aws.amazon.com/premiumsupport/ta-faqs/
- 23. 23
Pre-configure and harden EC2 AMI
● Disable the root account's API access key and secret key
● Require MFA for all IAM accounts
● Restrict access to instances from limited IP ranges using Security Groups
● Password-protect the .pem file on user machines
● Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access
● Rotate credentials (DB, Access Keys)
● Regularly run least-privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
● Use bastion hosts to enforce control and visibility
- 25. 25
MySQL Data in Transit
● Web Layer
○ Encrypt data in transit using IPSec ESP and/or SSL/TLS
○ Authenticate data integrity using IPSec ESP/AH, and/or SSL/TLS
○ Use IPSec with IKE with pre-shared keys
● Database Layer
○ SSL/TLS is currently supported for connections to Amazon RDS MySQL
○ AWS provides a single self-signed certificate associated with the MySQL
- 26. 26
AWS Trusted Advisor Checks
● Access to common administrative ports is limited to a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet), 3389 (RDP) and 5500 (VNC).
● Access to common database ports is limited. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), 1521 (Oracle) and 5432 (PostgreSQL).
● IAM is configured to help ensure secure access control of AWS resources.
● A multi-factor authentication (MFA) token is enabled to provide two-factor authentication for the root AWS account.
- 27. 27
References and Credits
References:
● AWS Security Best Practices
● IAM Best Practices
● Amazon Virtual Private Cloud Connectivity Options
● VPC Networking Components
● SSL Connections in MySQL 5.7
● ProxySQL Improves MySQL SSL Connections
● Everything about MySQL Users and Logins You Didn't Know and Were Afraid to Ask
Credits:
● Colin Charles
● Janos Ruzso
● Tibor Korocz
● Jervin Real
● Daniel van Eeden