Securing your database servers from external attacks
Alkin Tezuysal (Sr. Technical Manager, Percona)
David Busby (Information Security Architect, Percona)
Who we are?
David Busby (@icleus)
● Technical Security Evangelist
● Open Source Evangelist
● Certified Information Systems Security Professional
● Assistant Scout Leader
● Assistant Instructor computing for children
● Ju-Jitsu nidan and ex-Instructor
Alkin Tezuysal (@ask_dba)
● Open Source Database Evangelist
● Global Database Operations Expert
● Cloud Infrastructure Architect AWS
● Inspiring Technical and Strategic Leader
● Creative Team Builder
● Speaker, Mentor, and Coach
● Outdoor Enthusiast
Agenda
● Security Common Sense
● MySQL Security
○ MySQL Passwords
○ MySQL Communication
○ MySQL Encryption
● Security Best Practices
● MySQL Security in Cloud Operators (AWS)
● Q & A
Database Security Best Practices
Apply Common Sense here
Security Do’s
● Restrict access to database hosts
○ Not just to the database service
● Create individual users; use roles (MySQL 8.0)
● Set a password for all users
● Remove anonymous and obsolete users
● Use up-to-date software
● Review, update and modify security policies as needed
● Always remember to secure internal vulnerabilities before blocking external ones
Password Attacks
● Weak passwords?
● Reusing old passwords?
● Leverage the password validation plugin!
● Older MySQL versions that lack these password features?
● MySQL unsha1 attack
● MySQL hash cracking with OSS tools (john, hashcat, etc.)
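The SQL below is an added example written for this page, not code from the slides or from Percona. It shows the server-side controls the slide alludes to: the validate_password plugin, password expiry, account locking, and an audit for accounts still on the SHA1-based mysql_native_password hash that unsha1 and offline cracking target. The account names and the sample password are placeholders, and the statements assume MySQL 5.7 (in 8.0 validate_password is a component and its variables are named validate_password.policy and so on).

```sql
-- Added example (not from the slides). Assumes MySQL 5.7; the accounts
-- 'app'@'10.0.0.%' and 'reporting_old'@'%' are placeholders.

-- 1. Reject weak passwords before they are ever stored.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = MEDIUM;   -- length, mixed case, digits, special chars
SET GLOBAL validate_password_length = 14;
-- Score a candidate: 0 = weakest, 100 = meets the strongest policy.
SELECT VALIDATE_PASSWORD_STRENGTH('Correct-Horse-Battery-42!') AS strength;

-- 2. Bound the lifetime of a leaked credential (5.7.4+).
SET GLOBAL default_password_lifetime = 90;                     -- days, server-wide
ALTER USER 'app'@'10.0.0.%' PASSWORD EXPIRE INTERVAL 90 DAY;   -- per-account override
-- ALTER USER 'app'@'10.0.0.%' PASSWORD EXPIRE NEVER;          -- explicit, reviewed exemption

-- 3. Lock accounts that only own objects or are no longer used (5.7.6+).
ALTER USER 'reporting_old'@'%' ACCOUNT LOCK;

-- 4. Audit: accounts with no credential at all, and accounts whose stored hash
--    is SHA1(SHA1(password)) (mysql_native_password), the format that unsha1
--    and john/hashcat work against.
SELECT user, host, plugin, password_expired, account_locked
  FROM mysql.user
 WHERE authentication_string = ''
    OR plugin NOT IN ('sha256_password', 'caching_sha2_password');

-- 5. Migrate one such account to a salted SHA-256 hash. sha256_password
--    needs TLS or RSA key exchange on the client side, so test a client first.
ALTER USER 'app'@'10.0.0.%' IDENTIFIED WITH sha256_password BY 'Correct-Horse-Battery-42!';
```

Step 5 writes the literal password into the general log and binary log if they are enabled on the session, so run it from a session with `SET sql_log_bin = 0` where replication allows and treat the logs as sensitive.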
Network Operations
● All connections must use SSL (or other encryption)
○ Performance impact is minimal versus the risks
● MySQL >= 5.7 has SSL connections by default
○ Ensure >= 5.7.13
● Network encrypted tunnel options
○ N2N, OpenVPN (TLS), SSH tunnel, IPsec
Links:
https://www.percona.com/blog/2017/06/27/ssl-connections-in-mysql-5-7/
https://www.percona.com/blog/2017/09/19/proxysql-improves-mysql-sslconnections/
http://databaseblog.myname.nl/2017/05/mysql-and-ssltls-performance.html
https://github.com/ntop/n2n
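As an added example that is not part of the slides or of Percona's material, the SQL below enforces and verifies the "all connections must use SSL" rule on the server itself: a server-wide switch, per-account requirements, and two audit queries (accounts that may still connect in clear text, and live sessions with the cipher each negotiated). It assumes MySQL 5.7 built with TLS support; the account names and password are placeholders.

```sql
-- Added example (not from the slides). Assumes MySQL 5.7 with TLS support;
-- 'app'@'10.0.0.%' and 'dba'@'10.0.1.%' are placeholder accounts.

-- 1. Is TLS available at all? have_ssl = YES requires ssl_ca/ssl_cert/ssl_key
--    files; 5.7 generates self-signed ones at first start or via mysql_ssl_rsa_setup.
SHOW GLOBAL VARIABLES LIKE 'have_ssl';
SHOW GLOBAL VARIABLES LIKE 'ssl_%';
SHOW GLOBAL VARIABLES LIKE 'tls_version';   -- 5.7.10+: drop TLSv1/TLSv1.1 once clients allow

-- 2. Server-wide: refuse every TCP client that does not negotiate TLS (5.7.8+).
--    Unix socket, shared-memory and named-pipe connections are exempt, so local
--    administration keeps working.
SET GLOBAL require_secure_transport = ON;

-- 3. Per account: works on servers older than 5.7.8 as well, and lets you demand
--    a client certificate from the accounts that matter most.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'Correct-Horse-Battery-42!' REQUIRE SSL;
ALTER USER 'dba'@'10.0.1.%' REQUIRE X509;   -- client cert must be signed by the server's CA
-- MySQL 5.6 equivalent (ALTER USER ... REQUIRE is 5.7.6+):
-- GRANT USAGE ON *.* TO 'app'@'10.0.0.%' REQUIRE SSL;

-- 4. Audit: accounts that are still allowed to connect in clear text.
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE ssl_type = '';        -- '' = no TLS requirement; ANY, X509 or SPECIFIED otherwise

-- 5. Audit: current sessions and the cipher each negotiated; an empty value is a
--    plaintext session. performance_schema.status_by_thread exists from 5.7.6.
SELECT t.processlist_user, t.processlist_host, s.variable_value AS ssl_cipher
  FROM performance_schema.threads t
  JOIN performance_schema.status_by_thread s USING (thread_id)
 WHERE s.variable_name = 'Ssl_cipher'
   AND t.processlist_user IS NOT NULL;

-- 6. From any client, confirm your own connection is encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Run query 5 before turning on `require_secure_transport`: every plaintext session it lists belongs to a client that will start failing to connect, which is the list to fix first.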
MySQL Data Encryption
● Disk volume encryption
○ BitLocker, FileVault2, LUKS, eCryptFS, VeraCrypt, EBS encrypted volumes (please use KMS for encryption keys!)
● At-rest encryption for InnoDB tablespaces
● At-rest encryption for binary logs
Links:
https://dev.mysql.com/doc/refman/5.7/en/faqs-tablespace-encryption.html
https://docs.oracle.com/cd/E17952_01/mysql-5.7-en/innodb-tablespace-encryption.html
https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html
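The following is an added example, not code from the slides or from the linked documentation pages. It walks through InnoDB tablespace encryption and binary log encryption as the slide lists them: confirming the keyring is loaded, encrypting a table, auditing for tables still stored in clear, and rotating the master key. It assumes MySQL 5.7.11+ with innodb_file_per_table enabled and a keyring plugin already loaded from my.cnf (keyring_file, or Percona Server's keyring_vault); the schema and table names are placeholders, and the last statement assumes MySQL 8.0.14+.

```sql
-- Added example (not from the slides). Assumes MySQL 5.7.11+ with
-- innodb_file_per_table=ON and a keyring plugin loaded via my.cnf
-- (early-plugin-load=keyring_file.so, keyring_file_data=<path>) or
-- Percona Server's keyring_vault. 'shop' and its tables are placeholders.

-- 1. Confirm the keyring is active. Without it ENCRYPTION='Y' fails and an
--    already-encrypted tablespace cannot be opened after a restart.
SELECT plugin_name, plugin_status
  FROM information_schema.plugins
 WHERE plugin_name LIKE 'keyring%';

-- 2. Encrypt at the granularity of a file-per-table tablespace.
CREATE TABLE shop.customer_pii (
  id          BIGINT UNSIGNED NOT NULL PRIMARY KEY,
  email       VARCHAR(255)    NOT NULL,
  national_id VARBINARY(64)   NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

ALTER TABLE shop.orders ENCRYPTION='Y';   -- rewrites the tablespace; plan for the I/O

-- 3. Audit: InnoDB tables in application schemas still stored in clear.
SELECT table_schema, table_name, create_options
  FROM information_schema.tables
 WHERE engine = 'InnoDB'
   AND table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
   AND create_options NOT LIKE '%ENCRYPTION="Y"%';

-- 4. Rotate the master key. Only the per-tablespace keys are re-wrapped, data
--    pages are not rewritten, so this is cheap enough to schedule and to run
--    immediately if the keyring backend may have been exposed.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- 5. Binary logs carry every committed row change, so encrypt them as well.
--    MySQL 8.0.14+ (Percona Server 5.7 has its own encrypt_binlog option in my.cnf):
SET PERSIST binlog_encryption = ON;
```

Note that tablespace encryption covers data files only: redo/undo logs, the general and slow logs, and dumps taken with mysqldump are still in clear, which is why the slide pairs it with volume encryption.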
Connection Overhead
https://tinyurl.com/ycldtnpkhttps://tinyurl.com/y7v7jhmo
Security Features by MySQL
MySQL variants
MySQL Variants
● MySQL Community Edition 5.5 -> 8.0
● MySQL Enterprise Edition
● Percona Server 5.5 -> 5.7 -> 8.0
● MariaDB 5.5, 10.X
● Galera, Group Replication/InnoDB Cluster
● X Protocol/mysqlsh (33060) -> 8.0
Links:
https://dev.mysql.com/doc/internals/en/x-protocol.html
https://dev.mysql.com/doc/internals/en/x-protocol-authentication-authentication.html
MySQL Security by Version
● GRANT (3.23)
● REVOKE (3.23)
● SET PASSWORD (3.23)
● SHOW GRANTS (3.23)
● DROP USER (4.1)
● SHOW PRIVILEGES (4.1)
● CREATE USER (5.0)
● RENAME USER (5.0)
● ALTER USER (5.6)
● SHOW CREATE USER (5.7)
● CREATE ROLE (8.0)
● DROP ROLE (8.0)
● SET ROLE (8.0)
● SET DEFAULT ROLE (8.0)
Important mysql.user table columns by version
< 5.5: host, user, password
> 5.5: authentication_string
> 5.6: password_expired
> 5.7: account_locked; password (removed)
> 8.0: create_role_priv, drop_role_priv
Security Features by MySQL Version
● 5.1 - McAfee Audit plugin
● 5.5 - pluggable authentication (MariaDB 5.2 backport), proxy users, changes in the mysql.user table, client password warning; Enterprise provided Audit and PAM authentication (present again in Percona Server for MySQL and MariaDB Server)
● 5.6 - encrypted client credentials (mysql_config_editor), sha256_password, password expiry, VALIDATE_PASSWORD_STRENGTH(), --random-passwords (optional random password on install), mysql.user password_expired column; Enterprise Firewall
● 5.7 - grep for the root password on installation, password expiry every ‘n’ days, user accounts can be locked/unlocked, mysql_ssl_rsa_setup, mysql.user.password removed, super_read_only, at-rest tablespace encryption
● 8.0 - roles + mysql.user changes
● Percona Server
○ MySQL 5.5 - extended SHOW GRANTS, utility user, userstats, Audit Plugin
○ MySQL 5.6 - super_read_only
○ MySQL 5.7 - Vault plugin
Harden your MySQL Security
● Set a password for ‘root’
● Remove all anonymous users
● Remove the ‘test’ database (gone in 8.0)
● Use mysql_secure_installation where possible (5.7)
● Install (and use!) the validate_password plugin (>= 5.6)
○ There are methods which circumvent this, however ...
■ ... IDENTIFIED BY ‘*ABC...’ (passing the hash allows using a weak password)
● Ensure the Principle of Least Privilege
○ Stop using GRANT ALL on *.* ...
○ ALL includes: FILE, CREATE ROUTINE, SUPER, ...
○ Allowing writes to mysql.user can allow injection of credentials that will be loaded at a later time!
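The SQL below is an added example, not code from the slides or from Percona, and it covers both the "Security Do’s" list and the hardening slide above: finding and dropping anonymous accounts, removing the test database and its wildcard grants, auditing who holds the global privileges that GRANT ALL hands out and who can write the grant tables, and replacing a GRANT ALL account with a least-privilege grant, expressed as a role on 8.0. The audit and cleanup statements assume MySQL 5.7, the role statements assume 8.0, and the schema, account names and password are placeholders.

```sql
-- Added example (not from the slides). Audit/cleanup assumes MySQL 5.7,
-- the role statements assume 8.0. 'shop' and all account names are placeholders.

-- 1. Anonymous accounts (empty user name) and accounts with no credential.
SELECT user, host, plugin, authentication_string
  FROM mysql.user
 WHERE user = '' OR authentication_string = '';
DROP USER ''@'localhost';          -- repeat for each host the query above returns

-- 2. The sample 'test' schema and the mysql.db rows that let every account
--    use any database named test or test_<something>.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE db = 'test' OR db = 'test\_%';
FLUSH PRIVILEGES;                  -- required after editing grant tables directly

-- 3. Who holds the global privileges that GRANT ALL ON *.* includes?
--    FILE reads and writes files as the server, SUPER bypasses read_only and
--    more, GRANT OPTION lets the holder pass its rights on.
SELECT user, host, super_priv, file_priv, grant_priv, create_routine_priv
  FROM mysql.user
 WHERE super_priv = 'Y' OR file_priv = 'Y' OR grant_priv = 'Y';

-- 4. Who can write the grant tables? A global INSERT/UPDATE, or one scoped to
--    the mysql schema, is enough to plant a row in mysql.user that becomes a
--    working login at the next FLUSH PRIVILEGES or restart.
SELECT user, host, 'global' AS scope
  FROM mysql.user
 WHERE insert_priv = 'Y' OR update_priv = 'Y'
UNION ALL
SELECT user, host, db
  FROM mysql.db
 WHERE db = 'mysql' AND (insert_priv = 'Y' OR update_priv = 'Y');

-- 5. Replace a GRANT ALL account with the minimum the application needs.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'legacy_app'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'legacy_app'@'%';

-- 6. MySQL 8.0: state the same least privilege once, as a role, and bind a
--    per-application user to it (with TLS required while we are at it).
CREATE ROLE 'app_rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app_rw';
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'Correct-Horse-Battery-42!' REQUIRE SSL;
GRANT 'app_rw' TO 'app'@'10.0.0.%';
SET DEFAULT ROLE 'app_rw' TO 'app'@'10.0.0.%';   -- active at login without SET ROLE

-- 7. Review what an account can actually do.
SHOW GRANTS FOR 'app'@'10.0.0.%';
SHOW GRANTS FOR 'app'@'10.0.0.%' USING 'app_rw';  -- 8.0: expand the role's grants
```

Queries 3 and 4 are the ones worth scheduling: an account that gains SUPER, FILE or a write path into mysql.* between two runs is either a DBA change you can match to a ticket or the credential injection the slide warns about.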
MySQL Security in the Cloud
AWS Focused
Pillars of AWS Security
● Data Protection
● Privilege Management
● Infrastructure Management
● Detective Controls
AWS Security Best Practices
● Know shared responsibility model
● Manage AWS Accounts, IAM / MFA Users, Groups, and Roles
● EC2 Topology management
○ VPC
● RDS MySQL
○ RDS
○ Aurora
● AWS Tools
○ CloudTrail
○ CloudWatch
○ Config
AWS Security Best Practices
● RDS
○ Shared responsibility for container service
● EC2
○ Amazon Machine Images (AMIs)
○ Operating systems
○ Applications
○ Data in transit
○ Data at rest
○ Data stores
○ Credentials - key pairs
○ Policies and configuration
AWS Shared Responsibility Model
AWS IAM is your friend
● Centrally manage users
● Manage security credentials
○ passwords, access keys, and permissions policies
● Beware of regions, availability zones and endpoints
● AWS API keys require strict protection
○ E.g. code pushed to GitHub, Bitbucket etc. with keys embedded
In addition to IAM
● AWS Key Management Service
● AWS CloudTrail
○ Audit logging, invaluable to know what occurred and when
● AWS Macie - data classification service
● AWS Trusted Advisor
○ Automated tool to get reports on security groups etc. (if you spend enough)
https://aws.amazon.com/premiumsupport/ta-faqs/
Pre-configure and harden EC2 AMI
● Disable root API access keys and secret key
● Require MFA for all IAM accounts
● Restrict access to instances from limited IP ranges using Security Groups
● Password protect the .pem file on user machines
● Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access
● Rotate credentials (DB, Access Keys)
● Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
● Use bastion hosts to enforce control and visibility
Utilizing AWS VPC
MySQL Data in Transit
● Web Layer
○ Encrypt data in transit using IPsec ESP and/or SSL/TLS
○ Authenticate data integrity using IPsec ESP/AH and/or SSL/TLS
○ Use IPsec with IKE with pre-shared keys
● Database Layer
○ SSL/TLS is currently supported for connections to Amazon RDS MySQL
○ AWS provides a single self-signed certificate associated with the MySQL
AWS Trusted Advisor Tool Checks
● Limited access to common administrative ports to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet), 3389 (RDP), and 5500 (VNC).
● Limited access to common database ports. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), 1521 (Oracle) and 5432 (PostgreSQL).
● IAM is configured to help ensure secure access control of AWS resources.
● Multi-factor authentication (MFA) token is enabled to provide two-factor authentication for the root AWS account.
References and Credits
References:
● AWS Security Best Practices
● IAM Best Practices
● Amazon Virtual Private Cloud Connectivity Options
● VPC Networking Components
● SSL Connections in MySQL 5.7
● ProxySQL Improves MySQL SSL Connections
● Everything about MySQL Users and Logins You Didn’t Know and Were Afraid to Ask
Credits:
● Colin Charles
● Janos Ruzso
● Tibor Korocz
● Jervin Real
● Daniel van Eeden
Questions and Answers
Thank You Sponsors!!
Rate My Session