{"id":732,"date":"2016-11-01T16:49:06","date_gmt":"2016-11-01T14:49:06","guid":{"rendered":"https:\/\/community.virtono.com\/?p=732"},"modified":"2016-11-01T16:49:06","modified_gmt":"2016-11-01T14:49:06","slug":"hardening-the-defense-of-database-server","status":"publish","type":"post","link":"https:\/\/www.virtono.com\/community\/knowledgebase\/hardening-the-defense-of-database-server\/","title":{"rendered":"Hardening the Defense of Database Server"},"content":{"rendered":"

Importance of Database Security:<\/p>\n

    \n
  1. Databases often store sensitive data<\/li>\n
  2. Incorrect data or loss of data could negatively affect business operations<\/li>\n
  3. Databases can be used as bases to attack other systems from.<\/li>\n<\/ol>\n

     <\/p>\n

    Principles of Finding Holes<\/p>\n

    Don’t believe the documentation<\/p>\n

      \n
    1. Implement your own client<\/li>\n
    2. Debug the system to understand how it works<\/li>\n
    3. Identify communication protocols<\/li>\n
    4. Understand arbitrary code execution bugs<\/li>\n
    5. Write your own “fuzzers”<\/li>\n<\/ol>\n

       <\/p>\n

      Top Six Database Attack* [1] <ul><li>Brute-force (or not) cracking of weak or default usernames\/passwords<\/p>\n

        \n
      1. Privilege escalation<\/li>\n
      2. Exploiting unused and unnecessary database services and functionality<\/li>\n
      3. Targeting unpatched database vulnerabilities<\/li>\n
      4. SQL injection<\/li>\n
      5. Stolen backup (unencrypted) tapes* based on : http:\/\/www.darkreading.com\/security\/encryption\/211201064\/index.html<\/li>\n<\/ol>\n

        Cracking username\/password<\/strong> :Not to change default password is disaster.It is also better to change password periodically<\/p>\n

        Privilege Escalation<\/strong>\u00a0:Give right person right privilege.Avoid giving low-level user all database (even read only access)<\/p>\n

        Exploiting unnecessary service<\/strong>\u00a0:Attacker always find open listener feature.Only install features we need<\/p>\n

        Unpatched database vulnerabilities:<\/strong>Many companies reluctant to patch their database because of availability.Database bugs many times posted in hacker website.Not to install small patch can lead big disaster.<\/p>\n

        Stolen backup (unencrypted) tapes<\/strong>\u00a0:Type of insider or accidental attack.\u00a0<\/a>Encrypt the backup to prevent attack<\/p>\n

        SQL Injection:<\/strong>Old but still widely used attacks.Usually exploit web application weakness.Result of poor practice application development.Use statement binding to filter user input.<\/p>\n

         <\/p>\n

        Oracle’s Perspective<\/strong><\/p>\n

        Oracle TNS Listener<\/p>\n

        1.Set a TNS Listener Password (encrypted) to prevent unauthorized administration of the Listener<\/p>\n

        2.\u00a0Turn on Admin Restrictions to ensure certain commands cannot be called remotely<\/p>\n

        3.\u00a0Turn on TCP Valid Node Checking allow certain hosts to connect to the database server and prevent others
        \n4.\u00a0Turn off XML Database if it is not used<\/p>\n

        5.\u00a0Turn off External Procedures if not required<\/p>\n

        6.\u00a0Encrypt Network Traffic using the Oracle Net Manager tool<\/p>\n

        Accounts<\/strong><\/p>\n

        Lock and Expire Unused Accounts<\/p>\n

        Define a user account naming standard<\/p>\n

        Define and Enforce a Good Password Policy<\/p>\n

        Roles<\/strong><\/p>\n

        Be careful to make new role and give meaningful name<\/p>\n

        All user accounts should be assigned to specific role with minimal privileges<\/p>\n

        Revoke any unnecessary permissions<\/p>\n

        DBA Role<\/strong><\/p>\n

        Enable data protection to prevent users access sensitive tables<\/p>\n

        User secure PL\/SQL coding standard, to ensure developers make secure PL\/SQL programs<\/p>\n

        Perform security audits regularly<\/p>\n

        Before installing database, use checklist of what is needed and what is not<\/p>\n

        Install patching as soon as possible<\/p>\n

         <\/p>\n

        MySQL’s Perspective<\/strong><\/p>\n

        Background<\/strong><\/p>\n

        Since MySQL is open source, find many resources in the Internet to find bugs and patches \uf0a7 Stay tune to MySQL security issue and MySQL update<\/p>\n

        Routine Audit<\/strong><\/p>\n

        Check logs to search common SQL injection<\/p>\n

        Audit the users and check the granted privileges<\/p>\n

        Check the hashing user password to double check password patterns<\/p>\n

        MySQL Users<\/strong><\/p>\n

        Use strong password<\/p>\n

        Rename the root MySQL user to something obscure<\/p>\n

        Restrict MySQL users by IP address and passwords<\/p>\n

        Never give anyone access to the mysql.user table<\/p>\n

        MySQL Configuration<\/strong><\/p>\n

        Enable logging via the –log option<\/p>\n

        Disallow the use of symbolic links<\/p>\n

        Remove the default test database<\/p>\n

        Ensure MySQL traffic is encrypted<\/p>\n

         <\/p>\n

        Operating System<\/strong><\/p>\n

        Turn off unnecessary services or daemons<\/p>\n

        Ensure MySQL data files cannot be read by users other than the root or Administrator account<\/p>\n

        Use a low-privileged MySQL account to run the MySQL daemon<\/p>\n

        Ensure MySQL users cannot access files outside of a limited set of directories<\/p>\n","protected":false},"excerpt":{"rendered":"

        Importance of Database Security: Databases often store sensitive data Incorrect data or loss of data could negatively affect business operations Databases can be used as bases to attack other systems from.   Principles of Finding Holes Don’t believe the documentation Implement your own client Debug the system to understand how<\/p>\n","protected":false},"author":3,"featured_media":733,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[5],"tags":[],"class_list":["post-732","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/network-security1.jpg?fit=1728%2C800&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7ISfL-bO","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":277,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/introduction-to-mysql-and-how-it-works\/","url_meta":{"origin":732,"position":0},"title":"Introduction To MySQL and How It Works","author":"Daniel Draga","date":"August 7, 2016","format":false,"excerpt":"This article is a fraction of a Number of Articles on MySQL, to access them click here. INTRODUCTION Beneath all the cute animations, the smooth transactions, lies the ruins of the backend, and talking about websites, the backend is primarily the database. Ever wondered, how the web sites remember you?\u2026","rel":"","context":"In "Knowledgebase"","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/mysql_wallpaper_by_milesandryprower-d9o6y9z.png?fit=1024%2C576&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/mysql_wallpaper_by_milesandryprower-d9o6y9z.png?fit=1024%2C576&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/mysql_wallpaper_by_milesandryprower-d9o6y9z.png?fit=1024%2C576&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/mysql_wallpaper_by_milesandryprower-d9o6y9z.png?fit=1024%2C576&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":287,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/mysql-top-10-design-tips\/","url_meta":{"origin":732,"position":1},"title":"MySQL: Top 10 Design Tips","author":"Daniel Draga","date":"August 7, 2016","format":false,"excerpt":"This article is a fraction of a Number of Articles on MySQL, to access them click here. \u00a0\u00a0\u00a0\u00a0\u00a0 1.Understand Your Technology Tools MySQL is great platform to manage your database, and to be able to understand every aspect is not that easy, but the one thing that we can do\u2026","rel":"","context":"In "Knowledgebase"","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/MySQL_Replication1-2.png?fit=965%2C687&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/MySQL_Replication1-2.png?fit=965%2C687&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/MySQL_Replication1-2.png?fit=965%2C687&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/08\/MySQL_Replication1-2.png?fit=965%2C687&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1127,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/mongodb\/","url_meta":{"origin":732,"position":2},"title":"MongoDB","author":"Shreyash Sharma","date":"October 17, 2017","format":false,"excerpt":"Series:\u00a0Introduction to the MEAN Stack Part 1: Definition of the MEAN stack Part 2:\u00a0Setup of the MEAN stack Part 3:\u00a0Node.js Part 4:\u00a0npm Part 5:\u00a0Connect Part 6:\u00a0Express Part 7:\u00a0MongoDB Part 8:\u00a0Mongoose Part 9:\u00a0REST Part 10:\u00a0Baucis Part 11:\u00a0Bower Part 12:\u00a0AngularJS Part 13:\u00a0Restangular So far our server has only returned static data: files\u2026","rel":"","context":"In "Knowledgebase"","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/mongodb-1.jpeg?fit=1040%2C560&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/mongodb-1.jpeg?fit=1040%2C560&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/mongodb-1.jpeg?fit=1040%2C560&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/mongodb-1.jpeg?fit=1040%2C560&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1033,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-install-and-configure-mysql-on-opensuse-13-1\/","url_meta":{"origin":732,"position":3},"title":"How To Install and Configure MySQL on openSuSe 13.1","author":"Daniel Draga","date":"September 24, 2017","format":false,"excerpt":"Introduction MYSQL is a software, with MySQL server at its core, and a lot of utility programs, that helps is managing and administration of database. For example, let say you want to create a new database, you send a message to the MySQL server that says, for instance, \u201ccreate a\u2026","rel":"","context":"In "Tutorials"","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/09\/mysql-1.jpg?fit=700%2C256&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/09\/mysql-1.jpg?fit=700%2C256&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/09\/mysql-1.jpg?fit=700%2C256&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/09\/mysql-1.jpg?fit=700%2C256&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":267,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/types-of-servers\/","url_meta":{"origin":732,"position":4},"title":"Types Of Servers","author":"Daniel Draga","date":"July 30, 2016","format":false,"excerpt":"File Servers A file server may be dedicated or non-dedicated. \u00a0A dedicated server is designed specifically for use as a file server\u00a0 not for other database purposes. File servers may also be categorized by the method of access: Internet file servers are frequently accessed by File Transfer Protocol (FTP) or\u2026","rel":"","context":"In "Knowledgebase"","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic-3.jpg?fit=940%2C500&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic-3.jpg?fit=940%2C500&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic-3.jpg?fit=940%2C500&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic-3.jpg?fit=940%2C500&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1030,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-install-and-use-mysql-on-debian-7\/","url_meta":{"origin":732,"position":5},"title":"How To Install and Use MySQL on Debian 7","author":"Daniel Draga","date":"September 24, 2017","format":false,"excerpt":"Introduction MYSQL is a software, with MySQL server at its core, and a lot of utility programs, that helps is managing and administration of database. For example, let's say you want to create a new database, you send a message to the MySQL server that says, for instance, \u201cCreate a\u2026","rel":"","context":"In "Tutorials"","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/09\/mysql-backup.png?fit=394%2C315&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/732","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/comments?post=732"}],"version-history":[{"count":1,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/732\/revisions"}],"predecessor-version":[{"id":734,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/732\/revisions\/734"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media\/733"}],"wp:attachment":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media?parent=732"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/categories?post=732"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/tags?post=732"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}