MySQL Security
Presentation Of Tarbiat modares university Database security Classroom
presented by:
Negar Ghani
Sepehr Damavandi
professor:
Dr.Sadegh Dorri Nogoorani
First semester of 2020-2021
January 2021
MySQL Security
General Security Issues
Security Guidelines
● Do not ever give anyone (except MySQL root accounts) access to the user table in the mysql
system database! It holds every account's password hash and global privileges: read access lets
an attacker crack the hashes offline, write access lets them grant themselves anything.
● Use the GRANT and REVOKE statements to control access to MySQL. Do not grant more
privileges than necessary. Never grant privileges to all hosts (a '%' host part).
○ Try mysql -u root -h 127.0.0.1 -P 3306: if you get a prompt without being asked for a
password, so does anyone else who can reach the port.
○ Use SHOW GRANTS to see exactly what an account holds, and REVOKE whatever it does not need.
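As an added example (not part of the slides or of the MySQL manual text they summarize), the following SQL turns these guidelines into a check an administrator can run, followed by a least-privilege clean-up of one offending account. The account, schema and subnet names (app, shop, 10.0.1.%) are hypothetical.

```sql
-- Added example, not from the slides. Run as an administrative account.

-- 1. Accounts that break the guidelines: reachable from any host ('%'),
--    anonymous (empty user name), or carrying no credential at all.
SELECT user, host, plugin, account_locked,
       (authentication_string = '') AS no_credential
FROM   mysql.user
WHERE  host = '%' OR user = '' OR authentication_string = ''
ORDER  BY user, host;

-- 2. Who can read or change the grant tables? Any static global privilege
--    (a *.* grant) covers mysql.user, and so does a database-level grant on
--    the mysql schema itself.
SELECT user, host, 'global' AS via FROM mysql.user
WHERE  Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y'
UNION ALL
SELECT user, host, 'mysql.*' AS via FROM mysql.db WHERE db = 'mysql';

-- 3. Least privilege for one offending account (hypothetical names): look
--    before you cut, drop everything, grant only what the application uses,
--    then replace the wildcard host with the subnet the clients really use.
SHOW GRANTS FOR 'app'@'%';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'app'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app'@'%';
RENAME USER 'app'@'%' TO 'app'@'10.0.1.%';   -- privileges follow the rename
SHOW GRANTS FOR 'app'@'10.0.1.%';
```

Query 1 is the one to schedule: a new row in its result is either a provisioning mistake or an attacker who has already written to the grant tables. Dynamic privileges (BACKUP_ADMIN, SYSTEM_USER and friends) live in mysql.global_grants rather than in the user table columns, so extend query 2 with that table when you audit them.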
Making MySQL Secure Against Attackers
● When you connect to a MySQL server, you should use a password. With the built-in
authentication plugins (caching_sha2_password, mysql_native_password) the password is not
transmitted as cleartext over the connection; the client answers a challenge instead. The
mysql_clear_password plugin does send it in the clear and must only be used over TLS.
● All other information, queries and result sets included, is transferred as plain text and can be
read by anyone who is able to watch the connection. Two ways to close that gap:
○ use MySQL's internal SSL/TLS support (and REQUIRE SSL on the accounts, so a client cannot
silently fall back to cleartext).
○ use SSH: forward a local port through an SSH session to the server host, then point the client
at the local end of the tunnel:
○ ssh ghani@mysql -L 3306:127.0.0.1:3306 -N
○ mysql --host=127.0.0.1 --port=3306 -u user -p
○ The server then sees the tunnelled connection arriving from 127.0.0.1, so the account's host
part must match localhost or 127.0.0.1, not the client's real address.
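The TLS path on this slide, as an added example that is not from the slides or the MySQL manual: first find out whether the server can do TLS and which live sessions are still cleartext, then enforce encryption per account and finally server-wide. Account name, subnet, password and certificate DNs are hypothetical.

```sql
-- Added example, not from the slides. Names and DNs are hypothetical.

-- 1. Is TLS configured, and is cleartext TCP still accepted?
--    (MySQL 8.0 generates ssl_cert/ssl_key on first start if none are supplied.)
SHOW GLOBAL VARIABLES
WHERE Variable_name IN ('ssl_ca', 'ssl_cert', 'ssl_key', 'tls_version',
                        'require_secure_transport');

-- 2. Which current sessions came in over unencrypted TCP? Socket and
--    shared-memory connections never leave the host and do not matter here.
SELECT processlist_id, processlist_user, processlist_host, connection_type
FROM   performance_schema.threads
WHERE  type = 'FOREGROUND' AND connection_type = 'TCP/IP';

-- 3. Per account: refuse anything but TLS for this account.
CREATE USER 'reporting'@'10.0.2.%' IDENTIFIED BY 'Rp0rt!ng-2021-x' REQUIRE SSL;
-- Stricter: the client must also present a certificate from our CA (mutual TLS).
ALTER USER 'reporting'@'10.0.2.%'
  REQUIRE ISSUER '/CN=corp-db-ca' AND SUBJECT '/CN=reporting-client';

-- 4. Server-wide: reject every unencrypted TCP connection regardless of what
--    the account requires. Do this only after step 2 shows no legitimate
--    cleartext client remains, or they all break at once.
SET PERSIST require_secure_transport = ON;

-- 5. From any session: an empty Ssl_cipher means this connection is cleartext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Step 4 is the setting that actually removes the fallback; REQUIRE SSL on individual accounts protects those accounts but leaves every other account free to connect in the clear.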
Client Programming Security Guidelines
● Applications that access MySQL should not trust any data entered by users. Check numeric input
as carefully as strings; a common mistake is to escape only the string values.
● If an application generates a query like SELECT * FROM table WHERE ID=234 when a user enters
the value 234, the user can enter the value 234 OR 1=1 to cause the application to generate the
query SELECT * FROM table WHERE ID=234 OR 1=1.
● The server then retrieves every row in the table: every row is exposed and the server does far
more work than intended.
● The reference manual's minimal fix is to quote the numeric constant, SELECT * FROM table
WHERE ID='234', so that extra input becomes part of the string and MySQL converts only its leading
numeric part. That holds only if quote characters in the input are escaped as well (QUOTE() or the
driver's escaping function); otherwise 234' OR '1'='1 breaks out of the literal. The reliable fix is a
prepared statement with a bound parameter, which never parses user input as SQL.
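The attack and both fixes, carried out inside the server as an added example (not from the slides): MySQL's own PREPARE/EXECUTE can build a statement from a string exactly the way a careless application does, and can also bind a parameter the way a driver's prepared statement does. The table and its three rows are constructed for the demonstration.

```sql
-- Added example, not from the slides. Table and rows are constructed.
CREATE TEMPORARY TABLE t (id INT PRIMARY KEY, owner VARCHAR(20), secret VARCHAR(40));
INSERT INTO t VALUES (233, 'alice', 'a-secret'),
                     (234, 'bob',   'b-secret'),
                     (235, 'carol', 'c-secret');

-- (a) Unquoted numeric interpolation: the input widens the WHERE clause.
SET @input = '234 OR 1=1';
SET @sql = CONCAT('SELECT * FROM t WHERE id=', @input);
PREPARE q FROM @sql; EXECUTE q; DEALLOCATE PREPARE q;   -- all 3 rows

-- (b) Quoting the value (the slide's fix) only works if quote characters in
--     the input are escaped too; otherwise the attacker closes the literal.
SET @input = '234'' OR ''1''=''1';                      -- i.e.  234' OR '1'='1
SET @sql = CONCAT('SELECT * FROM t WHERE id=''', @input, '''');
PREPARE q FROM @sql; EXECUTE q; DEALLOCATE PREPARE q;   -- still all 3 rows

-- (c) Bound parameter: the input is a value, never SQL. In numeric context
--     MySQL converts the string to its leading number (234, with a
--     "truncated incorrect DOUBLE value" warning), so only bob's row matches.
PREPARE q FROM 'SELECT * FROM t WHERE id = ?';
SET @input = '234 OR 1=1';
EXECUTE q USING @input;                                 -- 1 row: bob
SET @input = '234'' OR ''1''=''1';
EXECUTE q USING @input;                                 -- 1 row: bob
DEALLOCATE PREPARE q;

DROP TEMPORARY TABLE t;
```

In application code the equivalent of (c) is the driver's parameter binding (a `?` placeholder plus a separate argument list); it uses this same server-side mechanism, so the rule "never concatenate user input into SQL text" is enforceable by code review alone.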
Access Control and Account
Management
MySQL access control involves two stages when you run a client program that connects to the server:
● Stage 1: The server accepts or rejects the connection based on your identity and whether you can
verify your identity by supplying the correct password.
● Stage 2: Assuming that you can connect, the server checks each statement you issue to determine
whether you have sufficient privileges to perform it.
MySQL Access Control
Account Usernames and Passwords
● MySQL stores accounts in the user table of the mysql system database.
● An account is defined in terms of a user name and the client host or hosts from which the user can
connect to the server.
● To authenticate client connections for accounts that use built-in authentication methods, the
server uses the password hashes stored in the user table (the authentication_string column); the
plaintext password is never stored.
Privileges Provided by MySQL
● Administrative privileges enable users to manage operation of the MySQL server. These privileges
are global because they are not specific to a particular database.
● Database privileges apply to a database and to all objects within it. These privileges can be granted
for specific databases, or globally so that they apply to all databases.
● Privileges for database objects such as tables, indexes, views, and stored routines can be granted
for specific objects within a database, for all objects of a given type within a database (for example,
all tables in a database), or globally for all objects of a given type in all databases.
Grant Tables
● The mysql system database includes several grant tables that contain information about user
accounts and the privileges held by them. The main ones:
● user: User accounts, static global privileges, and other nonprivilege columns (password hash, lock
state, resource limits, TLS requirements).
● global_grants: Dynamic global privileges such as SYSTEM_USER or BACKUP_ADMIN.
● db: Database-level privileges.
● tables_priv: Table-level privileges.
● columns_priv: Column-level privileges.
● procs_priv: Stored procedure and function privileges.
● proxies_priv: Proxy-user privileges.
● role_edges: Which roles are granted to which accounts and roles.
● default_roles: Default user roles.
● password_history: Password change history.
Specifying Account Names
● MySQL account names consist of a user name and a host name, which enables creation of distinct
accounts for users with the same user name who can connect from different hosts.
● Account name syntax is 'user_name'@'host_name'. The host part may be a host name, an IP
address, a pattern using the % and _ wildcards, or an IP address with a netmask.
● An account name consisting only of a user name is equivalent to 'user_name'@'%', which is exactly
the "all hosts" grant the guidelines warn against; always write the host part out.
Access Control, Stage 1: Connection Verification
When you attempt to connect to a MySQL server, the server accepts or rejects the connection based on
these conditions:
● Your identity and whether you can verify it by supplying the proper credentials.
● Whether your account is locked or unlocked.
Identity here is the user name together with the host the connection comes from. The server picks the
single most specific matching row from the user table (literal host names and IP addresses before
wildcard patterns), so a permissive 'user'@'%' row and a locked-down 'user'@'10.0.1.5' row for the
same name are two different accounts, and which one applies depends only on where the client
connects from.
Access Control, Stage 2: Request Verification
After the server accepts a connection, it enters Stage 2 of access control.
● For each request that you issue through the connection, the server determines what operation you
want to perform, then checks whether your privileges are sufficient.
● This is where the privilege columns in the grant tables come into play. These privileges can come
from any of the user, global_grants, db, tables_priv, columns_priv, or procs_priv tables.
Adding Accounts, Assigning Privileges, and Dropping Accounts
● CREATE USER and DROP USER create and remove accounts.
● GRANT and REVOKE assign privileges to and revoke privileges from accounts.
● SHOW GRANTS displays account privilege assignments.
Reserved Accounts
During data directory initialization, MySQL creates user accounts that should be considered reserved:
● 'root'@'localhost': Used for administrative purposes. This account has all privileges, is a system
account, and can perform any operation.
● 'mysql.sys'@'localhost': Used as the DEFINER for sys schema objects. Use of the mysql.sys account
avoids problems that occur if a DBA renames or removes the root account. This account is locked
so that it cannot be used for client connections.
● 'mysql.session'@'localhost': Used internally by plugins to access the server. This account is locked
so that it cannot be used for client connections. The account is a system account.
● 'mysql.infoschema'@'localhost': Used as the DEFINER for INFORMATION_SCHEMA views. Use of
the mysql.infoschema account avoids problems that occur if a DBA renames or removes the root
account. This account is locked so that it cannot be used for client connections.
Using Roles
A MySQL role is a named collection of privileges. Like user accounts, roles can have privileges granted to
and revoked from them.
● CREATE ROLE and DROP ROLE create and remove roles.
● GRANT and REVOKE assign privileges to and revoke privileges from user accounts and roles.
● SHOW GRANTS displays privilege and role assignments for user accounts and roles.
● SET DEFAULT ROLE specifies which account roles are active by default.
● SET ROLE changes the active roles within the current session.
● The CURRENT_ROLE() function displays the active roles within the current session.
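The account-management and role statements of the last two slides in one worked sequence, as an added example that is not from the slides or the MySQL manual. It also shows why the host part of an account name matters: the same user name gets two accounts with different privileges. The shop schema, the roles and the app accounts are hypothetical.

```sql
-- Added example, not from the slides. Schema, roles and accounts are hypothetical.

-- Roles carry the privileges; accounts only receive roles.
CREATE ROLE 'shop_ro', 'shop_rw';
GRANT SELECT ON shop.* TO 'shop_ro';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_rw';

-- Same user name, two host patterns: two distinct accounts. Only the host
-- part tells them apart, and it is the server's view of the client address.
CREATE USER 'app'@'10.0.1.%' IDENTIFIED BY 'App-Secret-1!';
CREATE USER 'app'@'localhost'  IDENTIFIED BY 'App-Secret-2!';
GRANT 'shop_ro', 'shop_rw' TO 'app'@'10.0.1.%';
GRANT 'shop_ro'            TO 'app'@'localhost';

-- A granted role confers nothing until it is active. Make read-only the
-- default; the write role has to be switched on explicitly in a session.
SET DEFAULT ROLE 'shop_ro' TO 'app'@'10.0.1.%', 'app'@'localhost';

-- SHOW GRANTS alone lists the role grant; USING expands what the role confers.
SHOW GRANTS FOR 'app'@'10.0.1.%';
SHOW GRANTS FOR 'app'@'10.0.1.%' USING 'shop_rw';
SELECT * FROM mysql.role_edges;        -- the role graph behind those grants

-- In a session logged in as 'app'@'10.0.1.%':
SELECT CURRENT_ROLE();                 -- `shop_ro`@`%`
SET ROLE 'shop_rw';                    -- escalate for the write path only
SELECT CURRENT_ROLE();                 -- `shop_rw`@`%`
SET ROLE DEFAULT;                      -- back to read-only

-- Taking access away at the right level:
REVOKE INSERT, UPDATE, DELETE ON shop.* FROM 'shop_rw';  -- every holder of the role
REVOKE 'shop_rw' FROM 'app'@'10.0.1.%';                  -- one account
DROP USER 'app'@'localhost';                             -- the whole account
```

Keeping privileges on roles rather than on accounts is what makes SHOW GRANTS ... USING and the role_edges table a complete picture of who can do what; the moment a direct GRANT is issued to an account, that account has to be audited separately.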
Account Categories
System and Regular Accounts
● A user with the SYSTEM_USER privilege is a system user.
○ A system user can modify both system and regular accounts. A system account can be modified only by
system users with appropriate privileges, not by regular users.
● A user without the SYSTEM_USER privilege is a regular user.
○ A regular user with appropriate privileges can modify regular accounts, but not system accounts. A regular
account can be modified by both system and regular users with appropriate privileges.
Privilege Restriction Using Partial Revokes
Prior to MySQL 8.0.16, it is not possible to grant privileges that apply globally except for certain schemas.
As of MySQL 8.0.16, that is possible if the partial_revokes system variable is enabled.
Specifically, for users who have privileges at the global level, partial_revokes enables privileges for
specific schemas to be revoked while leaving the privileges in place for other schemas.
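A worked partial revoke, as an added example that is not from the slides or the MySQL manual: a read-everything auditing account that must nevertheless not see the mysql system schema. The auditor account is hypothetical.

```sql
-- Added example, not from the slides. The 'auditor' account is hypothetical.

SET PERSIST partial_revokes = ON;   -- off by default; needed before the REVOKE below

CREATE USER 'auditor'@'10.0.3.%' IDENTIFIED BY 'Aud1t0r-S3cret!';
GRANT SELECT ON *.* TO 'auditor'@'10.0.3.%';
-- Carve the system schema out of the global grant. With partial_revokes OFF
-- there is no schema-level privilege here to revoke, so nothing would be
-- recorded; with it ON the server stores a restriction instead.
REVOKE SELECT ON mysql.* FROM 'auditor'@'10.0.3.%';

SHOW GRANTS FOR 'auditor'@'10.0.3.%';
--   GRANT SELECT ON *.* TO `auditor`@`10.0.3.%`
--   REVOKE SELECT ON `mysql`.* FROM `auditor`@`10.0.3.%`

-- The restriction is stored in mysql.user.User_attributes, not in mysql.db.
SELECT user, host, User_attributes->>'$.Restrictions' AS restrictions
FROM   mysql.user WHERE user = 'auditor';

-- Caveats to check in a review:
--   * a later GRANT SELECT ON mysql.* TO 'auditor'@'10.0.3.%' lifts the restriction;
--   * restrictions are per schema, not per table or column;
--   * partial_revokes cannot be switched OFF while any account carries a restriction.
```

Without this feature the only alternative is to enumerate every non-system schema in individual GRANT statements and to remember to repeat that for every schema created later; the partial revoke makes the exclusion explicit and visible in SHOW GRANTS.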
When Privilege Changes Take Effect
If the mysqld server is started without the --skip-grant-tables option, it reads all grant table contents into
memory during its startup sequence. The in-memory tables become effective for access control at that
point.
If you modify the grant tables indirectly using an account-management statement, the server notices
these changes and loads the grant tables into memory again immediately.
● GRANT, REVOKE, SET PASSWORD, and RENAME USER.
If you modify the grant tables directly using statements such as INSERT, UPDATE, or DELETE, the
changes have no effect on privilege checking until you tell the server to reload the tables:
○ FLUSH PRIVILEGES statement or mysqladmin flush-privileges or mysqladmin reload
○ or restart the server
Direct modification of the grant tables is discouraged in MySQL 8.0; use the account-management
statements, which validate what they write and reload automatically.
Even after a reload, a change is not felt by every client at once: global privilege and password changes
apply to the next connection a client makes, database privilege changes apply at the client's next USE
statement, and table and column privilege changes apply at the client's next request. An account you
have just revoked or locked may therefore keep working until its current sessions end; kill them (KILL
CONNECTION id) if the change is urgent.
Password Management
● Password expiration
● Password reuse policy
● Password verification-required policy
● Dual password support
● Random password generation
● Failed-login tracking and temporary account locking
Account resource limits
● Limits can be set server-wide (the max_user_connections system variable caps simultaneous
connections for every account) or per account with the WITH clause of CREATE USER and ALTER
USER:
○ Number of queries per hour (MAX_QUERIES_PER_HOUR)
○ Number of updates per hour (MAX_UPDATES_PER_HOUR)
○ Number of times an account can connect to the server per hour (MAX_CONNECTIONS_PER_HOUR)
○ Number of simultaneous connections to the server (MAX_USER_CONNECTIONS)
● A limit of 0 means unlimited; the hourly counters are shared by all sessions of the account and are
reset by FLUSH USER_RESOURCES.
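The password-management features of the previous slide and the resource limits of this one, applied to a single application account as an added example (not from the slides or the MySQL manual). The app account and every threshold are illustrative choices; RANDOM PASSWORD needs MySQL 8.0.18, FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME need 8.0.19, and dual passwords need 8.0.14.

```sql
-- Added example, not from the slides. Account and thresholds are illustrative.

-- Server-wide defaults, inherited by accounts that do not override them.
SET PERSIST default_password_lifetime = 90;   -- days; 0 disables expiration
SET PERSIST password_history = 5;             -- none of the last 5 may be reused
SET PERSIST password_reuse_interval = 365;    -- nor any used within a year
SET PERSIST password_require_current = ON;    -- self-service changes must prove the old one
SET PERSIST max_user_connections = 100;       -- simultaneous connections per account

-- Random password generation: the generated password is returned in the
-- result set of this statement, and nowhere else.
CREATE USER 'app'@'10.0.1.%' IDENTIFIED BY RANDOM PASSWORD;

-- Per-account overrides. In the grammar the WITH resource limits come before
-- the password options. FAILED_LOGIN_ATTEMPTS 5 with PASSWORD_LOCK_TIME 1
-- locks the account for one day after 5 consecutive failures
-- (PASSWORD_LOCK_TIME UNBOUNDED = until an administrator unlocks it).
ALTER USER 'app'@'10.0.1.%'
  WITH MAX_QUERIES_PER_HOUR 20000
       MAX_UPDATES_PER_HOUR 5000
       MAX_CONNECTIONS_PER_HOUR 600
       MAX_USER_CONNECTIONS 20
  PASSWORD EXPIRE INTERVAL 60 DAY
  PASSWORD HISTORY 10
  PASSWORD REUSE INTERVAL 730 DAY
  PASSWORD REQUIRE CURRENT
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- Dual passwords: rotate without an outage. Both secrets authenticate until
-- the old one is discarded, so clients can be redeployed one at a time.
ALTER USER 'app'@'10.0.1.%' IDENTIFIED BY 'App-Secret-2021-Q1!' RETAIN CURRENT PASSWORD;
-- ... roll the new secret out to every client ...
ALTER USER 'app'@'10.0.1.%' DISCARD OLD PASSWORD;

-- Clearing a temporary lock, and reading the account's state back.
ALTER USER 'app'@'10.0.1.%' ACCOUNT UNLOCK;
SELECT user, host, password_expired, password_last_changed, account_locked,
       max_questions, max_updates, max_connections, max_user_connections,
       User_attributes->>'$.Password_locking' AS lock_policy
FROM   mysql.user WHERE user = 'app';
```

The lockout and the hourly connection limit are the two settings that blunt online password guessing; the history and reuse interval only matter once a password has leaked and is being rotated, and the dual-password step is what lets that rotation happen without a maintenance window.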
Security components and plugins
The connection control plugins
● Two plugins: CONNECTION_CONTROL and CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS, both in
the connection_control library.
● CONNECTION_CONTROL introduces an increasing delay in the server's response to connection
attempts after a configurable number of consecutive failed attempts from the same account and
host, which slows brute-force and credential-stuffing attempts without locking anyone out.
● CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS exposes the running failure counts as the
INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS table, so they can be
monitored and alerted on.
● After installation the plugins are configured through their own system variables
(connection_control_failed_connections_threshold, connection_control_min_connection_delay,
connection_control_max_connection_delay).
The password validation component
● Implements three levels of password checking: LOW, MEDIUM and STRONG, each including the
checks of the level below.
● LOW checks only the length of the password (configurable, 8 by default).
● MEDIUM additionally requires numeric, lowercase, uppercase and special characters (each count
configurable).
● STRONG additionally checks that password substrings of length 4 or longer do not match words in
the dictionary file.
● The component enforces the policy in CREATE USER, ALTER USER and SET PASSWORD, and provides
the VALIDATE_PASSWORD_STRENGTH() SQL function, which scores a candidate password from 0 to
100 against the currently configured level.
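Installing and tuning the two connection control plugins and the password validation component described above, as an added example that is not from the slides or the MySQL manual. The thresholds and the dictionary path are illustrative; the plugin library is connection_control.so on Linux and connection_control.dll on Windows.

```sql
-- Added example, not from the slides. Thresholds and paths are illustrative.

-- Connection control: after 3 consecutive failures for the same account and
-- host the server delays each further response, starting at 1 s and growing
-- to at most 30 s. Legitimate users are slowed, never locked out.
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';
SET PERSIST connection_control_failed_connections_threshold = 3;
SET PERSIST connection_control_min_connection_delay = 1000;    -- milliseconds
SET PERSIST connection_control_max_connection_delay = 30000;   -- milliseconds

-- Who is being throttled right now, and how many delays have been applied
-- since startup (feed both to monitoring).
SELECT * FROM INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;
SHOW GLOBAL STATUS LIKE 'Connection_control_delay_generated';

-- Password validation: STRONG = MEDIUM's character-class checks plus a
-- dictionary test on every substring of 4 or more characters.
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = STRONG;
SET PERSIST validate_password.length = 14;
SET PERSIST validate_password.mixed_case_count = 1;
SET PERSIST validate_password.number_count = 1;
SET PERSIST validate_password.special_char_count = 1;
SET PERSIST validate_password.dictionary_file = '/etc/mysql/weak-words.txt';  -- hypothetical path
SET PERSIST validate_password.check_user_name = ON;   -- password must not equal the user name
SHOW VARIABLES LIKE 'validate_password%';

-- The function scores against the settings in force at call time; use it to
-- test a candidate before CREATE USER or ALTER USER rejects it.
SELECT VALIDATE_PASSWORD_STRENGTH('password1234')   AS weak_score,
       VALIDATE_PASSWORD_STRENGTH('Tq9!vLm2#xW8pZ') AS strong_score;
```

Both controls are server-side and therefore apply to every client, including scripts and connectors that never see a password policy in their own code; that is what makes them worth enabling even where an application already enforces password rules.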
MySQL Enterprise Firewall
● An application-level firewall (commercial edition only) that enables the DBA to permit or deny SQL
statements based on matching against lists of accepted statement patterns (normalized statement
digests, so the literal values in a statement do not matter).
● Firewall operation is based on a registry of profiles; a profile has these attributes:
○ Rules: defines the acceptable statements (an allowlist)
○ Current operational mode: can be OFF, RECORDING, PROTECTING or DETECTING
○ Scope of applicability: indicating which client connections the profile applies to
Firewalls general architecture
Backup and recovery
Backup and recovery types and operations
● Physical (raw) versus logical, online versus offline, local versus remote, full versus incremental.
● mysqldump is a client that produces full logical backups; it works online (use --single-transaction
for a consistent InnoDB snapshot) and can be run from a remote host.
● mysqldump can back up all or some databases, and can dump definitions and contents separately.
● For incremental backups use the binary log, which the server writes continuously while log_bin is
enabled (the default in MySQL 8.0). The server starts a new binary log file at each restart or FLUSH
LOGS, so take the full backup with --flush-logs and record the binary log file and position it was
taken at: every later incremental starts there.
● For a full recovery, run the .sql file generated by mysqldump.
● For incremental recovery, use mysqlbinlog to transform the binary log files into SQL (optionally
limited with --start-position / --stop-datetime for point-in-time recovery) and feed that to the
server.
● Dumps and binary logs are as sensitive as the database itself; store and transfer them encrypted
and under the same access controls.
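The server-side half of that procedure, as an added example that is not from the slides or the MySQL manual: confirming that incrementals are possible, fixing the boundary the full backup is taken at, and purging only what the backup chain no longer needs. The mysqldump and mysqlbinlog invocations are shell commands and are not shown; the retention window and the log file name are hypothetical.

```sql
-- Added example, not from the slides. Retention and file name are hypothetical.

-- Incremental backups need binary logging (on by default in MySQL 8.0) and a
-- retention window longer than the gap between two full backups.
SHOW GLOBAL VARIABLES
WHERE Variable_name IN ('log_bin', 'log_bin_basename', 'binlog_expire_logs_seconds');
SET PERSIST binlog_expire_logs_seconds = 1209600;   -- 14 days: covers two weekly fulls

-- Immediately before the full dump: close the current binary log so the dump
-- boundary is a file boundary (mysqldump --flush-logs does the same), and
-- record the coordinates every later incremental will start from.
FLUSH BINARY LOGS;
SHOW MASTER STATUS;     -- File and Position: store them alongside the dump
                        -- (SHOW BINARY LOG STATUS in releases after 8.0)
SHOW BINARY LOGS;       -- everything before the new file belongs to the old cycle

-- Only after the dump has been verified and copied off the host: the logs
-- from before the boundary are no longer needed for this backup chain.
PURGE BINARY LOGS TO 'binlog.000042';   -- hypothetical: the file SHOW MASTER STATUS reported
```

Recording the File/Position pair with the dump is what makes a later point-in-time recovery deterministic: the incremental replay with mysqlbinlog --start-position begins exactly where the full backup's snapshot ended, with no duplicated or missing transactions.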
Thank you, good luck and goodbye
● Contact: Sepehr.dmv@gmail.com
● https://dev.mysql.com/doc/refman/8.0/en/ was the source of this presentation; go there for
additional documentation.

More Related Content

Similar to Mysqlsecurityoptionsjan2021

Security features In MySQL 8.0
Security features In MySQL 8.0Security features In MySQL 8.0
Security features In MySQL 8.0Mydbops
 
MySQL USER MANAGEMENT,ROUTINES & TRIGGERS.
MySQL USER MANAGEMENT,ROUTINES & TRIGGERS.MySQL USER MANAGEMENT,ROUTINES & TRIGGERS.
MySQL USER MANAGEMENT,ROUTINES & TRIGGERS.Prabhu Raja Singh
 
Geek Sync | SQL Security Principals and Permissions 101
Geek Sync | SQL Security Principals and Permissions 101Geek Sync | SQL Security Principals and Permissions 101
Geek Sync | SQL Security Principals and Permissions 101IDERA Software
 
98_364_Slides_Lesson05.ppt
98_364_Slides_Lesson05.ppt98_364_Slides_Lesson05.ppt
98_364_Slides_Lesson05.pptRahafKhalid14
 
common_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQLcommon_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQLShlomi Noach
 
Dealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NETDealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NETFernando G. Guerrero
 
Southeast Linuxfest -- MySQL User Admin Tips & Tricks
Southeast Linuxfest -- MySQL User Admin Tips & TricksSoutheast Linuxfest -- MySQL User Admin Tips & Tricks
Southeast Linuxfest -- MySQL User Admin Tips & TricksDave Stokes
 
Global Azure Bootcamp 2018 - Oh no my organization went Azure
Global Azure Bootcamp 2018 - Oh no my organization went AzureGlobal Azure Bootcamp 2018 - Oh no my organization went Azure
Global Azure Bootcamp 2018 - Oh no my organization went AzureKarim Vaes
 
sql server authentication types by moamen hany
sql server authentication types by moamen hanysql server authentication types by moamen hany
sql server authentication types by moamen hanyMoamen Hany ELNASHAR
 
03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptxKareemBullard1
 
24 HOP edición Español -Diferentes técnicas de administración de logins y usu...
24 HOP edición Español -Diferentes técnicas de administración de logins y usu...24 HOP edición Español -Diferentes técnicas de administración de logins y usu...
24 HOP edición Español -Diferentes técnicas de administración de logins y usu...SpanishPASSVC
 
Percona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityPercona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityVinicius M Grippa
 
Brief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenariosBrief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenariosPayampardaz
 
Mysql connection
Mysql connectionMysql connection
Mysql connectionbeben benzy
 
ProxySQL in the Cloud
ProxySQL in the CloudProxySQL in the Cloud
ProxySQL in the CloudRené Cannaò
 
Mysqldbatrainingsession12privilegesinmysql 170302152348
Mysqldbatrainingsession12privilegesinmysql 170302152348Mysqldbatrainingsession12privilegesinmysql 170302152348
Mysqldbatrainingsession12privilegesinmysql 170302152348shubham singh
 
Upgrading to my sql 8.0
Upgrading to my sql 8.0Upgrading to my sql 8.0
Upgrading to my sql 8.0Ståle Deraas
 
SULTHAN's PHP, MySQL & wordpress
SULTHAN's PHP, MySQL & wordpressSULTHAN's PHP, MySQL & wordpress
SULTHAN's PHP, MySQL & wordpressSULTHAN BASHA
 
Lesson 5 security
Lesson 5   securityLesson 5   security
Lesson 5 securityRam Kedem
 

Similar to Mysqlsecurityoptionsjan2021 (20)

Security features In MySQL 8.0
Security features In MySQL 8.0Security features In MySQL 8.0
Security features In MySQL 8.0
 
MySQL USER MANAGEMENT,ROUTINES & TRIGGERS.
MySQL USER MANAGEMENT,ROUTINES & TRIGGERS.MySQL USER MANAGEMENT,ROUTINES & TRIGGERS.
MySQL USER MANAGEMENT,ROUTINES & TRIGGERS.
 
Geek Sync | SQL Security Principals and Permissions 101
Geek Sync | SQL Security Principals and Permissions 101Geek Sync | SQL Security Principals and Permissions 101
Geek Sync | SQL Security Principals and Permissions 101
 
98_364_Slides_Lesson05.ppt
98_364_Slides_Lesson05.ppt98_364_Slides_Lesson05.ppt
98_364_Slides_Lesson05.ppt
 
common_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQLcommon_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQL
 
Dealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NETDealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NET
 
Southeast Linuxfest -- MySQL User Admin Tips & Tricks
Southeast Linuxfest -- MySQL User Admin Tips & TricksSoutheast Linuxfest -- MySQL User Admin Tips & Tricks
Southeast Linuxfest -- MySQL User Admin Tips & Tricks
 
Global Azure Bootcamp 2018 - Oh no my organization went Azure
Global Azure Bootcamp 2018 - Oh no my organization went AzureGlobal Azure Bootcamp 2018 - Oh no my organization went Azure
Global Azure Bootcamp 2018 - Oh no my organization went Azure
 
sql server authentication types by moamen hany
sql server authentication types by moamen hanysql server authentication types by moamen hany
sql server authentication types by moamen hany
 
03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx
 
24 HOP edición Español -Diferentes técnicas de administración de logins y usu...
24 HOP edición Español -Diferentes técnicas de administración de logins y usu...24 HOP edición Español -Diferentes técnicas de administración de logins y usu...
24 HOP edición Español -Diferentes técnicas de administración de logins y usu...
 
Percona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityPercona Live 2019 - MySQL Security
Percona Live 2019 - MySQL Security
 
Brief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenariosBrief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenarios
 
Mysql connection
Mysql connectionMysql connection
Mysql connection
 
ProxySQL in the Cloud
ProxySQL in the CloudProxySQL in the Cloud
ProxySQL in the Cloud
 
Mysqldbatrainingsession12privilegesinmysql 170302152348
Mysqldbatrainingsession12privilegesinmysql 170302152348Mysqldbatrainingsession12privilegesinmysql 170302152348
Mysqldbatrainingsession12privilegesinmysql 170302152348
 
Upgrading to my sql 8.0
Upgrading to my sql 8.0Upgrading to my sql 8.0
Upgrading to my sql 8.0
 
SULTHAN's PHP, MySQL & wordpress
SULTHAN's PHP, MySQL & wordpressSULTHAN's PHP, MySQL & wordpress
SULTHAN's PHP, MySQL & wordpress
 
Lesson 5 security
Lesson 5   securityLesson 5   security
Lesson 5 security
 
MySQL Security
MySQL SecurityMySQL Security
MySQL Security
 

Recently uploaded

11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdfHafizMudaserAhmad
 
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSneha Padhiar
 
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptJohnWilliam111370
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfDrew Moseley
 
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTESCME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTESkarthi keyan
 
multiple access in wireless communication
multiple access in wireless communicationmultiple access in wireless communication
multiple access in wireless communicationpanditadesh123
 
Levelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodLevelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodManicka Mamallan Andavar
 
『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书
『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书
『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书rnrncn29
 
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS  SERVICE MECHANISM.pdfDEVICE DRIVERS AND INTERRUPTS  SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdfAkritiPradhan2
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONjhunlian
 
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...Erbil Polytechnic University
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier Fernández Muñoz
 
Main Memory Management in Operating System
Main Memory Management in Operating SystemMain Memory Management in Operating System
Main Memory Management in Operating SystemRashmi Bhat
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Romil Mishra
 
Robotics Group 10 (Control Schemes) cse.pdf
Robotics Group 10  (Control Schemes) cse.pdfRobotics Group 10  (Control Schemes) cse.pdf
Robotics Group 10 (Control Schemes) cse.pdfsahilsajad201
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosVictor Morales
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHSneha Padhiar
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Coursebim.edu.pl
 
Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsResearcher Researcher
 

Recently uploaded (20)

11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf
 
Designing pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptxDesigning pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptx
 
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
 
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdf
 
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTESCME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES
 
multiple access in wireless communication
multiple access in wireless communicationmultiple access in wireless communication
multiple access in wireless communication
 
Levelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodLevelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument method
 
『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书
『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书
『澳洲文凭』买麦考瑞大学毕业证书成绩单办理澳洲Macquarie文凭学位证书
 
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS  SERVICE MECHANISM.pdfDEVICE DRIVERS AND INTERRUPTS  SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
 
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
 
Javier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptxJavier_Fernandez_CARS_workshop_presentation.pptx
Javier_Fernandez_CARS_workshop_presentation.pptx
 
Main Memory Management in Operating System
Main Memory Management in Operating SystemMain Memory Management in Operating System
Main Memory Management in Operating System
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________
 
Robotics Group 10 (Control Schemes) cse.pdf
Robotics Group 10  (Control Schemes) cse.pdfRobotics Group 10  (Control Schemes) cse.pdf
Robotics Group 10 (Control Schemes) cse.pdf
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitos
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Course
 
Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending Actuators
 

Mysqlsecurityoptionsjan2021

  • 1. Mysql security Presentation Of Tarbiat modares university Database security Classroom presented by: Negar Ghani Sepehr Damavandi professor: Dr.Sadegh Dorri Nogoorani First semester of 2020-2021 January 2021
  • 4. Security Guidelines ● Do not ever give anyone (except MySQL root accounts) access to the user table in the mysql system database! ● Use the GRANT and REVOKE statements to control access to MySQL. Do not grant more privileges than necessary. Never grant privileges to all hosts. ○ Try mysql -u root -h 127.0.0.1 -P 3306 ○ Use the SHOW GRANTS and REVOKE statements
  • 5. Making MySQL Secure Against Attackers ● When you connect to a MySQL server, you should use a password. The password is not transmitted as cleartext over the connection. ● All other information is transferred as text ● can be read by anyone who is able to watch the connection. ○ use MySQL's internal SSL support. ○ use SSH. ○ ssh ghani@mysql -L 3306:127.0.0.1:3306 -N ○ mysql --host=127.0.0.1 --port=3306 -u user -p
  • 6. Client Programming Security Guidelines ● Applications that access MySQL should not trust any data entered by users ● If an application generates a query like SELECT * FROM table WHERE ID=234 when a user enters the value 234, the user can enter the value 234 OR 1=1 to cause the application to generate the query SELECT * FROM table WHERE ID=234 OR 1=1. ● the server retrieves every row in the table. ● Correct way: SELECT * FROM table WHERE ID='234'.
  • 7. Access Control and Account Management
  • 8. MySQL access control involves two stages when you run a client program that connects to the server: ● Stage 1: The server accepts or rejects the connection based on your identity and whether you can verify your identity by supplying the correct password. ● Stage 2: Assuming that you can connect, the server checks each statement you issue to determine whether you have sufficient privileges to perform it. MySQL Access Control
  • 9. Account Usernames and Passwords ● MySQL stores accounts in the user table of the mysql system database. ● An account is defined in terms of a user name and the client host or hosts from which the user can connect to the server. ● To authenticate client connections for accounts that use built-in authentication methods, the server uses passwords stored in the user table.
  • 10. Privileges Provided by MySQL ● Administrative privileges enable users to manage operation of the MySQL server. These privileges are global because they are not specific to a particular database. ● Database privileges apply to a database and to all objects within it. These privileges can be granted for specific databases, or globally so that they apply to all databases. ● Privileges for database objects such as tables, indexes, views, and stored routines can be granted for specific objects within a database, for all objects of a given type within a database (for example, all tables in a database), or globally for all objects of a given type in all databases.
  • 11. Grant Tables ● The mysql system database includes several grant tables that contain information about user accounts and the privileges held by them ● user: User accounts, static global privileges, and other nonprivilege columns. ● db: Database-level privileges. ● tables_priv: Table-level privileges. ● columns_priv: Column-level privileges. ● default_roles: Default user roles. ● password_history: Password change history.
  • 12. Specifying Account Names ● MySQL account names consist of a user name and a host name, which enables creation of distinct accounts for users with the same user name who can connect from different hosts. ● Account name syntax is 'user_name'@'host_name'. ● An account name consisting only of a user name is equivalent to 'user_name'@'%'.
  • 13. Access Control, Stage 1: Connection Verification When you attempt to connect to a MySQL server, the server accepts or rejects the connection based on these conditions: ● Your identity and whether you can verify it by supplying the proper credentials. ● Whether your account is locked or unlocked.
  • 14. Access Control, Stage 2: Request Verification After the server accepts a connection, it enters Stage 2 of access control. ● For each request that you issue through the connection, the server determines what operation you want to perform, then checks whether your privileges are sufficient. ● This is where the privilege columns in the grant tables come into play. These privileges can come from any of the user, global_grants, db, tables_priv, columns_priv, or procs_priv tables.
  • 15. Adding Accounts, Assigning Privileges, and Dropping Accounts ● CREATE USER and DROP USER create and remove accounts. ● GRANT and REVOKE assign privileges to and revoke privileges from accounts. ● SHOW GRANTS displays account privilege assignments.
  • 16. Reserved Accounts During data directory initialization, MySQL creates user accounts that should be considered reserved ● 'root'@'localhost: Used for administrative purposes. This account has all privileges, is a system account, and can perform any operation. ● 'mysql.sys'@'localhost': Used as the DEFINER for sys schema objects. Use of the mysql.sys account avoids problems that occur if a DBA renames or removes the root account. This account is locked so that it cannot be used for client connections.
  • 17. Reserved Accounts ● 'mysql.session'@'localhost': Used internally by plugins to access the server. This account is locked so that it cannot be used for client connections. The account is a system account. ● 'mysql.infoschema'@'localhost': Used as the DEFINER for INFORMATION_SCHEMA views. Use of the mysql.infoschema account avoids problems that occur if a DBA renames or removes the root account. This account is locked so that it cannot be used for client connections.
  • 18. Using Roles A MySQL role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them. ● CREATE ROLE and DROP ROLE create and remove roles. ● GRANT and REVOKE assign privileges to revoke privileges from user accounts and roles. ● SHOW GRANTS displays privilege and role assignments for user accounts and roles. ● SET DEFAULT ROLE specifies which account roles are active by default. ● SET ROLE changes the active roles within the current session. ● The CURRENT_ROLE() function displays the active roles within the current session.
• 19. Account Categories: System and Regular Accounts
● A user with the SYSTEM_USER privilege is a system user.
○ A system user can modify both system and regular accounts. A system account can be modified only by system users with appropriate privileges, not by regular users.
● A user without the SYSTEM_USER privilege is a regular user.
○ A regular user with appropriate privileges can modify regular accounts, but not system accounts. A regular account can be modified by both system and regular users with appropriate privileges.
• 20. Privilege Restriction Using Partial Revokes
Prior to MySQL 8.0.16, it was not possible to grant privileges that apply globally except for certain schemas. As of MySQL 8.0.16, that is possible if the partial_revokes system variable is enabled. Specifically, for users who have privileges at the global level, partial_revokes enables privileges for specific schemas to be revoked while leaving the privileges in place for other schemas.
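A partial revoke in practice, as an added example that is not from the slides; the account name and the hr schema are hypothetical:

```sql
-- Added example (not from the slides); 'ops'@'localhost' and the hr schema are hypothetical.
-- A schema-level REVOKE of a global privilege is only accepted while partial_revokes is ON.
SET PERSIST partial_revokes = ON;

CREATE USER 'ops'@'localhost' IDENTIFIED BY 'placeholder-password';
GRANT SELECT, INSERT, UPDATE ON *.* TO 'ops'@'localhost';

-- Carve the hr schema out of the global grant without touching any other schema.
REVOKE SELECT, INSERT, UPDATE ON hr.* FROM 'ops'@'localhost';

-- The restriction is shown as a REVOKE line alongside the global GRANT.
SHOW GRANTS FOR 'ops'@'localhost';

-- Granting the privilege back on hr.* removes the corresponding restriction.
GRANT SELECT ON hr.* TO 'ops'@'localhost';
```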
• 21. When Privilege Changes Take Effect
If the mysqld server is started without the --skip-grant-tables option, it reads all grant table contents into memory during its startup sequence. The in-memory tables become effective for access control at that point. If you modify the grant tables indirectly using an account-management statement, the server notices these changes and loads the grant tables into memory again immediately.
● GRANT, REVOKE, SET PASSWORD, and RENAME USER.
• 22. When Privilege Changes Take Effect
If you modify the grant tables directly using statements such as INSERT, UPDATE, or DELETE, the changes have no effect on privilege checking until you either:
● tell the server to reload the tables
○ with the FLUSH PRIVILEGES statement, mysqladmin flush-privileges, or mysqladmin reload
● or restart the server
• 23. Password Management
● Password expiration
● Password reuse policy
● Password verification-required policy
● Dual password support
● Random password generation
● Failed-login tracking and temporary account locking
• 24. Account Resource Limits
● We can limit the number of connections per user globally, or limit specific resources for a particular account:
○ Number of queries per hour
○ Number of updates per hour
○ Number of times an account can connect to the server per hour
○ Number of simultaneous connections to the server
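The password-management features of slide 23 and the resource limits of slide 24 applied to one application account, as an added example that is not from the slides; the account name, host pattern and every numeric value are hypothetical choices:

```sql
-- Added example (not from the slides); 'app'@'10.0.0.%' and all limits are hypothetical.
-- Global cap on simultaneous connections per account (0 = no limit).
SET PERSIST max_user_connections = 100;

CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'placeholder-password'
  WITH MAX_QUERIES_PER_HOUR 5000         -- per-account limits override the global one
       MAX_UPDATES_PER_HOUR 500
       MAX_CONNECTIONS_PER_HOUR 100
       MAX_USER_CONNECTIONS 10
  PASSWORD EXPIRE INTERVAL 90 DAY        -- expiration
  PASSWORD HISTORY 5                     -- reuse policy: none of the last five
  PASSWORD REUSE INTERVAL 365 DAY        -- nor any used within the last year
  PASSWORD REQUIRE CURRENT               -- verification-required: user must supply the old one
  FAILED_LOGIN_ATTEMPTS 3                -- failed-login tracking ...
  PASSWORD_LOCK_TIME 1;                  -- ... locks the account for one day after 3 failures

-- Dual passwords: rotate without a downtime window. The old password keeps working
-- until the application has been redeployed with the new one, then it is discarded.
ALTER USER 'app'@'10.0.0.%' IDENTIFIED BY 'new-placeholder-password' RETAIN CURRENT PASSWORD;
ALTER USER 'app'@'10.0.0.%' DISCARD OLD PASSWORD;

-- Random password generation: the server picks the password and returns it in the result set.
ALTER USER 'app'@'10.0.0.%' IDENTIFIED BY RANDOM PASSWORD;

-- Clearing a temporary lock (also resets the failed-login counter).
ALTER USER 'app'@'10.0.0.%' ACCOUNT UNLOCK;
```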
• 26. The Connection Control Plugins
● Two plugins: connection_control and connection_control_failed_login_attempts
● connection_control introduces an increasing delay in the server's response to connection attempts after a configurable number of consecutive failed attempts
● The other plugin keeps track of these failed attempts as audit data
● After installation, the plugins expose system variables that are used to configure them
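Installing and tuning both plugins, as an added example that is not from the slides; it assumes a Linux build whose plugin library is connection_control.so, and the thresholds are hypothetical:

```sql
-- Added example (not from the slides). Assumes the plugin library is connection_control.so
-- in the server's plugin_dir; the thresholds below are hypothetical values.
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';

-- After 3 consecutive failures for the same account, every further attempt is delayed,
-- starting at 1 s and growing with each failure up to 60 s. This slows down password
-- guessing without locking the legitimate user out permanently.
SET PERSIST connection_control_failed_connections_threshold = 3;
SET PERSIST connection_control_min_connection_delay = 1000;    -- milliseconds
SET PERSIST connection_control_max_connection_delay = 60000;   -- milliseconds

-- Confirm both plugins are ACTIVE.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'CONNECTION_CONTROL%';

-- Detection view: which accounts are currently being throttled and how many failures each has.
SELECT USERHOST, FAILED_ATTEMPTS
  FROM INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;

-- Total number of delayed attempts since the threshold was last changed; worth graphing.
SHOW GLOBAL STATUS LIKE 'Connection_control_delay_generated';
```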
• 27. The Password Validation Component
● Implements three levels of password checking: LOW, MEDIUM and STRONG
● LOW checks the length of the password (configurable)
● MEDIUM additionally checks for the presence of numeric, lowercase, uppercase and special characters
● STRONG additionally checks that password substrings of length 4 or longer do not match words in the dictionary file
● The component also implements an SQL function that assesses the strength of a password according to the configured level
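Enabling the component at the STRONG level and using its strength function before a password is committed, as an added example that is not from the slides; the dictionary path and the length and count values are hypothetical:

```sql
-- Added example (not from the slides); the dictionary path and the numeric settings are hypothetical.
INSTALL COMPONENT 'file://component_validate_password';

SET PERSIST validate_password.policy = STRONG;
SET PERSIST validate_password.length = 14;                -- LOW: minimum length
SET PERSIST validate_password.mixed_case_count = 1;       -- MEDIUM: at least 1 lower and 1 upper
SET PERSIST validate_password.number_count = 1;           -- MEDIUM: at least 1 digit
SET PERSIST validate_password.special_char_count = 1;     -- MEDIUM: at least 1 special character
SET PERSIST validate_password.dictionary_file = '/etc/mysql/password_dictionary.txt';  -- STRONG
SET PERSIST validate_password.check_user_name = ON;       -- also reject passwords equal to the user name

-- The SQL function returns a score from 0 to 100: 0 below 4 characters, 25 below
-- validate_password.length, then 50, 75 or 100 when the LOW, MEDIUM or STRONG checks pass.
SELECT VALIDATE_PASSWORD_STRENGTH('short')                 AS too_short,
       VALIDATE_PASSWORD_STRENGTH('correcthorsebattery')   AS long_but_no_digits,
       VALIDATE_PASSWORD_STRENGTH('Tmu-DbSec!2021-x7Q')    AS mixed;

-- With the component loaded, CREATE USER / ALTER USER / SET PASSWORD enforce the same policy,
-- so a weak password is rejected at account creation instead of reaching production.
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';  -- fails the policy check
```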
• 28. MySQL Enterprise Firewall
● An application-level firewall that enables the DBA to permit or deny SQL statements based on matching against lists of accepted statement patterns
● Firewall operation is based on a registry of profiles; a profile has these attributes:
○ Rules: define the acceptable statements (whitelist)
○ Current operational mode: can be OFF, RECORDING, PROTECTING or DETECTING
○ Scope of applicability: indicates which client connections the profile applies to
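The profile life cycle (record, review, detect, protect) for one account, as an added example that is not from the slides. It assumes MySQL Enterprise Firewall is installed (a commercial component), uses the account-profile procedures and INFORMATION_SCHEMA table names from the 8.0 documentation of the time (later releases renamed the whitelist objects to allowlist), and the account name is hypothetical:

```sql
-- Added example (not from the slides). Assumes MySQL Enterprise Firewall is installed;
-- 'app@10.0.0.%' is a hypothetical account.
-- 1. RECORDING: the firewall normalises each statement the account runs (literals become ?)
--    and stores the distinct patterns as the account's rules.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'RECORDING');
-- ... drive the application through its complete, legitimate workload ...

-- 2. Review the learned rules before enforcing them; anything unexpected here means the
--    recording window captured more than the application's normal behaviour.
SELECT RULE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'app@10.0.0.%';

-- 3. DETECTING: non-matching statements are executed but logged to the error log.
--    Run in this mode first to find gaps in the recorded rules without breaking the app.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'DETECTING');

-- 4. PROTECTING: statements that match no rule are rejected. An injected
--    "... OR 1=1" changes the statement pattern, so it no longer matches.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'PROTECTING');

-- Monitoring: current mode per profile and the granted/denied/suspicious counters.
SELECT USERHOST, MODE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS;
SHOW GLOBAL STATUS LIKE 'Firewall%';
```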
• 31. Backup and Recovery Types and Operations
● Physical (raw) versus logical, online versus offline, local versus remote, full versus incremental
● We can use mysqldump, a client program that generates full, logical, remote, online backups
● mysqldump can back up all or some databases, and we can dump definitions and contents separately
● For incremental backups we use the binary logs that the server generates on each restart
● For a full recovery we run the .sql file generated by mysqldump
● For incremental recovery we use mysqlbinlog to transform the binary log files into .sql files and then run them on the server
• 32. Thank you, good luck and goodbye
● Sepehr.dmv@gmail.com for contact
● https://dev.mysql.com/doc/refman/8.0/en/ was the source of this presentation; go there for additional documentation