This is a discussion on MySQL Security Risk? within the Linux Security forums, part of the System Security and Security Related category.
Hi All,

I'd like to install MySQL and PHP onto my server that's hosted in a POP on the internet. No, I have no firewall on that machine, but I only have the SSH, FTP (chrooted, no real users) and APACHE services running. I trust these services (rightly or wrongly). Now MySQL has been around for ages and I was wondering if it is secure enough to run on an open server? I understand that you can limit access to users at specific IP addresses, but is this service still vulnerable to attack? I'd greatly appreciate your views.

Neil
On Mon, 23 Aug 2004 21:00:44 +0000, Neil wrote:

Hi Neil,

> Hi All,
>
> I'd like to install MySQL and PHP onto my server that's hosted in a POP on the internet. No, I have no firewall on that machine, but I only have the SSH, FTP (chrooted, no real users) and APACHE services running. I trust these services (rightly or wrongly).
>
> Now MySQL has been around for ages and I was wondering if it is secure enough to run on an open server? I understand that you can limit access to users at specific IP addresses, but is this service still vulnerable to attack?

If you want to use the MySQL server only with the Apache/PHP on the box and don't need any database connections from other hosts, you can completely disable the MySQL networking features so that the databases can only be accessed from the box that runs the MySQL server.

> I'd greatly appreciate your views.

I have had some MySQL/PHP based web applications running on a Debian box for about two years now and until now nobody who tried to attack it was successful, so IMHO MySQL and PHP are safe enough to use if you properly configure them ;-)

> Neil

Peter
> have the SSH, FTP (chrooted, no real users) and APACHE services
> running. I trust these services (rightly or wrongly).

Your entire system is only as secure as the weakest link. If you keep all your server software up to date, you will have no problem.

--
Jem Berkes
http://www.sysdesign.ca/
Neil wrote:

> Hi All,
>
> I'd like to install MySQL and PHP onto my server that's hosted in a POP on the internet. No, I have no firewall on that machine, but I only have the SSH, FTP (chrooted, no real users) and APACHE services running. I trust these services (rightly or wrongly).
>
> Now MySQL has been around for ages and I was wondering if it is secure enough to run on an open server? I understand that you can limit access to users at specific IP addresses, but is this service still vulnerable to attack?
>
> I'd greatly appreciate your views.
>
> Neil

In my penetration tests with nessus and some exploits it looks pretty strong. You should be more worried about Apache, which is much more problematic. At least it's my point of view.

--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
Spain

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
In article <eGBWc.104990$r4.2688081@news-reader.eresmas.com>, Jose Maria Lopez Hernandez wrote:

> Neil wrote:
>> Hi All,
>>
>> I'd like to install MySQL and PHP onto my server that's hosted in a POP on the internet. No, I have no firewall on that machine, but I only have the SSH, FTP (chrooted, no real users) and APACHE services running. I trust these services (rightly or wrongly).
>>
>> Now MySQL has been around for ages and I was wondering if it is secure enough to run on an open server? I understand that you can limit access to users at specific IP addresses, but is this service still vulnerable to attack?
>>
>> I'd greatly appreciate your views.
>>
>> Neil
>
> In my penetration tests with nessus and some exploits it looks pretty strong. You should be more worried about Apache, which is much more problematic. At least it's my point of view.

MySQL has had some pretty serious security problems in the past (I seem to remember one where the password checking code used the length of the supplied password to control the check...)

I would use iptables to block external access to port 3306, and if any external apps need to access it you can set up an ssh tunnel from the remote machine so that the connection is protected.

Brian

--
---[Office 73.3F]--[Fridge 38.6F]---[Fozzy 93.5F]--[Coaster 73.2F]---
Linux Software Developer
http://www.brianlane.com
> I would use iptables to block external access to port 3306, and if any
> external apps need to access it you can set up an ssh tunnel from the remote
> machine so that the connection is protected.
>
> Brian

How would you create an ssh tunnel? With stunnel? Using a VPN?
Nuno Paquete <nmp@ispgaya.pt> writes:

>> I would use iptables to block external access to port 3306, and if any
>> external apps need to access it you can set up an ssh tunnel from the remote
>> machine so that the connection is protected.
>
> How would you create an ssh tunnel?
> With stunnel?
> Using a VPN?

Most people would use ssh to create an ssh tunnel.

~Tim

--
18:47:25 up 14 days, 2:22, 3 users, load average: 0.65, 0.74, 0.47
piglet@stirfried.vegetable.org.uk |And the wind / And the rain
http://spodzone.org.uk/cesspit/ |Falls around
Quoth Nuno Paquete <nmp@ispgaya.pt>:

> How would you create an ssh tunnel?
> With stunnel?
> Using a VPN?

No, I'd use ssh.

--
output = reverse("moc.enworbbc" "@" "enworbbc")
http://cbbrowne.com/info/nonrdbms.html
Anyone who can't laugh at himself is not taking life seriously enough.
-- Larry Wall
How about locking down mysql to localhost, then running PhpMyAdmin (allowing clients to use a web interface which connects to localhost)?

Brian C. Lane wrote:

> In article <eGBWc.104990$r4.2688081@news-reader.eresmas.com>, Jose Maria Lopez Hernandez wrote:
>
>> Neil wrote:
>>
>>> Hi All,
>>>
>>> I'd like to install MySQL and PHP onto my server that's hosted in a POP on the internet. No, I have no firewall on that machine, but I only have the SSH, FTP (chrooted, no real users) and APACHE services running. I trust these services (rightly or wrongly).
>>>
>>> Now MySQL has been around for ages and I was wondering if it is secure enough to run on an open server? I understand that you can limit access to users at specific IP addresses, but is this service still vulnerable to attack?
>>>
>>> I'd greatly appreciate your views.
>>>
>>> Neil
>>
>> In my penetration tests with nessus and some exploits it looks pretty strong. You should be more worried about Apache, which is much more problematic. At least it's my point of view.
>
> MySQL has had some pretty serious security problems in the past (I seem to remember one where the password checking code used the length of the supplied password to control the check...)
>
> I would use iptables to block external access to port 3306, and if any external apps need to access it you can set up an ssh tunnel from the remote machine so that the connection is protected.
>
> Brian
Neil wrote:

Try running mysql bound to localhost, then set up phpMyAdmin so that when each user is set up, /admin or something refers to their own phpMyAdmin that allows them to connect only to their own database. The webserver on the local machine queries mysql and returns results to the php/perl servlet within the server. This means mysql only runs locally, hence keeps out the globe.

> Hi All,
>
> I'd like to install MySQL and PHP onto my server that's hosted in a POP on the internet. No, I have no firewall on that machine, but I only have the SSH, FTP (chrooted, no real users) and APACHE services running. I trust these services (rightly or wrongly).
>
> Now MySQL has been around for ages and I was wondering if it is secure enough to run on an open server? I understand that you can limit access to users at specific IP addresses, but is this service still vulnerable to attack?
>
> I'd greatly appreciate your views.
>
> Neil
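The lock-down the thread converges on (Peter's "disable the networking features", Brian's iptables block of port 3306 plus an ssh tunnel, and the localhost-only binding behind phpMyAdmin) as one added shell example; it is not code from any of the posters. It assumes `ss -ltn` style output for the listener audit, and the user name and host in the tunnel command are placeholders.

```shell
# Added example, not code from the thread: audit whether mysqld is reachable
# from outside the box and print the lock-down the posters describe.
MYSQL_PORT=3306

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    *:80                 *:*
LISTEN 0      70     0.0.0.0:3306         0.0.0.0:*
LISTEN 0      70     [::1]:3306           [::]:*'

# mysql_exposure: read `ss -ltn` output on stdin and print every local address
# that listens on the MySQL port and is not loopback (127.0.0.1 or [::1]).
# Exit status 0 when only loopback listeners exist, 1 when mysqld is exposed.
mysql_exposure() {
    awk -v port="$MYSQL_PORT" '
        $1 == "LISTEN" {
            n = split($4, a, ":")                     # last piece is the port
            p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") {
                print addr
                exposed = 1
            }
        }
        END { if (exposed) exit 1 }'
}

# Brian's iptables advice: accept MySQL on the loopback interface only, drop it
# everywhere else. Peter's alternative removes the listener altogether: put
# "skip-networking" (or "bind-address = 127.0.0.1") in my.cnf.
iptables_rules() {
    printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$MYSQL_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$MYSQL_PORT"
}

# The ssh tunnel Tim and Chris mean, run on the remote client (placeholder
# user and host): local port 3306 is forwarded to the server's loopback-only
# mysqld. Connect with "mysql -h 127.0.0.1", since host "localhost" makes the
# mysql client pick the Unix socket instead of the forwarded TCP port.
ssh_tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$MYSQL_PORT" "$MYSQL_PORT" "$1" "$2"
}

# Demo on the constructed sample: the 0.0.0.0 listener triggers the advice.
if ! printf '%s\n' "$SAMPLE_SS" | mysql_exposure; then
    iptables_rules
    ssh_tunnel_cmd neil db.example.net
fi
```

Run the audit against real output with `ss -ltn | mysql_exposure` (or `netstat -ltn` on older boxes, whose Local Address column sits in the same position) after changing my.cnf, to confirm no non-loopback 3306 listener remains.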