Securing your database servers from external attack

A key part of your infrastructure is the database layer, yet it does not get enough attention, judging by how many people get bitten by badly chosen defaults or simply by a lack of understanding of how to run a secure database layer. In this talk I will focus on MySQL/MariaDB, PostgreSQL and MongoDB and cover external authentication, auditing, encryption, SSL, firewalling, replication and more gems gathered from over ten years of consulting in this area with Percona's 4000+ customers.


1. Securing your database servers from external attacks
Alkin Tezuysal (Sr. Technical Manager, Percona)
David Busby (Information Security Architect, Percona)

2. Who we are?
David Busby (@icleus)
● Technical Security Evangelist
● Open Source Evangelist
● Certified Information Systems Security Professional
● Assistant Scout Leader
● Assistant Instructor, computing for children
● Ju-Jitsu nidan and ex-Instructor
Alkin Tezuysal (@ask_dba)
● Open Source Database Evangelist
● Global Database Operations Expert
● Cloud Infrastructure Architect, AWS
● Inspiring Technical and Strategic Leader
● Creative Team Builder
● Speaker, Mentor, and Coach
● Outdoor Enthusiast

3. Agenda
● Security Common Sense
● MySQL Security
○ MySQL Passwords
○ MySQL Communication
○ MySQL Encryption
● Security Best Practices
● MySQL Security in Cloud Operators (AWS)
● Q&A

4. Database Security Best Practices
Apply Common Sense here

5. Security Do's
● Restrict access to database hosts
○ Not just to the database service
● Create individual users; use roles (MySQL 8.0)
● Set a password for all users
● Remove anonymous and obsolete users
● Use up-to-date software
● Review, update and modify security policies as needed
● Always remember to secure internal vulnerabilities before blocking external ones

6. Password Attacks
● Weak passwords?
● Reusing old passwords?
● Leverage the password validation plugin!
● Old versions of MySQL that lack the newer password features?
● MySQL unsha1 attack
● MySQL hash cracking with OSS tools (john, hashcat, etc.)

7. Network Operations
● All connections must use SSL (or other encryption)
○ The performance impact is minimal compared with the risks
● MySQL 5.7 and later enable SSL connections by default
○ Ensure >= 5.7.13
● Network encrypted tunnel options
○ N2N, OpenVPN (TLS), SSH tunnel, IPsec
Links:
https://www.percona.com/blog/2017/06/27/ssl-connections-in-mysql-5-7/
https://www.percona.com/blog/2017/09/19/proxysql-improves-mysql-sslconnections/
http://databaseblog.myname.nl/2017/05/mysql-and-ssltls-performance.html
https://github.com/ntop/n2n
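The following is an added example of how the "all connections must use SSL" rule is enforced and verified on a MySQL 5.7.13+/8.0 server; it is not code from the deck or from Percona. It assumes an application account 'app_rw'@'10.0.0.%' and that server certificates are already in place (mysql_ssl_rsa_setup, mentioned on slide 14, generates self-signed ones; the CA and subject names below are placeholders). The same REQUIRE SSL clause applies to Amazon RDS MySQL, where require_secure_transport is set through a parameter group instead of SET PERSIST.

```sql
-- 1. Confirm the server is able to accept TLS and which material it loaded.
SHOW VARIABLES LIKE 'have_ssl';      -- YES means TLS is available
SHOW VARIABLES LIKE 'ssl_%';         -- ssl_ca, ssl_cert, ssl_key paths
SHOW VARIABLES LIKE 'tls_version';   -- keep this to TLSv1.2 / TLSv1.3

-- 2. Refuse every cleartext TCP connection server-wide (variable exists since 5.7.8).
--    Unix-socket connections are still accepted. SET PERSIST is 8.0; on 5.7 use
--    SET GLOBAL and add the line to my.cnf so it survives a restart.
SET PERSIST require_secure_transport = ON;

-- 3. Require TLS per account as well, which also covers setups where you do not
--    control the global switch. ALTER USER needs 5.7+.
ALTER USER 'app_rw'@'10.0.0.%' REQUIRE SSL;

-- Stronger: only accept a client certificate issued by your own CA for this
-- account (placeholder distinguished names, assumed for the example).
ALTER USER 'app_rw'@'10.0.0.%'
  REQUIRE ISSUER  '/CN=Internal DB CA'
      AND SUBJECT '/CN=app_rw';

-- 4. Audit: accounts that may still connect in the clear have an empty ssl_type.
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE ssl_type = '';

-- 5. From a client session, verify what was actually negotiated.
--    An empty Ssl_cipher value means the session is plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Run step 4 again after the change and expect no rows for application accounts; leave administrative accounts that connect only via the local socket for last, since require_secure_transport does not affect them.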

8. MySQL Data Encryption
● Disk volume encryption
○ BitLocker, FileVault2, LUKS, eCryptFS, VeraCrypt, EBS encrypted volumes (please use KMS for encryption keys!)
● At-rest encryption for InnoDB tablespaces
● At-rest encryption for binary logs
Links:
https://dev.mysql.com/doc/refman/5.7/en/faqs-tablespace-encryption.html
https://docs.oracle.com/cd/E17952_01/mysql-5.7-en/innodb-tablespace-encryption.html
https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html
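As an added example (not the deck's own material), this is how the two at-rest options on the slide, InnoDB tablespace encryption and binary log encryption, are switched on and audited in MySQL 8.0 / Percona Server 8.0. It assumes a keyring is already loaded at startup (keyring_file via --early-plugin-load is fine for a lab; in production use a KMS-backed keyring such as Percona's keyring_vault, in line with the slide's "use KMS for keys" advice). The schema and table names are placeholders.

```sql
-- 1. InnoDB refuses ENCRYPTION='Y' unless a keyring is active, so check first.
--    Plugin-based keyrings (keyring_file, keyring_vault) show up here:
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM information_schema.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';
--    Component-based keyrings (8.0.24+) are reported here instead:
SELECT * FROM performance_schema.keyring_component_status;

-- 2. Encrypt a new table and an existing one (file-per-table tablespaces).
CREATE TABLE app.customer_pii (
  id      BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  email   VARCHAR(255) NOT NULL,
  ssn_enc VARBINARY(64) NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

ALTER TABLE app.orders ENCRYPTION='Y';   -- rebuilds the tablespace encrypted

-- 3. Make encryption the default for every new tablespace (8.0.16+) and stop
--    ordinary users from opting out with ENCRYPTION='N'.
SET PERSIST default_table_encryption = ON;
SET PERSIST table_encryption_privilege_check = ON;  -- needs TABLE_ENCRYPTION_ADMIN to override

-- 4. Encrypt binary and relay logs (8.0.14+). Existing log files stay as they
--    are; a new, encrypted binlog is started immediately.
SET PERSIST binlog_encryption = ON;

-- 5. Rotate the master key on a schedule. Data is not rewritten; only the
--    per-tablespace keys are re-wrapped with the new master key.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- 6. Audit: list InnoDB tablespaces that are still stored in plaintext.
SELECT NAME, ENCRYPTION
  FROM information_schema.INNODB_TABLESPACES
 WHERE ENCRYPTION = 'N'
   AND NAME NOT LIKE 'mysql%';

SHOW VARIABLES LIKE 'binlog_encryption';
```

Tablespace encryption protects the data files and binlogs on disk, not what a connected client can SELECT; it complements, rather than replaces, the access controls on slides 5 and 15.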

9. Connection Overhead
https://tinyurl.com/y7v7jhmo
https://tinyurl.com/ycldtnpk

10. Security Features by MySQL
MySQL variants

11. MySQL Variants
● MySQL Community Edition 5.5 -> 8.0
● MySQL Enterprise Edition
● Percona Server 5.5 -> 5.7 -> 8.0
● MariaDB 5.5, 10.X
● Galera, Group Replication/InnoDB Cluster
● X Protocol/mysqlsh (33060) -> 8.0
Links:
https://dev.mysql.com/doc/internals/en/x-protocol.html
https://dev.mysql.com/doc/internals/en/x-protocol-authentication-authentication.html

12. MySQL Security by Version
● GRANT (3.23)
● REVOKE (3.23)
● SET PASSWORD (3.23)
● SHOW GRANTS (3.23)
● DROP USER (4.1)
● SHOW PRIVILEGES (4.1)
● CREATE USER (5.0)
● RENAME USER (5.0)
● ALTER USER (5.6)
● SHOW CREATE USER (5.7)
● CREATE ROLE (8.0)
● DROP ROLE (8.0)
● SET ROLE (8.0)
● SET DEFAULT ROLE (8.0)

13. Important mysql.user table columns
< 5.5: host, user, password
> 5.5: authentication_string
> 5.6: password_expired
> 5.7: account_locked; password (removed)
> 8.0: create_role_priv, drop_role_priv

14. Security Features by MySQL Version
● 5.1 - McAfee Audit plugin
● 5.5 - pluggable authentication (MariaDB 5.2 backport), proxy users, changes in mysql.user table, client password warning; Enterprise provided Audit and PAM authentication (present again in Percona Server for MySQL and MariaDB Server)
● 5.6 - encrypted client credentials (mysql_config_editor), sha256_password, password expiry, VALIDATE_PASSWORD_STRENGTH(), --random-passwords (optional random on install), mysql.user password_expired column; Enterprise Firewall
● 5.7 - grep for root password on installation, password expiry every 'n' days, user accounts can be locked/unlocked, mysql_ssl_rsa_setup, mysql.user.password removed, super_read_only, at-rest tablespace encryption
● 8.0 - roles + mysql.user changes
● Percona Server
○ MySQL 5.5 - extended SHOW GRANTS, utility user, userstats, Audit Plugin
○ MySQL 5.6 - super_read_only
○ MySQL 5.7 - Vault plugin

15. Harden your MySQL Security
● Set a password for 'root'
● Remove all anonymous users
● Remove the 'test' database (gone in 8.0)
● Use mysql_secure_installation where possible (5.7)
● Install (and use!) the validate_password plugin (>= 5.6)
○ There are methods which circumvent it, however ...
■ ... IDENTIFIED BY '*ABC...' (passing the hash allows using a weak password)
● Follow the principle of least privilege
○ Stop using GRANT ALL ON *.* ...
○ ALL includes FILE, CREATE ROUTINE, SUPER, ...
○ Allowing writes to mysql.user can allow injection of credentials that will be loaded at a later time!
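The following added example turns the checklists on slides 5 (individual users, roles, no anonymous accounts), 6 (password validation) and 15 (root password, test database, least privilege, the pass-the-hash caveat and the mysql.user write caveat) into a repeatable MySQL 8.0 audit and hardening script. It is not Percona's code; the schema name app, the role and account names, the network ranges and the example password are all assumed placeholders.

```sql
-- 1. Password policy. On 8.0 validate_password is a component; on 5.6/5.7 use
--    INSTALL PLUGIN validate_password SONAME 'validate_password.so' and the
--    validate_password_* (underscore) variable names instead.
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = STRONG;
SET PERSIST validate_password.length = 14;
SET PERSIST default_password_lifetime = 90;   -- 5.7.4+: force rotation every 90 days
SET PERSIST password_history = 5;             -- 8.0.3+: block reuse of the last 5 passwords

-- 2. Audit: anonymous accounts, empty passwords, wildcard hosts.
SELECT user, host, plugin FROM mysql.user WHERE user = '';
SELECT user, host, plugin FROM mysql.user WHERE authentication_string = '';
SELECT user, host         FROM mysql.user WHERE host = '%';

-- Remove what the queries above returned (repeat DROP USER for each host value).
DROP USER IF EXISTS ''@'localhost';
DROP DATABASE IF EXISTS test;

-- 3. The pass-the-hash caveat from slide 15: validate_password only sees
--    cleartext, so IDENTIFIED WITH mysql_native_password AS '*ABC...' (5.6:
--    IDENTIFIED BY PASSWORD '*ABC...') bypasses the policy. You cannot block
--    the syntax, so limit who may create or alter accounts at all:
SELECT user, host FROM mysql.user WHERE Create_user_priv = 'Y';

-- 4. The mysql.user write caveat: INSERT/UPDATE on the mysql schema followed by
--    FLUSH PRIVILEGES (or a restart) plants a working credential. These should
--    all come back empty apart from your DBA accounts.
SELECT user, host FROM mysql.user
 WHERE Insert_priv = 'Y' OR Update_priv = 'Y' OR Grant_priv = 'Y'
    OR Super_priv = 'Y'  OR File_priv = 'Y';
SELECT user, host, db FROM mysql.db
 WHERE db = 'mysql' AND (Insert_priv = 'Y' OR Update_priv = 'Y');

-- 5. Least privilege with 8.0 roles instead of GRANT ALL ON *.*:
--    one role per access pattern, one account per application, host-restricted.
CREATE ROLE IF NOT EXISTS 'app_read', 'app_write';
GRANT SELECT                 ON app.* TO 'app_read';
GRANT INSERT, UPDATE, DELETE ON app.* TO 'app_write';

CREATE USER IF NOT EXISTS 'report'@'10.0.1.%'
  IDENTIFIED BY 'Example-Only-Ch4nge-Me!'
  WITH MAX_USER_CONNECTIONS 10;
GRANT 'app_read' TO 'report'@'10.0.1.%';
SET DEFAULT ROLE ALL TO 'report'@'10.0.1.%';

CREATE USER IF NOT EXISTS 'api'@'10.0.2.%'
  IDENTIFIED BY 'Example-Only-Ch4nge-Me-Too!'
  WITH MAX_USER_CONNECTIONS 50;
GRANT 'app_read', 'app_write' TO 'api'@'10.0.2.%';
SET DEFAULT ROLE ALL TO 'api'@'10.0.2.%';

-- 6. Verify the effective privileges, including those inherited via roles.
SHOW GRANTS FOR 'api'@'10.0.2.%' USING 'app_read', 'app_write';
```

Steps 2 through 4 are the part worth scheduling: run them from a monitoring job and alert on any row that is not on an allow-list of known administrative accounts, so a credential injected through mysql.user or a freshly created anonymous account shows up within minutes rather than at the next manual review.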

16. MySQL Security in the Cloud
AWS Focused

17. Pillars of AWS Security
Data Protection, Privilege Management, Security Infrastructure, Detective Controls, Management

18. AWS Security Best Practices
● Know the shared responsibility model
● Manage AWS Accounts, IAM / MFA Users, Groups, and Roles
● EC2 topology management
○ VPC
● RDS MySQL
○ RDS
○ Aurora
● AWS Tools
○ CloudTrail
○ CloudWatch
○ Config

19. AWS Security Best Practices
● RDS
○ Shared responsibility for container service
● EC2
○ Amazon Machine Images (AMIs)
○ Operating systems
○ Applications
○ Data in transit
○ Data at rest
○ Data stores
○ Credentials - key pairs
○ Policies and configuration

20. AWS Shared Responsibility Model

21. AWS IAM is your friend
● Centrally manage users
● Manage security credentials
○ passwords, access keys, and permissions policies
● Beware of regions, availability zones, endpoints
● AWS API keys require strict protection
○ E.g. code pushed to GitHub, Bitbucket etc. with keys

22. In addition to IAM
● AWS Key Management Service
● AWS CloudTrail
○ Audit logging, invaluable to know what occurred and when
● AWS Macie - data classification service
● AWS Trusted Advisor
○ Automated tool to get reports on security groups etc. (if you spend enough)
https://aws.amazon.com/premiumsupport/ta-faqs/

23. Pre-configure and harden EC2 AMI
● Disable root API access keys and secret key
● Require MFA for all IAM accounts
● Restrict access to instances from limited IP ranges using Security Groups
● Password protect the .pem file on user machines
● Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access
● Rotate credentials (DB, access keys)
● Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
● Use bastion hosts to enforce control and visibility

24. Utilizing AWS VPC

25. MySQL Data in Transit
● Web Layer
○ Encrypt data in transit using IPsec ESP and/or SSL/TLS
○ Authenticate data integrity using IPsec ESP/AH and/or SSL/TLS
○ Use IPsec with IKE with pre-shared keys
● Database Layer
○ SSL/TLS is currently supported for connections to Amazon RDS MySQL
○ AWS provides a single self-signed certificate associated with the MySQL

26. AWS Trusted Advisor Tool Checks
● Limited access to common administrative ports to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet), 3389 (RDP), and 5500 (VNC).
● Limited access to common database ports. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), 1521 (Oracle) and 5432 (PostgreSQL).
● IAM is configured to help ensure secure access control of AWS resources.
● A multi-factor authentication (MFA) token is enabled to provide two-factor authentication for the root AWS account.

27. References and Credits
References:
● AWS Security Best Practices
● IAM Best Practices
● Amazon Virtual Private Cloud Connectivity Options
● VPC Networking Components
● SSL Connections in MySQL 5.7
● ProxySQL Improves MySQL SSL Connections
● Everything about MySQL Users and Logins You Didn't Know and Were Afraid to Ask
Credits:
● Colin Charles
● Janos Ruzso
● Tibor Korocz
● Jervin Real
● Daniel van Eeden

28. Questions and Answers

29. Thank You Sponsors!!