Securing your database servers from external attack
A key part of your infrastructure is the database tier, yet it does not get enough attention, judging by how many people get bitten by badly chosen defaults or simply by a lack of understanding of how to run a secure database tier. In this talk I will focus on MySQL/MariaDB, PostgreSQL and MongoDB and cover external authentication, auditing, encryption, SSL, firewalls, replication and more gems gathered from over ten years of consulting for Percona's 4000+ customers.
1. Securing your database servers from external attacks
Alkin Tezuysal (Sr. Technical Manager, Percona)
David Busby (Information Security Architect, Percona)
2. Who we are?
David Busby (@icleus)
● Technical Security Evangelist
● Open Source Evangelist
● Certified Information Systems Security Professional
● Assistant Scout Leader
● Assistant Instructor, computing for children
● Ju-Jitsu nidan and ex-Instructor
Alkin Tezuysal (@ask_dba)
● Open Source Database Evangelist
● Global Database Operations Expert
● Cloud Infrastructure Architect, AWS
● Inspiring Technical and Strategic Leader
● Creative Team Builder
● Speaker, Mentor, and Coach
● Outdoor Enthusiast
3. Agenda
● Security Common Sense
● MySQL Security
○ MySQL Passwords
○ MySQL Communication
○ MySQL Encryption
● Security Best Practices
● MySQL Security in Cloud Operators (AWS)
● Q&A
4. Database Security Best Practices: Apply Common Sense here
5. Security Do's
● Restrict access to database hosts
○ Not just to the database service
● Create individual users; use roles (MySQL 8.0)
● Set a password for all users
● Remove anonymous and obsolete users
● Use up-to-date software
● Review, update and modify security policies as needed
● Always remember to secure internal vulnerabilities before blocking external ones
6. Password Attacks
● Weak passwords?
● Reusing old passwords?
● Leverage the password validation plugin!
● Older MySQL versions are not password-feature rich
● MySQL "unsha1" attack (a captured handshake plus the stored hash recovers SHA1(password), which is all a client needs to log in)
● MySQL hash cracking with OSS tools (john, hashcat, etc.)
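Added example, not from the slides: the mysql_native_password exchange that both the unsha1 attack and the hash-cracking tools on this slide target. The code follows the documented challenge/response (client sends SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw))); the server stores only SHA1(SHA1(pw))). It shows that the stored value is unsalted and cracks offline, and that the stored hash plus one sniffed handshake yields SHA1(pw), which authenticates on its own (pass-the-hash, the same reason `IDENTIFIED BY '*ABC...'` sidesteps validate_password). The password, scramble bytes and wordlist are constructed for the demo.

```python
"""mysql_native_password: a leaked mysql.user hash is as good as the password.

Added example, not from the talk. Implements the documented
mysql_native_password challenge/response and demonstrates:
  1. the stored value is '*' + hex(SHA1(SHA1(pw))): unsalted, so it cracks
     offline at full speed (john / hashcat mode 300);
  2. the "unsha1" attack: stored hash + one captured handshake -> SHA1(pw),
     and SHA1(pw) alone is enough to authenticate (pass-the-hash).
Password, scramble and wordlist below are constructed for the demo.
"""
import hashlib
from typing import Iterable, Optional


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> str:
    """Value kept in mysql.user (PASSWORD() in old releases)."""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def client_response(stage1: bytes, scramble: bytes) -> bytes:
    """Client side of the handshake. Needs only stage1 = SHA1(pw), never pw."""
    stage2 = sha1(stage1)
    return xor(stage1, sha1(scramble + stage2))


def server_verify(stored: str, scramble: bytes, response: bytes) -> bool:
    """Server side: undo the XOR with its stored stage2, then check SHA1(stage1)."""
    stage2 = bytes.fromhex(stored[1:])
    stage1 = xor(response, sha1(scramble + stage2))
    return sha1(stage1) == stage2


def unsha1(stored: str, scramble: bytes, response: bytes) -> bytes:
    """Attacker holding the stored hash and one sniffed (scramble, response)
    recovers stage1 exactly the way the server does."""
    stage2 = bytes.fromhex(stored[1:])
    return xor(response, sha1(scramble + stage2))


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack; no salt means one SHA1 pair per candidate."""
    return next((w for w in wordlist if stored_hash(w) == stored), None)


def demo() -> dict:
    password = "Winter2018!"                   # constructed
    stored = stored_hash(password)             # what sits in mysql.user / a backup
    scramble = bytes(range(1, 21))             # constructed 20-byte server nonce

    # Legitimate login: the client derives stage1 from the password.
    response = client_response(sha1(password.encode()), scramble)
    legit_ok = server_verify(stored, scramble, response)

    # Attacker: stored hash + captured handshake -> stage1, no cracking needed.
    stage1 = unsha1(stored, scramble, response)
    # Pass-the-hash against a fresh challenge, without ever learning the password.
    new_scramble = bytes(range(100, 120))
    pth_ok = server_verify(stored, new_scramble, client_response(stage1, new_scramble))

    cracked = crack(stored, ["password", "Winter2017!", "Winter2018!"])
    return {"legit_ok": legit_ok,
            "stage1_recovered": stage1 == sha1(password.encode()),
            "pass_the_hash_ok": pth_ok,
            "cracked": cracked}


if __name__ == "__main__":
    print(demo())
```

The practical consequences: treat a dump of mysql.user (or any backup containing it) as a credential leak, keep the 5.7+ `sha256_password` / 8.0 `caching_sha2_password` plugins in mind for new accounts, and never accept a weak password just because it arrives pre-hashed.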
7. Network Operations
● All connections must use SSL (or other encryption)
○ Performance impact is minimal versus the risks
● MySQL >= 5.7 has SSL connections by default
○ Ensure >= 5.7.13
● Network encrypted tunnel options
○ N2N, OpenVPN (TLS), SSH tunnel, IPsec
Links:
https://www.percona.com/blog/2017/06/27/ssl-connections-in-mysql-5-7/
https://www.percona.com/blog/2017/09/19/proxysql-improves-mysql-sslconnections/
http://databaseblog.myname.nl/2017/05/mysql-and-ssltls-performance.html
https://github.com/ntop/n2n
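Added example, not from the slides: a quick way to check from the wire whether a MySQL server actually offers TLS. The first packet a server sends (Protocol::HandshakeV10) carries its capability flags, and CLIENT_SSL (0x0800) is set only when the server started with usable certificates; this is the bit `mysql --ssl-mode=REQUIRED` and nmap's mysql-info script look at. The parser below follows the documented packet layout; `build_greeting()` is an assumption-free helper that constructs sample packets so the example runs offline, where a real check would read the bytes from the socket right after connecting.

```python
"""Does this MySQL server advertise TLS? Parse the CLIENT_SSL bit from its
greeting packet (Protocol::HandshakeV10). Added example, not from the talk;
build_greeting() constructs sample packets so the parser runs offline.
"""
import struct
from typing import Dict

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def build_greeting(version: bytes, caps: int, scramble: bytes, plugin: bytes) -> bytes:
    """Construct a HandshakeV10 packet with the layout servers really send:
    20-byte scramble split 8 + 12 (+ NUL), auth_plugin_data_len = 21."""
    assert len(scramble) == 20
    body = b"\x0a" + version + b"\x00"              # protocol 10, server version
    body += struct.pack("<I", 1234)                 # connection id
    body += scramble[:8] + b"\x00"                  # auth-plugin-data-part-1, filler
    body += struct.pack("<H", caps & 0xFFFF)        # capability flags (lower 16 bits)
    body += b"\x21"                                 # charset utf8_general_ci
    body += struct.pack("<H", 0x0002)               # status: SERVER_STATUS_AUTOCOMMIT
    body += struct.pack("<H", caps >> 16)           # capability flags (upper 16 bits)
    body += b"\x15" + b"\x00" * 10                  # auth_plugin_data_len, reserved
    body += scramble[8:] + b"\x00"                  # auth-plugin-data-part-2 (13 bytes)
    body += plugin + b"\x00"                        # auth plugin name
    return struct.pack("<I", len(body))[:3] + b"\x00" + body   # 3-byte length, seq 0


def parse_greeting(packet: bytes) -> Dict[str, object]:
    """Return version, capabilities, TLS flag, auth plugin and scramble."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if body[0] == 0xFF:                             # ERR packet, e.g. host not allowed
        raise ValueError("server refused the connection before the handshake")
    if body[0] != 0x0A:
        raise ValueError("unsupported handshake protocol %d" % body[0])
    end = body.index(b"\x00", 1)
    version = body[1:end].decode()
    pos = end + 1 + 4                               # skip NUL and connection id
    scramble = body[pos:pos + 8]
    pos += 8 + 1                                    # part-1, filler
    caps = struct.unpack_from("<H", body, pos)[0]
    pos += 2 + 1 + 2                                # lower caps, charset, status
    caps |= struct.unpack_from("<H", body, pos)[0] << 16
    pos += 2
    data_len = body[pos]
    pos += 1 + 10                                   # auth_plugin_data_len, reserved
    if caps & CLIENT_SECURE_CONNECTION:
        part2 = max(13, data_len - 8)
        scramble += body[pos:pos + part2 - 1]       # drop the trailing NUL
        pos += part2
    plugin = ""
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:body.index(b"\x00", pos)].decode()
    return {"version": version, "capabilities": caps,
            "tls_advertised": bool(caps & CLIENT_SSL),
            "auth_plugin": plugin, "scramble": scramble}


if __name__ == "__main__":
    base = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    pkt = build_greeting(b"5.7.13-log", base | CLIENT_SSL, bytes(range(20)),
                         b"mysql_native_password")
    print(parse_greeting(pkt))
```

Advertising TLS is not enforcing it. Set `require_secure_transport=ON` (5.7.8+) or add `REQUIRE SSL` / `REQUIRE X509` per account, and have clients verify the server with `--ssl-mode=VERIFY_IDENTITY` (5.7.11+) rather than the default `PREFERRED`, which silently falls back to plaintext against a server whose greeting lacks this bit.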
8. MySQL Data Encryption
● Disk volume encryption
○ BitLocker, FileVault2, LUKS, eCryptfs, VeraCrypt, EBS encrypted volumes (please use KMS for encryption keys!)
● At-rest encryption for InnoDB tablespaces
● At-rest encryption for binary logs
Links:
https://dev.mysql.com/doc/refman/5.7/en/faqs-tablespace-encryption.html
https://docs.oracle.com/cd/E17952_01/mysql-5.7-en/innodb-tablespace-encryption.html
https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html
9. Connection Overhead
https://tinyurl.com/y7v7jhmo
https://tinyurl.com/ycldtnpk
10. Security Features by MySQL: MySQL variants
11. MySQL Variants
● MySQL Community Edition 5.5 -> 8.0
● MySQL Enterprise Edition
● Percona Server 5.5 -> 5.7 -> 8.0
● MariaDB 5.5, 10.X
● Galera, Group Replication/InnoDB Cluster
● X Protocol/mysqlsh (port 33060) -> 8.0
Links:
https://dev.mysql.com/doc/internals/en/x-protocol.html
https://dev.mysql.com/doc/internals/en/x-protocol-authentication-authentication.html
12. MySQL Security by Version (account-management statements and the release that introduced them)
● GRANT (3.23)
● REVOKE (3.23)
● SET PASSWORD (3.23)
● SHOW GRANTS (3.23)
● DROP USER (4.1)
● SHOW PRIVILEGES (4.1)
● CREATE USER (5.0)
● RENAME USER (5.0)
● ALTER USER (5.6)
● SHOW CREATE USER (5.7)
● CREATE ROLE (8.0)
● DROP ROLE (8.0)
● SET ROLE (8.0)
● SET DEFAULT ROLE (8.0)
13. Important mysql.user table columns by version
● < 5.5: host, user, password
● 5.5 and later: authentication_string
● 5.6 and later: password_expired
● 5.7 and later: account_locked; password column removed
● 8.0 and later: create_role_priv, drop_role_priv
14. Security Features by MySQL Version
● 5.1 - McAfee Audit plugin
● 5.5 - pluggable authentication (MariaDB 5.2 backport), proxy users, changes in the mysql.user table, client password warning; Enterprise Audit and PAM authentication (present again in Percona Server for MySQL and MariaDB Server)
● 5.6 - encrypted client credentials (mysql_config_editor), sha256_password, password expiry, VALIDATE_PASSWORD_STRENGTH(), --random-passwords (optional random password on install), mysql.user password_expired column; Enterprise Firewall
● 5.7 - grep for the root password on installation, password expiry every 'n' days, user accounts can be locked/unlocked, mysql_ssl_rsa_setup, mysql.user.password removed, super_read_only provided, at-rest tablespace encryption
● 8.0 - roles + mysql.user changes
● Percona Server
○ MySQL 5.5 - extended SHOW GRANTS, utility user, userstats, Audit Plugin
○ MySQL 5.6 - super_read_only
○ MySQL 5.7 - Vault plugin
15. Harden your MySQL Security
● Set a password for 'root'
● Remove all anonymous users
● Remove the 'test' database (gone in 8.0)
● Use mysql_secure_installation where possible (5.7)
● Install (and use!) the validate_password plugin (>= 5.6)
○ There are methods which circumvent it, however ...
■ ... IDENTIFIED BY '*ABC...' (passing the hash lets a weak password in unchecked)
● Ensure the principle of least privilege
○ Stop using GRANT ALL ON *.* ...
○ ALL includes: FILE, CREATE ROUTINE, SUPER, ...
○ Allowing writes on mysql.user allows injection of credentials that will be loaded later (on FLUSH PRIVILEGES or restart)!
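Added example, not from the slides: a small audit of `SHOW GRANTS` output for the mistakes this slide lists. Feed it the grant lines for every account (from `SHOW GRANTS FOR 'u'@'h'`, or pt-show-grants) and it flags anonymous accounts, `ALL` or other server-takeover privileges on `*.*`, anything that can write the `mysql` schema (including via a global `INSERT ON *.*`, which is easy to overlook), `WITH GRANT OPTION`, and `'%'` hosts. The grant lines in `SAMPLE_GRANTS` are constructed sample input.

```python
"""Audit SHOW GRANTS output for over-privileged MySQL accounts.
Added example, not from the talk; SAMPLE_GRANTS is constructed input.
"""
import re
from typing import List, Tuple

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<tail>.*)$")

# Privileges that amount to OS or server takeover when held on *.*
ADMIN_PRIVS = {"ALL PRIVILEGES", "FILE", "SUPER", "SHUTDOWN", "CREATE USER", "PROCESS"}
# Privileges that let an account modify the grant tables if they reach mysql.*
WRITE_PRIVS = {"ALL PRIVILEGES", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER"}

SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'app'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'shop_rw'@'10.0.1.%'",
    "GRANT FILE, SUPER ON *.* TO 'backup'@'localhost'",
    "GRANT USAGE ON *.* TO ''@'localhost'",
    "GRANT INSERT ON *.* TO 'etl'@'10.0.2.7'",
    "GRANT UPDATE ON `mysql`.`user` TO 'helpdesk'@'10.0.3.4'",
    "GRANT SELECT (id, name) ON `shop`.`customers` TO 'reporting'@'10.0.1.9'",
]


def split_privs(privs: str) -> set:
    """'SELECT (id, name), INSERT' -> {'SELECT', 'INSERT'} (column lists dropped)."""
    return {p.strip().upper() for p in re.sub(r"\([^)]*\)", "", privs).split(",")}


def audit_grants(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (account, issue) pairs; an account may appear several times."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue                                   # not a GRANT line (e.g. REQUIRE SSL rows in 8.0)
        who = "'%s'@'%s'" % (m["user"], m["host"])
        privs = split_privs(m["privs"])
        obj = m["obj"].replace("`", "")
        schema = obj.split(".")[0]                     # '*' for global grants
        if m["user"] == "":
            findings.append((who, "anonymous account"))
        if m["host"] == "%":
            findings.append((who, "reachable from any host ('%')"))
        if obj == "*.*" and privs & ADMIN_PRIVS:
            findings.append((who, "global admin privileges: " + ", ".join(sorted(privs & ADMIN_PRIVS))))
        if schema in ("mysql", "*") and privs & WRITE_PRIVS:
            findings.append((who, "can write the mysql schema (credential injection): "
                             + ", ".join(sorted(privs & WRITE_PRIVS))))
        if "GRANT OPTION" in m["tail"].upper():
            findings.append((who, "WITH GRANT OPTION"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_grants(SAMPLE_GRANTS):
        print(account, "-", issue)
```

Run it against a full dump of grants rather than a few accounts you remember; the `etl` and `helpdesk` cases above are the kind that pass a casual review because neither line contains the word ALL.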
16. MySQL Security in the Cloud (AWS focused)
17. Pillars of AWS Security (diagram): Data Protection, Privilege Management, Infrastructure Security, Detective Controls, Security Management
18. AWS Security Best Practices
● Know the shared responsibility model
● Manage AWS accounts, IAM / MFA users, groups, and roles
● EC2 topology management
○ VPC
● RDS MySQL
○ RDS
○ Aurora
● AWS tools
○ CloudTrail
○ CloudWatch
○ Config
19. AWS Security Best Practices
● RDS
○ Shared responsibility for a container service
● EC2
○ Amazon Machine Images (AMIs)
○ Operating systems
○ Applications
○ Data in transit
○ Data at rest
○ Data stores
○ Credentials - key pairs
○ Policies and configuration
20. AWS Shared Responsibility Model (diagram)
21. AWS IAM is your friend
● Centrally manage users
● Manage security credentials
○ Passwords, access keys, and permissions policies
● Beware of regions, availability zones, endpoints
● AWS API keys require strict protection
○ E.g. code pushed to GitHub, Bitbucket etc. with keys in it
22. In addition to IAM
● AWS Key Management Service
● AWS CloudTrail
○ Audit logging, invaluable for knowing what occurred and when
● AWS Macie - data classification service
● AWS Trusted Advisor
○ Automated tool to get reports on security groups etc. (if you spend enough)
https://aws.amazon.com/premiumsupport/ta-faqs/
23. Pre-configure and harden EC2 AMIs
● Disable the root account's API access key and secret key
● Require MFA for all IAM accounts
● Restrict access to instances to limited IP ranges using Security Groups
● Password-protect the .pem file on user machines
● Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access
● Rotate credentials (DB, access keys)
● Regularly run least-privilege checks using IAM Access Advisor and IAM "last used" access key data
● Use bastion hosts to enforce control and visibility
24. Utilizing AWS VPC (diagram)
25. MySQL Data in Transit
● Web layer
○ Encrypt data in transit using IPsec ESP and/or SSL/TLS
○ Authenticate data integrity using IPsec ESP/AH and/or SSL/TLS
○ Use IPsec with IKE and pre-shared keys
● Database layer
○ SSL/TLS is currently supported for connections to Amazon RDS MySQL
○ AWS provides a single self-signed certificate associated with the MySQL
26. AWS Trusted Advisor Checks
● Access to common administrative ports is limited to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet), 3389 (RDP), and 5500 (VNC).
● Access to common database ports is limited. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), 1521 (Oracle) and 5432 (PostgreSQL).
● IAM is configured to help ensure secure access control of AWS resources.
● A multi-factor authentication (MFA) token is enabled to provide two-factor authentication for the root AWS account.
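Added example, not from the slides: the two port checks above, reimplemented over the JSON that `aws ec2 describe-security-groups` returns, so you can run them without a support plan and against the exact port list you care about. It handles the cases that hand-review misses: protocol `-1` (all traffic, no port fields in the output), port ranges that happen to cover an admin port, and IPv6 `::/0`. `SAMPLE_SGS` is a constructed document in that output format.

```python
"""Flag security group rules exposing admin or database ports to the world.
Added example, not from the talk; SAMPLE_SGS is constructed sample input in
the format of `aws ec2 describe-security-groups`.
"""
import json
from typing import Dict, List, Tuple

ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5500: "VNC"}
DB_PORTS = {1433: "MSSQL Server", 1434: "MSSQL Monitor", 1521: "Oracle",
            3306: "MySQL", 5432: "PostgreSQL"}
WORLD = {"0.0.0.0/0", "::/0"}

SAMPLE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0db", "GroupName": "mysql", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},   # fine: from web SG only
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},          # bad
    {"GroupId": "sg-0legacy", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},  # bad: everything
    {"GroupId": "sg-0admin", "GroupName": "ftp-and-friends", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},          # bad: range covers 22, 23
]})


def rule_ports(perm: Dict) -> Tuple[int, int]:
    """Protocol -1 carries no port fields and means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_sources(perm: Dict) -> List[str]:
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD)


def audit_security_groups(doc: str) -> List[Dict]:
    findings = []
    watched = {**ADMIN_PORTS, **DB_PORTS}
    for sg in json.loads(doc)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = world_sources(perm)
            if not sources or perm.get("IpProtocol") not in ("-1", "tcp"):
                continue                                   # SG-to-SG or UDP-only rules
            lo, hi = rule_ports(perm)
            for port, service in sorted(watched.items()):
                if lo <= port <= hi:
                    findings.append({"group": sg["GroupId"], "port": port, "service": service,
                                     "kind": "admin" if port in ADMIN_PORTS else "database",
                                     "source": ",".join(sources)})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SGS):
        print("%(group)s: %(kind)s port %(port)d (%(service)s) open to %(source)s" % f)
```

For a database tier the right answer is usually the `sg-0web`-style rule: reference the application's security group as the source and give 3306 no CIDR at all.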
27. References and Credits
References:
● AWS Security Best Practices
● IAM Best Practices
● Amazon Virtual Private Cloud Connectivity Options
● VPC Networking Components
● SSL Connections in MySQL 5.7
● ProxySQL Improves MySQL SSL Connections
● Everything about MySQL Users and Logins You Didn't Know and Were Afraid to Ask
Credits:
● Colin Charles
● Janos Ruzso
● Tibor Korocz
● Jervin Real
● Daniel van Eeden
28. Questions and Answers
29. Thank You Sponsors!!