A couple of  weeks ago I got an unhappy email from my web hosting provider telling me I was in violation of their Terms of Service. Of course I called them immediately and was told that there was a “phishing page” hidden in one of my web directories. My blog had been hacked, so I immediately started doing some house cleaning.

After the initial once over and deletion of any suspicious files I went looking for advice on how to “harden my installation”. Here’s what I found:

• Wordpress.org Codex Hardening Wordpress - Lots of good information here on hardening Wordpress including a general overview of Wordpress security considerations.
• …

This blog post was inspired by a recent report of a Database Analyst at American Express stealing Credit Card data.

It’s amazing how many companies still follow a mainly “perimeter security” approach when it comes to controlling access to sensitive information—their focus is on network security using firewalls, advanced authentication options, and so on. Even with such measures, it’s very common to setup strong barriers to the outside world but very little by way of internal limits; most internal people have some level of access to servers that store and process sensitive data.

Well, there’s nothing wrong with pre-screening your stuff, or having access to the sensitive information, or setting up advanced …

I would like to start off by excusing myself for having had a broken link on http://www.securich.com/downloads.html when I published the latest blog post about Securich.

The tool is downloadable from there and anyone can use it for free in accordance to GPLv2.

I wanted to throw out tutorial about how to install it and use it (Note this tutorial is for version securich version 0.1.2):

This is sort of a self-documenting post, and a self-support group about ill-behaved tomcat apps. Sometimes, you have multiple nodes accesing your MySQL server (or any kind of server, for that matter) concurrently. Eventually, software in one or more of these nodes might do nasty things (you know who you are buddy:)) MySQL provides a … Continue reading iptables trick to limit concurrent tcp connections →

Related posts:

1. Using MySQL Proxy to benchmark query performance By transparently sitting between client and server on each request,...

YARPP powered by AdBistroPowered by

This is the 150th edition of Log Buffer, the weekly review of database blogs. Someone accidentally left Dave Edwards‘ cage unlocked, and he escaped, thus leaving me with the pleasurable duty of compiling the 150th weekly Log Buffer.

Many people other than Dave are finding release this week. Giuseppe Maxia explains some details of MySQL’s New Release Model. Andrew Morgan announces a New MySQL Cluster Maintenance Release. Aleksandr Kuzminsky of the MySQL Performance …

Lately there has been quite some talk about security on MySQL, and I've decided to GPL a package I wrote, implmenting Roles on MySQL. This technology has been available on other databases for quite some time, but hasn't quite yet made it to MySQL's feature list and apart from this tool, the only solution I know of is google's patches for MySQL 5.0.

Lenz Grimmer recently wrote two blogs about password security on MySQL. Both are worth reading in detail. You’ll find them in Basic MySQL Security: Providing passwords on the command line and More on MySQL password security.

Although I wrote a comment on the latter one, there is one point I thought was worth its own blog.

GRANT … IDENTIFIED BY PASSWORD…

You can work around having to specify the password in the open following these steps:

1. Use a local or non-public instance (for example using MySQL Sandbox) to define the user / password combination you need:

   CREATE USER 'name'@'host' IDENTIFIED BY 'secret';

2. Use SHOW GRANTS to …

My last post about Basic MySQL Security generated a number of interesting comments, thanks for all your feedback! I'd like to address a few points that were mentioned there:

While the problem seems to be a non-issue on Linux, Keith Murphy stated that the password might still be visible on other Unix operating systems (e.g. Solaris), as described in Bug#11952 in our bug database. According to the bug report, it depends on the implementation of "ps" — there seems to be a BSD variant (/usr/ucb/ps) as well as a SysV implementation (/usr/bin/ps).

…

Reading through the comments in Ronald's second post about More Basic MySQL Security, I noticed that there seems to be a misunderstanding about the implications of providing passwords to the mysql command line client via the "-p" option:

Jaka Jančar wrote:

What’s more insecure is passing password as an argument to MySQL, like you’ve written (-p[password]), since that can really be seen by anyone.

Shlomi Noach wrote:

While Linux security is often considered good, an astonishing weakness is “ps aux”, where every user can see …

Augusto Bott and myself had a wonderful time at April’s MySQL Conference in Santa Clara, California, and also at the coinciding MySQL Camp and Percona Performance Conference.

We presented two sessions at the conference, and we wanted to share the slides with you. The first one is called Proactive Operational Measures.

The second one is called 8 Simple Rules to Design Secure Applications.

Augusto and I promised that we would make the slides available online, so we’re sorry for the slight delay in getting them published. Enjoy!