Channel: MySQL Forums - Security

strange IP address in Windows 7 event log of 5.9.16 server (2 replies)

I moved a virtual machine from the intranet to the internet after testing it in the intranet. I'm not assuming that MySQL server is using the hostname somewhere and binds to it, IP wise. This said before. Now in the Windows Eventlog, after the machine was brought to the Internet, I found this obscure Event message:

Die Beschreibung für die Ereignis-ID "100" aus der Quelle "MySQL" wurde nicht gefunden. Entweder ist die Komponente, die dieses Ereignis auslöst, nicht auf dem lokalen Computer installiert, oder die Installation ist beschädigt. Sie können die Komponente auf dem lokalen Computer installieren oder reparieren.

Falls das Ereignis auf einem anderen Computer aufgetreten ist, mussten die Anzeigeinformationen mit dem Ereignis gespeichert werden.

Die folgenden Informationen wurden mit dem Ereignis gespeichert:

IP address '61.180.12.345' could not be resolved: Der angegebene Host ist unbekannt.

I changed the IP address here in this post, but tracerouting it led to a site maybe in China, don't know. The last addresses did not resolve in the traceroute. Very strange.

I wonder what MySQL has got to do with this IP address?

--
Christoph

5.6.19 instance crash when you change password with validate_password plug-in on windows (3 replies)

Hi,

I use 5.6.19 on Windows 2008R2 SP1, 64 bits with validate_password plugin.
Process mysqld.exe faults and crashes when I try to change the password:
UPDATE mysql.user SET Password = PASSWORD(@MDP) WHERE User = 'root';

On Application windows Logs :
"Faulting application path: D:\MySQL\MQL56\bin\mysqld.exe
Faulting module path: D:\MySQL\MQL56\bin\mysqld.exe"

Update password works when I disable the validate_password plugin.
#plugin-load=validate_password.dll
#validate_password_dictionary_file=D:/MySQL/admin/generic/forbidden_password.txt
#validate_password_mixed_case_count=1
#validate_password_special_char_count=1
#validate_password_number_count=1
#validate_password_length=10
#validate_password_policy=strong

The plugin_library_version is 1.4.

How to use password validation with 5.6.19 version ?

Regards,
Fred

Problem with password as a parameter to a script (1 reply)

Hi,

I use MySQL 5.6.19 on Windows 2012 with validate_password plugin.
I need to run this script (named security.sql) :

>>> security.sql
UPDATE mysql.user SET Password = PASSWORD(@MDP) WHERE User = 'root';
[...]
FLUSH PRIVILEGES;
<

I call the script with this command :
mysql -uroot -e "set @MDP='%PWD%'; source security.sql;" --port=%PORT% -h localhost

>>> As a result Instance crash (service is stopped).

I found on the Application windows Logs :
"Faulting application path: D:\MySQL\MQL56\bin\mysqld.exe"

As a workaround, I change the password externally :
mysql -u root -e "UPDATE mysql.user SET Password = PASSWORD('%PWD%') WHERE User = 'root'; source security.sql;" --port=%PORT% -h localhost

>>> I remove update password from security.sql
[...]
FLUSH PRIVILEGES;
<

So, I have two questions :
-> Is my syntax correct ?
-> Can I consider this as a BUG ? (instance crash when i run a command)

Regards,
Frederic Eveilleau

PS : My.ini contains :
#*** password security***
plugin-load=validate_password.dll
validate_password_dictionary_file=C:/forbidden_password.txt
validate_password_mixed_case_count=1
validate_password_special_char_count=1
validate_password_number_count=1
validate_password_length=10
validate_password_policy=strong

verifyServerCertificate - is not working (no replies)

Hello Everyone,

I am trying to verify the subject name of the server certificate and I have only the CA Certificate of the server.

equivalent of --ssl-verify-server-cert

When I specify verifyServerCertificate=true in the following connection string : Irrespective of the subject name in the server certificate, it's connecting to database. Can someone tell me how should I change this to verify the subject name ? :(

jdbc:mysql://jithethner.sin.hostname:3306/INFORMATION_SCHEMA?socketTimeout=10000&connectTimeout=10000&useSSL=true&verifyServerCertificate=true&trustCertificateKeyStoreUrl=file:/tmp/cacert.jks&trustCertificateKeyStoreType=JKS&trustCertificateKeyStorePassword=keystorepwd, properties: {user=username, password=password}

I gave clientCertificateKeyStore* instead of trustCertificateKeyStore*, because in the description of verifyServerCertificate, it said use clientCertificateKeyStore* properties. Then it showed some error like TrustManagerFactorImpl not initialized. Thank you for any help !!!

LDAP USER AUTHENTICATION IN MYSQL (2 replies)

Dear friends,

Please tell me the process how to install pam authentication plugins in community edition of mysql or tell me how to authenticate ldap users in mysql

Regards,
Suman

Issue in MySql SSl connection (no replies)

I have enabled SSL on mysql 5.5.34 [CentOS release 6.4 (Final)]

we have two users for linux : "root" and "admin"

and 2 users for mysql : "root" and "mysqladmin"

I also have created one mysql user called sslclient using below command:

GRANT ALL PRIVILEGES ON *.* TO sslclient@'%' REQUIRE SSL;
GRANT ALL PRIVILEGES ON *.* TO sslclient@'localhost' REQUIRE SSL;

I had to do "chown mysql.mysql /etc/mysqlssl/*" and "chmod 440 /etc/mysqlssl/*" to enable SSL

Made sure that SSL is enabled by doing "show variables like '%ssl%'"

+---------------+-------------------------------+
| Variable_name | Value                         |
+---------------+-------------------------------+
| have_openssl  | YES                           |
| have_ssl      | YES                           |
| ssl_ca        | /etc/mysqlssl/ca-cert.pem     |
| ssl_capath    |                               |
| ssl_cert      | /etc/mysqlssl/server-cert.pem |
| ssl_cipher    |                               |
| ssl_key       | /etc/mysqlssl/server-key.pem  |
+---------------+-------------------------------+

We are facing two issues:

1) When I try to connect mysql using (from linux "admin" user)

mysql -u sslclient --ssl-ca=/etc/mysqlssl/ca-cert.pem

gives me error : "ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use"



2) I can connect mysql (from linux "root" user) only using mysql "root" user, not using any other user say "mysqladmin" or "sslclient", i.e.

"mysql -u mysqladmin" gives me below error

"Access denied for user 'mysqladmin'@'localhost' (using password: YES)"



Would there be any relation between both the issues?

What could be the cause and/or solution for above issue?

global variable (2 replies)

Hello, I'm a newbie,
I'm having an issue with a query. Here is my exact syntax

select * from db where user_login = %current_user_id%

and this isn't working.

I was told
"if you would like to use current user's ID in the query (eg, to show records from some table only for the current user) you can use the placeholder %CURRENT_USER_ID% it will be replaced with the actual ID value of the currently logged in user at runtime moment.

so, select * from db where user_login = %CURRENT_USER_ID% will be sent as

select * from db where user_login = 1
(if current user has an id of 1)"

but it's not working

I'm using phpmyadmin and running the syntax in there

Please help.

Restricting query access to database information (no replies)

I am developing a Java Server Faces (JSF) application which uses MySQL v6.0 (Community). I only want select queries to be available from the application itself. I do not want the DB administrator to be able to view table data or to be able to make any queries manually. Is there any way to achieve this? I was thinking of restricting privileges but then this might affect the actual application and not allow data to be displayed.

Just to be clear, I would like the application to render data normally but I do not want the administrator to be able to make queries manually from the command prompt or from any other interface outside the application security realm. Please let me know if this makes sense or if I need to provide any further information. Thanks in advance.

Another User Permission (no replies)

Hi All,

I created a DB project with OOBase and connected to a MySQL back-end. I recall when I first started to use it, that I was able to login using same username and password both as a system 'user' and/or 'superuser' (and that's fine so far). Moreover, I was able to work (edit/modify) directly on tables only if I logged in as a system 'superuser'.

Now, after many data back ups, through export/import via MySQL WorkBench, it seems that I have lost that privilege; that is, I can modify tables also if I am logged in as a system 'user'.

So, I have been playing around with MySQL WorkBench to add a new 'test' user and grant them only the right to add data, through forms, without being able to work on tables directly (avoiding malicious hands altering the table definitions and messing everything up).

I managed to add a user, through MySQL Workbench.Edit Table Data, by editing the 'mysql schema' at user row, and granting SELECT. I tried it out and it appears that the new 'test' user has access to everything (no matter what privileges I select/unselect to the specific user through the MySQL WorkBench>Manage Security option).

I would like the 'test' user to be able to work with forms to add/view data, but not actually being able to edit tables and/or queries.

I would have loved to attach a cpl of screenshots of the relative windows but it seems that I cannot post attachments in this forum.

Any suggestions would be highly appreciated.

Regards,

OOBase 4.1
MariaDB 5.5.37
MySQL Workbench GPL 5.2
on Slackware 14.1

SSL on Windows (1 reply)

Hi,

Trying to set up SSL connection on Windows Environment.

mysql Vars showing as :
have_openssl DISABLED
have_ssl DISABLED
ssl_ca ca-cert.pem
ssl_capath
ssl_cert server-cert.pem
ssl_cipher
ssl_key server-key.pem

Are ssl_capath, ssl_cipher mandatory ?
The openssl files have been verified successfully.


I pasted the cert files into the 'C:\Program Files\MySQL\MySQL Server 5.5' directory (where the ini file is also). Is it OK to do this?

my.ini file looks like :

[mysqld]
log-bin=mysql-bin
server-id=1

ssl-ca=ca-cert.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem

What else do I need to do ?

suggestions for online database w/ user contact info (no replies)

Need some advice on having a web-accessible database with user contact information....


So, I need to develop a database that can allow users to enter their contact info online and then store that information in the database (it's basically a product registration system).

My concern is this: what is the best way to secure this database or keep it secure. Unfortunately, I have to host this on our website, which is a shared hosting account with a major web host (we don't have the on-site computing resources to host our own database server or I would).

What would people recommend to help protect against hacking, and unauthorized access? I had considered encrypting the entire database (or rather, all data in the database itself--not necessarily the database structure). Any other ideas?

(Sorry if this question doesn't fit here--move it wherever it should be located--I figured it was somewhat security related.)

Connect Stunnel client to SSL MySql Server (without Stunnel Server) (1 reply)

I tried to connect my workstation (with an installed stunnel client) to a MySql Server SSL enabled, but MySql Server aborts this connection.

The standard mysql ssl connection works:

mysql -h <server_name> -u <user_name> -p --ssl-key=<path>/client-key.pem --ssl-cert=<path>/client-cert.pem

Stunnel connection doesn't work:

mysql -h 127.0.0.1 -u <user_name> -P 3307 -p --ssl-key=<path>/client-key.pem --ssl-cert=<path>/client-cert.pem

with stunnel.conf:
-------------------------------------
client = yes

pid = /etc/stunnel/stunnel.pid

debug = 7
output = /var/log/stunnel/stunnel.log

TIMEOUTclose=10
sslVersion = all
#options = NO_SSLv2

[mysqls]
accept = 127.0.0.1:3307
connect = <server>:3306
----------------------------------

(I tried with or without "options = NO_SSLv2")

I ask for your help to find what is wrong.

Thanks

securing transactions and connections via SSL (no replies)

Can anyone provide any good articles or books on establishing secure MYSQL connections (for querying, connections, etc) over SSL? I'm experienced with mysql but am new to how to utilize SSL with mysql.

Is SSL recommended for this setup? (no replies)

I host my own personal website. I also host my own DNS, email and MySQL server.

The server runs FreeBSD 10 using jails. I have BIND9, Apache, Postfix/Dovecot and MySQL server in their own jail.

Each jail has its own IP address. I set up four network aliases in my rc.conf file to give me a total of four + one main different IP addresses on one adapter.

Since Wordpress/phpMyAdmin/Roundcube communicate to the MySQL server through this method of network aliases, should I be concerned about using SSL even though it's on a local network?

Or is this method similar to a MySQL server communicating to Wordpress on the loop back adapter?

!!! Problem with grant PROXY USER - mysql 5.6.17 !!! (4 replies)

Hi,

I have problem with grant user:

when I run
GRANT PROXY ON 'proftpd'@'localhost' TO ''@'';
I have error ERROR 1698 (28000): Access denied for user 'root'@'xxx-xxx02.xx.xxxx.xx'

show grant for user root
+--------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@%                                                                                                              |
+--------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD '*D6AC92A952B1901A77164FE7577E9C46FC740A0C' WITH GRANT OPTION |
+--------------------------------------------------------------------------------------------------------------------------------+

mysql version 5.6.17-log

Help

Windows file security and Select Into Outfile (no replies)

I am working in a highly controlled Windows server environment in a physically secure facility with no printing/saving to thumb drive, etc. I need to be able to write outfiles to a special folder on the Windows server that only I can have access to. Creating a MySQL user is not permitted so all writes have to be write/read under my username (xyz). Is there any way to force MySQL to write outfile or load data infile using a specific domain username?

Cannot make mysql client read the password from .mylogin.cnf (4 replies)

Hello,

I'm trying to make mysql client on linux connect to a mysql server without requiring the password to be given interactively. Steps taken:

1) First create a mylogin.cnf file

$ mysql_config_editor set --user=<user> --password --host=<host>
Enter password:

2) File created successfully:

$ ls -la .mylogin.cnf
-rw-------. 1 urmt urmt 136 Dec 19 11:01 .mylogin.cnf
$ mysql_config_editor print --all
[client]
user = <user>
password = *****
host = <host>

3) Connect using mysql client

$ mysql <dbname>
ERROR 1045 (28000): Access denied for user '<user>'@'<host>' (using password: NO)

Is there a default value/configuration somewhere that makes the client ignore the password in mylogin.cnf? The user and host properties were read correctly from the file.

I am able to connect just fine if I provide the password on the command line:

$ mysql -p <dbname>
Enter password:
Reading table information...
...
mysql>

I get the same behavior if I define login path.
I get the same behavior if I define a clear-text file ~/.my.cnf and set the user, database, host and password there.

MySQL client version is 5.6.22, MySQL Server version is 5.6.22, both on Oracle Linux 6. Client and server are on different hosts.

Thanks

MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256 (no replies)

I have compiled MySQL with openssl, I am able to connect to MySQL over SSL with TLS1.0 ciphers. But when I tried to connect with TLS1.2 ciphers connection fails with error.
===============
MySQL server version :- 5.6.23-log Source distribution
Custom OpenSSL version :- OpenSSL 1.0.1j 15 Oct 2014
Java version :- 1.8.0_40
===============
Error thrown with TLS1.2 cipher connect :-
> mysql -umysql --ssl-cipher=DHE-RSA-AES256-SHA256 -T -v
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

User time 0.00, System time 0.00
Maximum resident set size 2664, Integral resident set size 0
Non-physical pagefaults 777, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 2, Involuntary context switches 5
===============
Snippet of my.cnf :-
[client]
default-character-set=utf8
ssl=ON
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/client-cert.pem
ssl-key=/home/mysql-cert/client-key.pem

[mysql]
default-character-set=utf8

[mysqld]
general_log=1

ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256
ssl-cipher=AES256-SHA
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/server-cert.pem
ssl-key=/home/mysql-cert/server-key.pem
===============
MySQL prompt snippet with TLS1.0 cipher connected :-

mysql> \s
--------------
mysql Ver 14.14 Distrib 5.6.23, for Linux (x86_64) using EditLine wrapper

Connection id: 6
Current database:
Current user: root@localhost
SSL: Cipher in use is AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.6.23-log Source distribution
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /tmp/mysql.sock
Uptime: 1 hour 32 min 40 sec

Threads: 1 Questions: 11 Slow queries: 0 Opens: 67 Flush tables: 1 Open tables: 60 Queries per second avg: 0.001
--------------

mysql> SHOW STATUS LIKE 'ssl%';
+--------------------------------+--------------------------+
| Variable_name                  | Value                    |
+--------------------------------+--------------------------+
| Ssl_accept_renegotiates        | 0                        |
| Ssl_accepts                    | 6                        |
| Ssl_callback_cache_hits        | 0                        |
| Ssl_cipher                     | AES256-SHA               |
| Ssl_cipher_list                | AES256-SHA               |
| Ssl_client_connects            | 0                        |
| Ssl_connect_renegotiates       | 0                        |
| Ssl_ctx_verify_depth           | 18446744073709551615     |
| Ssl_ctx_verify_mode            | 5                        |
| Ssl_default_timeout            | 7200                     |
| Ssl_finished_accepts           | 3                        |
| Ssl_finished_connects          | 0                        |
| Ssl_server_not_after           | Jan 23 10:29:20 2025 GMT |
| Ssl_server_not_before          | Mar 17 10:29:20 2015 GMT |
| Ssl_session_cache_hits         | 0                        |
| Ssl_session_cache_misses       | 0                        |
| Ssl_session_cache_mode         | SERVER                   |
| Ssl_session_cache_overflows    | 0                        |
| Ssl_session_cache_size         | 128                      |
| Ssl_session_cache_timeouts     | 0                        |
| Ssl_sessions_reused            | 0                        |
| Ssl_used_session_cache_entries | 0                        |
| Ssl_verify_depth               | 18446744073709551615     |
| Ssl_verify_mode                | 5                        |
| Ssl_version                    | TLSv1                    |
+--------------------------------+--------------------------+
25 rows in set (0.00 sec)

mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |
| ssl_ca        | /home/mysql-cert/ca.pem          |
| ssl_capath    |                                  |
| ssl_cert      | /home/mysql-cert/server-cert.pem |
| ssl_cipher    | AES256-SHA                       |
| ssl_crl       |                                  |
| ssl_crlpath   |                                  |
| ssl_key       | /home/mysql-cert/server-key.pem  |
+---------------+----------------------------------+
9 rows in set (0.00 sec)

mysql>
===============
MySQL compiled as :-
> cmake . -DCMAKE_PREFIX_PATH=/opt/scr-openssl/ssl/ -DWITH_SSL=/opt/scr-openssl/ssl/ -DWITH_OPENSSL=/opt/scr-openssl/ssl/bin/ -DWITH_OPENSSL_INCLUDES=/opt/scr-openssl/ssl/include/ -DWITH_OPENSSL_LIBS=/opt/scr-openssl/ssl/lib/ -DENABLE_DOWNLOADS=1
>make
>make install
===============

Please help me out to configure MySQL to work with TLS1.2 cipher.
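
Added example, not part of the original post: the [mysqld] group above sets ssl-cipher three times while SHOW VARIABLES reports only AES256-SHA, because the last instance of a repeated option in an option file takes precedence and ssl-cipher expects a single colon-separated list. The check below flags such shadowed options; the function names and the sample string are constructed for illustration.

```python
import re

# Constructed sample: the [mysqld] group from the my.cnf snippet in the post.
SAMPLE_MY_CNF = """\
[mysqld]
general_log=1

ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256
ssl-cipher=AES256-SHA
ssl-ca=/home/mysql-cert/ca.pem
"""

def parse_option_file(text):
    """Return {group: [(lineno, option, value), ...]} in file order."""
    groups, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            groups.setdefault(current, [])
            continue
        if current is None:
            continue  # option outside any group: not evaluated here
        name, sep, value = line.partition("=")
        # MySQL treats '-' and '_' in option names as equivalent.
        name = name.strip().lower().replace("_", "-")
        groups[current].append((lineno, name, value.strip() if sep else None))
    return groups

def shadowed_options(groups):
    """Report options repeated within one group; only the last value is used.
    A few options (e.g. replicate-do-db) accumulate instead, so review hits."""
    findings = []
    for group, entries in groups.items():
        seen = {}
        for lineno, name, value in entries:
            seen.setdefault(name, []).append((lineno, value))
        for name, occ in seen.items():
            if len(occ) > 1:
                findings.append({
                    "group": group,
                    "option": name,
                    "effective": occ[-1][1],
                    "shadowed": [v for _, v in occ[:-1]],
                    "lines": [n for n, _ in occ],
                })
    return findings

def merged_cipher_list(finding):
    """Join every configured value into one colon-separated list, order kept."""
    out = []
    for v in finding["shadowed"] + [finding["effective"]]:
        for c in (v or "").split(":"):
            if c and c not in out:
                out.append(c)
    return ":".join(out)

if __name__ == "__main__":
    for f in shadowed_options(parse_option_file(SAMPLE_MY_CNF)):
        print(f["group"], f["option"], f["lines"], "->", merged_cipher_list(f))
```

Whether the merged list negotiates a TLS 1.2 suite still depends on the protocol versions the server build enables; the check only shows which configured ciphers the server never saw.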

Add user level permissions to MS Access by using a MySQL backend (no replies)

I have a large MS Access 2013 .accdb application which runs a lot of VBA code, with almost 60 users.
I developed a user level permissions mechanism using vba but now plan to migrate the back-end to MySQL community edition for enhanced speed, scalability and also explore the security available using grant permissions in MySQL. I would like to know the following:
1. Mechanism to set MySQL permissions level based on the User login in the front end login form.
2. ODBC connector details in MS Access 2013 for the above functionality.

MySQL Enterprise Firewall - Preventing SQL Injection (no replies)
