I'd like some good links documenting how best to harden mySql.
We've learned we were hacked via a Cold Fusion exploit and would like to prevent future occurrences.
Tags: Microsoft SQL Server, MySQL Server, ColdFusion Language
Yes, we believe it was a Cold Fusion exploit, but the programmer asked for some input on mySQL hardening in general.
_agx_
Well, those are two totally different things. For CF specific exploits, be sure to check http://hackmycf.com.
Though as mentioned, CF's interaction with mySQL is mostly just handing off SQL strings for execution. So securing access primarily involves securing ALL queries with cfqueryparam, i.e. bind variables. You can also mitigate some damage by restricting the operations allowed by the CF DSN in the CF Admin. The default is "all": SELECT, UPDATE, DELETE, CREATE, GRANT etc., but you can customize it by disabling operations not needed in your application.
As for securing mySQL itself, that's not really related to CF specifically. Perhaps some of the mySQL experts were scared off by the mention of CF? Might want to modify the question to ask about securing mySQL in general. I'll leave the specific advice about MySQL to the MySQL gurus, but there are a lot of general tips on securing mySQL, such as this one.
Thanks again. The items in 'this one' :-) are what I've put on the list so far, and I'll be adding your comment to that. In our case, the boss for some reason did not apply a CF patch which would have prevented that exploit.
Other hardening mentioned elsewhere, such as stored procedures and prepared statements, was not supported by mySQL way way back when he first started using mySQL, so I'm not sure how I'll present those to him :-)
_agx_
As long as you add cfqueryparam to all query parameters, you're essentially getting the benefits of prepared statements: performance, bind variables. Prepared statements are what CF uses behind the scenes anyway.
> Other hardening mentioned elsewhere such as stored procedures,
Stored procs have some advantages, i.e. easier to centralize permissions and db logic. It's easier to perform complex SQL. But stored procs don't offer any performance or security benefits over proper use of cfqueryparam AFAIK.
Though watch out for stored procs that use dynamic sql - notoriously insecure.
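As an added illustration (not code posted by anyone in this thread) of the cfqueryparam advice earlier in the thread and the stored-proc point in this last comment: a vulnerable cfquery beside its parameterised form, the same binding applied to LIKE and IN clauses, and a cfstoredproc call. The datasource name "app_dsn", the "users" table and the procedure "get_user_by_id" are made up for the example.

```cfml
<!--- Added example, not from the original thread. Assumed names: datasource
      "app_dsn", table "users" (id, username), procedure "get_user_by_id". --->

<!--- VULNERABLE: the request value is spliced into the SQL text, so
      ?id=1 OR 1=1 is executed as SQL and returns every row. --->
<cfquery name="getUserBad" datasource="app_dsn">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a typed bind variable; the
      driver prepares the statement and MySQL never parses the value as SQL.
      cfsqltype="cf_sql_integer" also makes CF reject non-numeric input
      before anything reaches the database. --->
<cfquery name="getUser" datasource="app_dsn">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings: bind them too, and cap the length to match the column.
      The wildcard is appended to the bound value, not to the SQL text. --->
<cfquery name="findUsers" datasource="app_dsn">
    SELECT id, username
    FROM users
    WHERE username LIKE <cfqueryparam value="#form.q#%" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>

<!--- Lists: list="true" expands a comma-separated value into one bound
      parameter per element, so IN (...) stays parameterised. --->
<cfquery name="getSome" datasource="app_dsn">
    SELECT id, username
    FROM users
    WHERE id IN (<cfqueryparam value="#form.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- Stored procedure call: the same binding rule applies, via cfprocparam.
      This protects the call itself only; if the procedure body builds SQL
      from its argument with CONCAT and PREPARE, the injection just moves
      inside the procedure. --->
<cfstoredproc procedure="get_user_by_id" datasource="app_dsn">
    <cfprocparam type="in" cfsqltype="cf_sql_integer" value="#url.id#">
    <cfprocresult name="getUserProc">
</cfstoredproc>

<cfoutput query="getUser">#id# #username#</cfoutput>
```

Feeding getUserBad a value like 1 OR 1=1 dumps the table, while the same value against getUser throws a cfqueryparam type error before the query is sent. The CF Admin "Allowed SQL" restriction on the DSN is a separate layer: it limits which statement types the datasource may run at all, and is worth turning down alongside parameterising the queries rather than instead of it.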