Go Back   Computer Forums > General Computing > Cyber Safety and Computer Security
Click Here to Login
Join Computer forums Today


Reply
 
Thread Tools Search this Thread Display Modes
 
Old 06-04-2003, 08:02 PM   #1
Solid State Member
 
Overlord's Avatar
 
Join Date: May 2003
Posts: 15
Default Court

I know you know your ****... so I would like your help...

Could you help me prevent what you did at LTI?
I have like... 6 YaBBSE boards running on my server, and am kinda a noob (don't quote me on that) at PHP and SQL. Im more of a Perl guy.

Thanks,
Overlord
http://overlord-2007.com
webmaster@overlord-2007.com
__________________

Overlord is offline   Reply With Quote
Old 06-04-2003, 08:23 PM   #2
In Runtime
 
eyelfixit's Avatar
 
Join Date: Mar 2003
Posts: 120
Default

Password protect the folder that the forum and/or portal resides in on your server.
__________________

__________________
BC Save website: http://www.bcsave.com

BC Save Forum: http://www.bcsave.com/forum

Co-author of:
http://powerbook.bcsave.com
eyelfixit is offline   Reply With Quote
Old 06-05-2003, 09:03 AM   #3
 
Join Date: May 2003
Posts: 56
Default

Quote:
Originally posted by Overlord
I know you know your ****... so I would like your help...

Could you help me prevent what you did at LTI?
I have like... 6 YaBBSE boards running on my server, and am kinda a noob (don't quote me on that) at PHP and SQL. Im more of a Perl guy.

Thanks,
Overlord
http://overlord-2007.com
webmaster@overlord-2007.com
Some "things" can be repaired / fixed while others can-not without taking control of the source / Server ... YaBB People were informed of this Overlord as were the PHP-Nuke people ... I have no idea of what the Yabb people are doing.. if anything.. with respect to certain things ... The PHP-Nuke people have exhausted all efforts with improvements / patches ... It's rather difficult to make full 100% improvements when the source writer insists nothing is wrong like Patrick Clinger of "Proboards" ...

These are not the only organizations / code / servers with "flaws" but one has to procede with caution ... What you are asking of me now Overlord were my intentions on my initial visit to the other PHP LTI forum.. prior to certain negitive events taking place ...

Other problems we now have are as follows :

1) We have advised certain people of such flaws and they either ignored and or refused to do anything about them ... << Continuation >> Others have also mentioned with complaints of such problems but recieved the same response ...

2) Once negitive actions are taken against anything connected to perticular codes.. the source writer (at times) may develope an intrest ... <<>> This is the area where caution must be exercised ... For anyone to obtain so-called secure data.. security has to be breached ... Yes.. the writer will patch the vulnerabilities but breaching security to discover these vulnerabilities is another story in itself ...
Some writers are grateful while others will seek legal action for certain actions taken as discovering such vulnerabilities ...

3) I did on numerous occasions state nobody ment any harm what so ever ... The staff members of the LTI forum decided to multi post complaints on numerous message boards concerning what has taken place ... <<>> This here along with the embarrassment of the forum Admin's and code writers.. is where adding additional secure code is risky ... <<>> How would you like someone advising you of certain flaws.. you ignore them, they decide to re-config your server to suit their needs.. how would you deal with that ? ( Take into consideration your personallity is not the personallity of others online ) ...


Quote:
Originally posted by eyelfixit
Password protect the folder that the forum and/or portal resides in on your server.
^^Eyelfixit Response : ^^

Password protect the folder ?.. lol ... What good will that do when direct access to the database can be obtained ? ... That is like installing security bars on your windows and doors to your home as the intruder has the key ... I have to smile at the self induced sense of security ...

Sincerely
CourtneyDS

Ps : Overlord.. read your PM

Court
CourtneyDS is offline   Reply With Quote
Old 06-05-2003, 02:55 PM   #4
Solid State Member
 
Overlord's Avatar
 
Join Date: May 2003
Posts: 15
Default

ok, sorry Eye. Usuly Im on your side... but that was kinda a stupid responce. Passwrod protection only workes if the request is through Apache (HTTP).

Thank you Court
Overlord is offline   Reply With Quote
Old 06-05-2003, 04:54 PM   #5
In Runtime
 
eyelfixit's Avatar
 
Join Date: Mar 2003
Posts: 120
Default

No need to be sorry, I mis read the question. I can admit when I'm wrong.

Here is some information to prevent direct access to the database:

How to Make MySQL Secure Against Crackers:

When you connect to a MySQL server, you normally should use a password. The password is not transmitted in clear text over the connection, however the encryption algorithm is not very strong, and with some effort a clever attacker can crack the password if he is able to sniff the traffic between the client and the server. If the connection between the client and the server goes through an untrusted network, you should use an SSH tunnel to encrypt the communication.

All other information is transferred as text that can be read by anyone who is able to watch the connection. If you are concerned about this, you can use the compressed protocol (in MySQL Version 3.22 and above) to make things much harder. To make things even more secure you should use ssh. You can find an Open Source ssh client at http://www.openssh.org/, and a commercial ssh client at http://www.ssh.com/. With this, you can get an encrypted TCP/IP connection between a MySQL server and a MySQL client.

If you are using MySQL 4.0, you can also use internal OpenSSL support. See section 4.3.9 Using Secure Connections.

To make a MySQL system secure, you should strongly consider the following suggestions:

Use passwords for all MySQL users. Remember that anyone can log in as any other person as simply as mysql -u other_user db_name if other_user has no password. It is common behaviour with client/server applications that the client may specify any user name. You can change the password of all users by editing the mysql_install_db script before you run it, or only the password for the MySQL root user like this:
shell> mysql -u root mysql
mysql> UPDATE user SET Password=PASSWORD('new_password')
-> WHERE user='root';
mysql> FLUSH PRIVILEGES;
Don't run the MySQL daemon as the Unix root user. This is very dangerous, because any user with the FILE privilege will be able to create files as root (for example, ~root/.bashrc). To prevent this, mysqld will refuse to run as root unless it is specified directly using a --user=root option. mysqld can be run as an ordinary unprivileged user instead. You can also create a new Unix user mysql to make everything even more secure. If you run mysqld as another Unix user, you don't need to change the root user name in the user table, because MySQL user names have nothing to do with Unix user names. To start mysqld as another Unix user, add a user line that specifies the user name to the [mysqld] group of the `/etc/my.cnf' option file or the `my.cnf' option file in the server's data directory. For example:
[mysqld]
user=mysql
This will cause the server to start as the designated user whether you start it manually or by using safe_mysqld or mysql.server. For more details, see section A.3.2 How to Run MySQL As a Normal User.
Don't support symlinks to tables (this can be disabled with the --skip-symlink option). This is especially important if you run mysqld as root as anyone that has write access to the mysqld data directories could then delete any file in the system! See section 5.6.1.2 Using Symbolic Links for Tables.
Check that the Unix user that mysqld runs as is the only user with read/write privileges in the database directories.
Don't give the PROCESS privilege to all users. The output of mysqladmin processlist shows the text of the currently executing queries, so any user who is allowed to execute that command might be able to see if another user issues an UPDATE user SET password=PASSWORD('not_secure') query. mysqld reserves an extra connection for users who have the PROCESS privilege, so that a MySQL root user can log in and check things even if all normal connections are in use.
Don't give the FILE privilege to all users. Any user that has this privilege can write a file anywhere in the filesystem with the privileges of the mysqld daemon! To make this a bit safer, all files generated with SELECT ... INTO OUTFILE are writeable by everyone, and you cannot overwrite existing files. The FILE privilege may also be used to read any world readable file that is accessible to the Unix user that the server runs as. One can also read any file to the current database (which the user need some privilege for). This could be abused, for example, by using LOAD DATA to load `/etc/passwd' into a table, which can then be read with SELECT.
If you don't trust your DNS, you should use IP numbers instead of hostnames in the grant tables. In any case, you should be very careful about creating grant table entries using hostname values that contain wildcards!
If you want to restrict the number of connections for a single user, you can do this by setting the max_user_connections variable in mysqld.
__________________
BC Save website: http://www.bcsave.com

BC Save Forum: http://www.bcsave.com/forum

Co-author of:
http://powerbook.bcsave.com
eyelfixit is offline   Reply With Quote
Old 06-05-2003, 04:55 PM   #6
In Runtime
 
eyelfixit's Avatar
 
Join Date: Mar 2003
Posts: 120
Default

Access Control:

Access to information contained in the tables must be properly regulated. This can be done with control over direct access to the tables, and also through views. Views and privileges assigned to the views can be created to limit users to only see specified portions of data contained within a table [2]. Through the use of the selects, projections and joins, existing relations between tables in a relational database, as well as a single table, can be created. Control over the read, insert, update and delete commands must also be assigned appropriately within those views.

Specific MySQL Security Considerations:

many variables that are mentioned in the following discussion are set in the “my.cnf” file. The location of this depends on how the MySQL database is installed. Essentially, you can create the file on your own, or use one of the handy sample files that come with the distribution (see the “support-files” directory). Then, if you would like the parameters to apply all MySQL users, you can place the “my.cnf” file in /etc. If you want the parameters to apply to specific users, then you can set the file in their respective home directory as “.my.cnf”. Make sure that the appropriate permissions are applied to the file wherever it resides, ensuring that the unauthorizedusers cannot write to it.

SSL an MySql:

I have considered many things here to design into the database itself, but one item that needs to be considered is how the traffic is transmitted between the client and the server. If the data is sensitive and/or going over the Internet, then SSL should be employed. Version 4.0 of MySQL will satisfy this requirement. To have your version of MySQL use SSL, configure it with the following flags: --with-vio --with-openssl.

Add-Ons:

As is the case with a lot of popular freeware tools, MySQL has spawned many other tools that can help improve the management of MySQL databases; thus, making the improving the security of the databases as well. If you are looking for a tool to help scan your network for blank MySQL passwords, try this MySQL Network Scanner script. It was originally compiled for Linux and to scan a class C network, but could be modified if needed.

Other stuff:

it is important to keep in mind that other layers of security apply when hosting a database, such as network and operating system security.

Several steps can be taken to secure the default mysql installation.

Comments:

mysql is a free DBMS for many platforms. When you install it there are various unnecessary features enabled that should be disabled to enhance security.

Root Password
When you first install mysql, be it from a source tarball or from a RPM, you must set the 'root' password. This is the password that can be used to control all of the tables, mysql startup/shutdown, etc. To do this type the command;

mysqladmin -u root password 'new-password'

Default Users and Tables
mysql also ships with two default users and default 'test' tables. The default users are for connecting to the DBMS without specifying a password, so removing these users is obviously a very good security measure. There are also entries so that tables called or starting with 'test' can be world-writable. These should also be disabled for obvious reasons. To do so, you must first go into the DBMS:

mysql -uroot -p mysql
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 1 to server version: 3.22.32

Type 'help' for help.

Now we execute the two commands to delete the desired entries:

mysql> DELETE FROM user WHERE User = '';
mysql> DELETE FROM db WHERE Host = '%';
__________________
BC Save website: http://www.bcsave.com

BC Save Forum: http://www.bcsave.com/forum

Co-author of:
http://powerbook.bcsave.com
eyelfixit is offline   Reply With Quote
Old 06-06-2003, 04:14 PM   #7
 
Join Date: May 2003
Posts: 56
Default

As I stated in some-other thread somewhere else Overlord.. I will
periodically review "changes" ( If any ) ... Personally speaking.. it looks pretty good ... Take into consideration that not to many people know the "work arounds".. so there isn't really to much to worry about ...

You doing a great job and any other way I can assist.. feel free to ask ...

Sincerely
CourtneyDS
__________________
$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error: $@\n";
$ipaddr = inet_aton($host);
$portaddr = sockaddr_in($port, $ipaddr);
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";
print "Now, '$host' must be dead : )\n";
CourtneyDS is offline   Reply With Quote
Old 06-06-2003, 04:19 PM   #8
Solid State Member
 
Overlord's Avatar
 
Join Date: May 2003
Posts: 15
Default

Thanks

And now that you mention it... I might nead you to look at a perl script.

http://overlord-2007.com/cgi-bin/register.cgi
Pat and I coded it.

If you need FTP or shell (not that you probably can't get it your self) access, let me know.


[edit] I can't spell [/edit]
Overlord is offline   Reply With Quote
Old 06-06-2003, 04:27 PM   #9
Site Team
 
David Lindon's Avatar
 
Join Date: Dec 2002
Posts: 15,233
Default

Quote:
Software error:
/*(<|>)*/: ?+*{} follows nothing in regexp at register.cgi line 38.

For help, please send mail to the webmaster (support@overlord-2007.com), giving this error message and the time and date of the error.
__________________
[url=http://www.LNXPS.NET]LNXPS.NET - The XPS Library]
David Lindon is offline   Reply With Quote
Old 06-06-2003, 04:34 PM   #10
Solid State Member
 
Overlord's Avatar
 
Join Date: May 2003
Posts: 15
Default

http://overlord-2007.com/register.htm

You have to fill that out first.
__________________

Overlord is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off



All times are GMT -5. The time now is 05:37 AM.


Powered by vBulletin® Version 3.8.8 Beta 4
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Search Engine Friendly URLs by vBSEO 3.6.0