Archive for October, 2007

Chapter 12. Security 313: Using socket-based connections

Friday, October 12th, 2007

Using socket-based connections

By default, MySQL listens for connections both through sockets for local connections and via TCP/IP for remote connections. If you will not be connecting to MySQL from any hosts other than the MySQL server itself, you should disable the TCP/IP option in MySQL. Disabling networking prevents you from using the -h or --host option, whether from the local machine or from other hosts on the network. Attempting to connect via TCP/IP to a MySQL server that is not available (or not listening for connections) will result in an error, as shown in Figure 12-5.

Figure 12-5: Attempting to connect to a MySQL server that is not listening for connections, using TCP/IP

You can disable TCP/IP-based connections by adding the --skip-networking option to the command line when starting the server. Another way to disable TCP/IP access is to add the skip-networking option to the [mysqld] section of the MySQL configuration file.

In the future, MySQL AB may alter the connection sequence, thus altering the fingerprint for MySQL. For older servers the fingerprint will remain the same.

Changing the MySQL default port

While certainly not a substitute for a firewall or for disabling TCP/IP networking, another method for slowing an attack is to change the port that MySQL listens on for connections. By default, MySQL listens on TCP port 3306 for connections. If you change the default port, a curious person who scans for port 3306 won't discover

312 Part III. Administration: Cross-Reference Full

Thursday, October 11th, 2007

Cross-Reference: Full details of installation of the MySQL server, including details on configuring the server to run as a non-privileged user, are located in Chapter 3.

Firewalling the MySQL server

The most effective security to protect the MySQL server from outside attack is to prevent people from the outside from gaining access to the server. Installing a firewall to protect the server will help to prevent access from non-trusted hosts. Using a passive firewalling solution to simply prevent attacks is a good solution. The use of a firewall stops outside or non-trusted locations from even knowing that a MySQL server is available at your location. An attacker can't gain access to your data if they can't find it. Another option is to use an active firewall that listens on common (and even uncommon) ports for a non-trusted user sending a port scan or probe to your machines. The active firewall then completely blocks access from that IP address to all ports.

If you must allow access to the MySQL server from outside the firewall, you need only allow access to the port on which MySQL listens for TCP connections. By default, this is port 3306. Further, you should only allow access to the MySQL port from specific trusted IP addresses. You could also create an SSH tunnel through a trusted host without having to open up any ports for MySQL on the firewall.

Even with a firewall in place, you must make sure that trusted hosts don't serve as a launching point for attackers. Monitor these machines to make sure they are up to date and have the latest security patches. Using the active firewalling solution, you can monitor these servers to make sure they aren't originating port scans or other common probes against the servers in your network or within your trusted domain.

Communicating securely with the MySQL server

As of version 4 of MySQL, communication over TCP via the Secure Sockets Layer (SSL) is possible. Prior to this, all communication between server and client passed unencrypted. The ambitious attacker could therefore watch traffic as it passed and gather information on data as well as user and password information. With SSL support enabled, the traffic between the MySQL server and the client is encrypted. Even if an attacker gains enough access to eavesdrop on an electronic conversation, he or she can't make sense of the resulting data. The SSL option is not enabled on a connection by default. However, you can enable it and even require it through the use of the additional user privilege system when SSL is compiled into MySQL.
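The "only the MySQL port, only from trusted addresses" rule above, as an added shell example that is not the book's code: it prints (without applying) iptables rules for the INPUT chain, after rejecting malformed addresses, with the trusted-host ACCEPT lines ahead of the catch-all DROP. The port and the two client addresses are constructed for the example.

```shell
#!/bin/sh
# is_ipv4 ADDR: true only for a dotted quad whose four octets are each 0-255,
# so a typo such as 10.0.0.300 or 10.0.0 is rejected instead of producing a
# rule that never matches. Runs in a subshell so changing IFS stays local.
is_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in '' | *[!0-9]*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
)

# mysql_fw_rules PORT TRUSTED_IP...: print the iptables INPUT rules that admit
# the MySQL port only from the listed hosts. The per-host ACCEPT rules come
# first and the DROP for the port comes last, because iptables stops at the
# first matching rule. Nothing is applied: the commands are only printed, for
# review before a privileged user runs them. Returns 1 on any bad argument.
mysql_fw_rules() {
    port=$1; shift
    case $port in '' | *[!0-9]*) echo "mysql_fw_rules: bad port '$port'" >&2; return 1 ;; esac
    [ $# -gt 0 ] || { echo "mysql_fw_rules: no trusted hosts given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "mysql_fw_rules: bad address '$ip'" >&2; return 1; }
    done
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# MySQL on its default port 3306, reachable from two application servers whose
# addresses are constructed for this example.
mysql_fw_rules 3306 192.168.1.20 192.168.1.21
```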

Chapter 12. Security 311: Cross-Reference, In Chapter 13

Thursday, October 11th, 2007

Cross-Reference: In Chapter 13, backup and recovery of MySQL databases is covered in detail.

Since the upgrade process is quite customized (depending on your installation), exhaustive coverage is neither possible nor desirable here. Often the solution is as simple as recompiling or overwriting an existing MySQL installation.

Run the server as a non-privileged user

In Linux/Unix, you can set the user account that runs the MySQL server process, mysqld. (This is as opposed to running the server process as the root superuser on the system.) Figure 12-4 shows a process listing from Linux, with the server running as a non-privileged regular user called mysql.

Figure 12-4: Running the MySQL server as a non-privileged user can prevent unauthorized access in the event of an exploit performed on the server.

By running the server as a normal user in Linux/Unix, the server only has the same privileges as that user. In other words, if the server is exploited the attacker cannot gain further access or perform other privileged processes on the server. To enable MySQL to run as another user on the system, follow these steps:

1. Add the user, and if desired a group, to the server. This is normally accomplished via the useradd and groupadd commands.
2. Make sure the user has access to the data and server files for MySQL. This step is accomplished with a combination of chown and chmod in Linux.
3. Add the --user=username option to the mysqld command line, or add the line user = username to the my.cnf file under the [mysqld] section.
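The three [mysqld] settings the chapter recommends in the socket-connection, default-port and non-privileged-user sections (skip-networking, a non-default port, and user = username) can be checked in a my.cnf before the server is restarted. The shell below is an added example, not the book's code; the two configuration files it audits are constructed here, one weak and one following all three recommendations.

```shell
#!/bin/sh
# Two constructed my.cnf files (not from the book). The first still listens on
# TCP on the default port and names no user; the second applies all three of the
# chapter's recommendations.
WEAK_CNF=$(mktemp); HARDENED_CNF=$(mktemp)
cat > "$WEAK_CNF" <<'EOF'
[client]
port = 3306
[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
# skip-networking      <- commented out, so TCP/IP stays enabled
EOF
cat > "$HARDENED_CNF" <<'EOF'
[mysqld]
skip-networking
port = 3307          # only matters if networking is re-enabled
user = mysql
EOF

# mysqld_option KEY FILE: print KEY's value from the [mysqld] section only
# ("set" for bare options such as skip-networking); return 1 if it is absent.
# Comment lines and trailing # comments are ignored, and skip_networking is
# normalised to skip-networking, since the server accepts either spelling.
mysqld_option() {
    awk -v key="$1" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        in_mysqld {
            sub(/[[:space:]]*#.*$/, "")
            n = split($0, kv, "=")
            k = kv[1]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/_/, "-", k)
            if (k == key) {
                if (n > 1) { v = kv[2]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v }
                else print "set"
                found = 1; exit
            }
        }
        END { if (found) exit 0; exit 1 }' "$2"
}

# audit_mysqld_config FILE: print one finding per line and return the number of
# findings, so 0 means TCP/IP is off and mysqld is told which user to run as.
audit_mysqld_config() {
    f=0
    if ! mysqld_option skip-networking "$1" >/dev/null; then
        echo "TCP/IP enabled: add skip-networking to [mysqld] if only local clients connect"
        f=$((f + 1))
        port=$(mysqld_option port "$1" || echo 3306)     # 3306 is the built-in default
        if [ "$port" = 3306 ]; then
            echo "listening on the default port 3306: change it if networking must stay on"
            f=$((f + 1))
        fi
    fi
    if ! mysqld_option user "$1" >/dev/null; then
        echo "no user= line: mysqld keeps the privileges of the account that starts it"
        f=$((f + 1))
    fi
    return $f
}

audit_mysqld_config "$WEAK_CNF" || echo "findings: $?"
audit_mysqld_config "$HARDENED_CNF" && echo "hardened config: no findings"
```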

310 Part III. Administration: After using a

Wednesday, October 10th, 2007

After using a program such as netstat or nmap, you should have a clearer picture of what services are running on your server. The more services you have running, the more vulnerable the server is to attack. Thus turning off all unnecessary services can save you time and headaches.

MySQL Software Security

Up to this point, I've been looking at what you can do with the security of the host that runs the MySQL server. The security of the MySQL host server is an essential first step in enhancing the overall security of the database server (and thus the data). Without first securing the host server, no amount of MySQL security will keep your data safe. In this section I'm going to examine what can be done with the MySQL server itself. This includes keeping the server up to date, securing communication channels, and monitoring the server status.

MySQL updates

Though only one piece of the security puzzle, the MySQL software itself is (like any other software) susceptible to problems and security exploits. Though these have been very few and far between for MySQL, the problems can happen nonetheless. Developing a systematic approach for keeping up to date with MySQL software will assist in keeping the database safe from attack. The best method for monitoring when a new version of MySQL is released is by subscribing to the MySQL Announce mailing list. Offered for free by MySQL AB, this mailing list will give you updates when new versions of MySQL are released. Don't worry about it overcrowding your inbox; the MySQL Announce list is low-volume. Another mailing list available for MySQL is the main MySQL mailing list. This list is much higher volume, as it contains questions from general users of MySQL and discussion of many MySQL-related topics. If you would like to learn more about the inner workings of MySQL, this mailing list can help.

On the CD-ROM: I've included a link to the mailing list section of the MySQL Web site in the Links document on the CD-ROM with this book.

When an update is released, you must make backups of your data prior to proceeding with the upgrade. This is necessary because of the inherent unknown in upgrades of any nature. I've usually found that if I take the time to make backups nothing will go wrong, but if I forgo that step, inevitably something will fail.

Chapter 12. Security 309: Figure 12-2: The

Tuesday, October 9th, 2007

Figure 12-2: The nmap program can assist in determining open ports on one of your servers.

Caution: Never perform port scans against any IP or server that you are not responsible for. Doing so can get you terminated by your ISP or worse!

Most versions of Linux and many other operating systems include a program called netstat that can help you determine which ports your server is using to listen for online traffic. Although netstat is a powerful program that does much more than just showing which ports are listening, that listening function is a source of potential security headaches. In Figure 12-3, for example, I run the command netstat -an to produce basic output of the ports that this server is listening on. This server is listening for connections to TCP port 22 for ssh connections, UDP ports 67 and 68 to talk to a DHCP server, and TCP port 3306 for MySQL.

Figure 12-3: The netstat -an command shows the ports of this server that are available for connection.

308 Part III. Administration: Apply patches and

Monday, October 8th, 2007

Apply patches and fixes

Just keeping up with the exploits and holes that come to light in servers and software isn't enough. You must apply the patches and fixes as soon as they are released. This brings me to the simple second rule:

Note: Apply patches and fixes as soon as they are released. If no patch is available, try to find a workaround that effectively thwarts attacks.

For example, I've maintained a system that ran a public FTP server serving thousands of real users. Along with the real users, the FTP server also allowed anonymous access for non-paying people from all over the Internet to download files. A certain exploit against that particular FTP server could only be done by anonymous access. No patch was immediately available from the vendor, so I chose to disable anonymous access until a patch could be released. Although this is not an optimal solution, sometimes you have to disable access for a relatively short time in order to avoid a much worse alternative: a non-trusted user getting administrative rights. As soon as a patch was available for the FTP server, I applied it and re-enabled anonymous access.

Disable unused programs and services

Every now and again, just for fun, I assist a friend with the security of his computer systems by performing a port scan of his servers. I never cease to be amazed at how many ports he leaves open for the world to take advantage of. He runs a basic Web server that also serves as an e-mail server. Such a server should have no more than three ports open: TCP port 80 for the Web server, TCP port 25 for the SMTP server and TCP port 110 for the POP3 server. Unfortunately, it doesn't stop there. He was surprised to learn that he also had an NNTP server and even an IRC server running! The lesson is summed up in another basic security principle:

Note: Disable unused services and verify that only the services you specify are running.

Much of the problem with extraneous services being enabled stems from the default installations of many operating systems and software. My friend's problem arose because he chose default options while installing Microsoft's Internet Information Server. However, the problem isn't limited to Microsoft operating systems and software. Choosing what appear to be the default options with Red Hat Linux can also yield many invisibly enabled services that are also security problems. With a program such as nmap you can effectively scan both TCP and UDP ports of an Internet server to find unexpected ports that may be running. The nmap program is available for Linux and Windows but can scan against any IP-based host. In Figure 12-2 I run a basic nmap scan against one of my local machines.
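The "verify that only the services you specify are running" rule, applied to the netstat -an output discussed with Figure 12-3, as an added shell example that is not the book's code. The netstat output is constructed: the chapter's server (ssh, DHCP client, MySQL) plus the kind of surprise NNTP listener the friend's scan turned up.

```shell
#!/bin/sh
# Constructed `netstat -an` output (not the book's figure): ssh on tcp/22, a
# DHCP client on udp/67-68, MySQL on tcp/3306, and an NNTP listener on tcp/119
# that nobody intended to run.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:119             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     12345  /var/lib/mysql/mysql.sock'

# listening_ports: read netstat -an output on stdin and print one "proto/port"
# per listening socket. TCP rows count only in LISTEN state; every bound UDP
# socket counts, because UDP has no LISTEN state. tcp6/udp6 rows are folded
# into tcp/udp so a service bound on both stacks appears once. Established
# connections and UNIX-domain sockets are ignored.
listening_ports() {
    awk '
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
            n = split($4, a, ":")                 # the port follows the last colon
            proto = substr($1, 1, 3)              # tcp6 -> tcp, udp6 -> udp
            print proto "/" a[n]
        }' | sort -u
}

# unexpected_listeners ALLOWED...: compare the listeners on stdin against an
# allow-list such as "tcp/22 udp/67 udp/68 tcp/3306"; print each listener not
# on it and return 1 if there were any, 0 if only the specified services run.
unexpected_listeners() {
    allow=" $* "
    found=0
    for l in $(listening_ports); do
        case $allow in
            *" $l "*) ;;
            *) echo "unexpected listener: $l"; found=1 ;;
        esac
    done
    return $found
}

# On a live host this would be: netstat -an | unexpected_listeners tcp/22 ...
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners tcp/22 udp/67 udp/68 tcp/3306 \
    || echo "review the listeners above and disable what the server does not need"
```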

Chapter 12. Security 307: products may want

Sunday, October 7th, 2007

products may want to suppress all knowledge of exploits or try to keep them secret, but by far the more ethical response to a security vulnerability is to produce, document, and distribute an effective patch. The availability of such patches (and a good track record for producing them in a timely manner) is one telling criterion that helps define an above-average vendor.

Security Focus

Even though information on security is scattered across the Internet at diffuse locations, one Web site stands out as a consistent repository for reliable information: Security Focus, http://www.securityfocus.com/. Using this site an administrator can keep up with exploits and security patches as soon as they are available. The Security Focus Web site is also home to numerous mailing lists, security-related and otherwise. Figure 12-1 shows some of the mailing lists available for subscription on the Security Focus Web site. One of the most notable and famous is the Bugtraq mailing list, widely regarded as the most adept at keeping up with security issues across a wide variety of platforms. For people worried about being inundated with yet more e-mail, many high-volume lists at Security Focus offer digest-mode subscriptions as well.

Figure 12-1: Some mailing lists, security-related and otherwise, available from the Security Focus Web site

306 Part III. Administration: Attacks (again,

Saturday, October 6th, 2007

- Attacks (again, whether initiated from outside or inside) are often more aggressive and seek to disrupt, damage, or even bring down the target system.
- Unauthorized use is not limited to purposeful attacks or exploits on a server or network; it can also be unintended, as in these examples: A user with too many privileges may not realize they are inappropriate, use them inefficiently or incorrectly, and waste system resources such as storage space and bandwidth. A harried developer who means no harm can unleash faulty code that disrupts a server no less than does a hacker attack. Sometimes an administrator's test of system security goes awry and interferes too much with its operation.

Knowing that your system is vulnerable to disruption, whether malicious or unintentional, should shape your security policy. The least-privilege concept provides a good starting point, as in these examples:

- Providing a well-thought-out set of limited privileges to a developer helps ensure that new applications for the server are realistically tested, but also limits the possible consequences of running faulty code.
- Limiting users to minimal necessary privileges can thwart some attacks before they even begin.

Although the usual assumption is that attacks always start outside and/or are always intentional, it's far from true. When I refer to attacks, attackers, or unauthorized uses, I have in mind a wider definition that includes both intentional and unintentional disruptions.

Locating security information

Many administrators and would-be administrators complain that they have trouble keeping up with updates. No central repository of information for updates and reports of exploits now exists (although that may be all to the good: why give hackers any more ideas than they already have?); in the world of network security, you're largely on your own. To give you a useful starting point as you grapple with issues of network security, I've included some online sites that can help, and interspersed this chapter with some essential security concepts to keep in mind, the first of which is as follows:

Note: Maintain a proactive approach to keeping up with exploits and problems with software you are running.

Security does require a proactive approach; keeping servers and software secure is difficult enough. Companies that want to maintain a viable reputation for their

Chapter 12: Security. An oft-overlooked area of

Friday, October 5th, 2007

Chapter 12: Security

In This Chapter
- Implementing security for the MySQL host server
- Setting up MySQL software security
- Configuring MySQL authentication and privileges
- Managing user accounts in MySQL
- Coping with common security problems

An oft-overlooked area of MySQL and computers in general is security. How many patches and security fixes have to come out for a Web server before an administrator updates it? How often does a server have to be broken into before an administrator turns off unnecessary services and changes unsecured default settings? These questions are not rhetorical; sooner or later, every administrator must face them. This chapter introduces some simple security rules and suggestions to improve the security of your MySQL server and the integrity of the data you keep there.

Security of the MySQL Host Server

The least-privilege system is a high-security approach to the assigning of access privileges to users. It requires that no unnecessary services be enabled on the server, that the server software gets regular updates as soon as they are available, and that users are not given more privileges than their work requires. If everyone subscribed to the least-privilege system, I believe there would be much less business for security consultants. Although I admit that it takes time to apply patches and keep up with security updates, the same arguments still apply: How much time does it take to repair a server damaged by unauthorized use? How valuable is your data if you can't afford to spend the time securing your systems?

A good starting point in any discussion of system security is to define unauthorized use and attack in consistent, practical terms. Although the words themselves may seem obvious, attacks and unauthorized uses actually incorporate several distinct concepts:

- Exploits, whether initiated from outside or inside, take advantage of a security hole for the attacker's own gain.

304 Part III. Administration: Other defaults may

Thursday, October 4th, 2007

Other defaults may be read from the default MySQL configuration file. However, this file may refer to the wrong MySQL server. Using the --defaults-file= option, you can specify the file that is read for defaults. If you don't specify a hostname, MySQL will assume that you are connecting to the server on localhost and will use the socket to connect to the server. In such an event you need to specify the location of the socket file. Do so with the -S or --socket= switch; the command looks like this:

mysql --socket=/directory/socketfile.sock

Summary

MySQL can be and should be tuned to the physical server hardware that it is running on, and configured for the main application or applications that it will be serving. When set correctly, the MySQL server variables can improve the performance of the server and thus the applications using the database.

- You can look at all the variables and settings for the server through the SHOW VARIABLES statement from within the MySQL CLI (or with the mysqladmin variables command).
- Though many settings are available for a MySQL server, most of them need not be individually configured.
- MySQL comes with benchmarking and testing utilities for diagnosing server performance.
- MySQL AB has included sample configuration files for different sizes and applications.
- Among these configuration files, you can choose from small, medium, large, and huge implementations.
- Once an example configuration file has been chosen, it should be customized for the application and installation that the MySQL server will be used for.
- Customizing the server variables is a process that takes time. The administrator can change settings and then use one or all of the benchmarking utilities to test the performance of the MySQL server.
- Because data and applications change, the server should be monitored for performance issues. If you notice performance degradation, further testing should reveal where bottlenecks are.