The document discusses security best practices for deploying MariaDB in production environments. It notes that the majority of HTTP attacks target PHPMyAdmin and vulnerable WordPress plugins. It recommends securing MariaDB by using firewalls, authentication, data encryption, and auditing. MaxScale can provide additional security features like database filtering, load balancing, and query transformation. The document also covers GDPR compliance requirements and how technologies like MariaDB and MaxScale help meet them.
2. “The majority of the HTTP attacks were made to PHPMyadmin, a popular MySQL and MariaDB remote management system. Many web content management systems, not to mention WordPress, rely on these databases. Vulnerable WordPress plugins were also frequently attacked. Mind you, this was on a system that even in honeypot mode hadn't emitted a single packet towards the outside world.”
ZDNet - Jan 23rd 2018
4. GDPR
• It is the harmonization of:
  – Processes
    • Process flows
    • Prevention and reaction procedures
  – Technological solutions
    • Encryption
    • Pseudonymisation
    • Anonymisation
    • Data accessibility
    • Auditing
  – Compliance
    • Keeping pace with the regulation
5. GDPR – The Requirements
European companies, and/or companies located outside the EU that handle the data of EU citizens, must guarantee:
• Data is protected
• Risk protection and prevention
• The harmonisation of processes and technology
6. GDPR – The Processes
• Companies need to have deep knowledge of their Data Supply Chain
• All the W questions (the 5 Ws… plus one) need to have an answer
• A top-down approach is usually recommended
7. GDPR – The Technology
GDPR says that:
• It is mandatory to “implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk including inter alia, as appropriate: the pseudonymisation and encryption of personal data ...”
The right technology will help businesses meet the requirements of GDPR both now and in the future.
Reference: GDPR Art 32
8. GDPR – The Technology
Must prevent:
• Unauthorised access to the database
• Unauthorised access to all the other database-related files (log files, configuration files, passwords…)
• Data integrity breach
• Untrusted access to the database from the clients
9. GDPR – The Technology
How to protect the database:
• Firewalling
• Authentication
• Data-in-motion encryption
• Tablespace encryption
• Data-at-rest encryption
• Backup encryption
• Auditing
10. GDPR – MariaDB Enterprise Security
• Detect and prevent attacks
  – Access management
  – Denial of service
  – SQL injections
• Protect data at rest with encryption
  – Tablespaces, individual tables, logs
• TLS/SSL encryption
  – Protects data in motion
• Auditing for security and compliance
• MaxScale database firewall features
• MaxScale selective data masking
14. MariaDB MaxScale Concept
MaxScale sits between the clients and the database servers (master and slaves, with a binlog cache). It insulates client applications from the complexities of the backend database cluster and simplifies replication from one database to other databases.
Plug-in layers: protocol support, authentication, parsing, database monitoring, load balancing & routing, query transformation & logging. Plug-ins are flexible and easy to write for the generic core.
Generic core: multi-threaded, e-poll based, stateless, shares the thread pool.
15. MaxScale Firewalling – The Details
• A filter installed into the request processing chain of MaxScale, between the client and the router that forwards queries to the database servers.
• Rules define what constitutes a match:
  – wildcard, columns, function, regex, no where clause
  – when to apply
  – what users are affected
  – what statements are affected
• The filter mode defines what to do with a match:
  – allow => whitelist
  – block => blacklist
• The limit_queries rule only makes sense with blacklisting
  – match if more than N queries are made within a time period
16. MaxScale Filtering Rules
Database Firewall Filter: allow/block queries that match a set of rules, match rules for specified users, and match on:
• date/time
• a WHERE clause
• query type
• column match
• a wildcard or regular expression or function name
Protect against SQL injection; prevent unauthorized data access; prevent data damage.
Example rules file:
    rule safe_select deny no_where_clause on_queries select
    rule safe_cust_select deny regex '.*from.*customers.*'
    users %app-user@% match all rules safe_cust_select safe_select
Flow: (1) the client sends SELECT * FROM CUSTOMERS; (2) the database firewall filter in MaxScale matches the rules (the query has no WHERE clause and reads the customers table); (3) the query is rejected before it reaches the database servers, and the client receives:
    QUERY FAILED: 1141
    ERROR: Required WHERE/HAVING clause is missing
17. MaxScale Filtering: SQL Injections
• What is a SQL Injection?
• A kind of web application attack, where user-supplied input comes from:
  – URL – www.app.com?id=1
  – Forms – email=a@app.com
  – Other elements – e.g., cookies, HTTP headers
  and is manipulated so that a vulnerable application executes SQL commands injected by the attacker.
18. Who Can Be Affected by a SQL Injection?
• Applications vulnerable to SQL injection:
  – Incorrect type handling
  – Incorrectly filtered escape characters
  – Blind SQL injection
  – Second order SQL injection
• An example:
    SELECT * from customer WHERE id = ?
  User supplied value for id = 5, injected value is the string ‘5 OR 1=1’:
    SELECT * from customer WHERE id = 5 OR 1=1
  This will result in the application getting access to the entire customer table instead of just the specific customer.
http://www.unixwiz.net/techtips/sql-injection.html
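The example above, worked through in MariaDB SQL as an added example (not part of the original slides): the same customer lookup is first assembled by string concatenation, which lets the injected text become part of the predicate, and then executed as a prepared statement with a bound parameter, which keeps it as data. The customer table, its rows and the variable names are constructed for this demonstration; a real application would bind parameters through its driver rather than with server-side PREPARE, which is used here only so the whole exchange can be seen from a SQL client.

```sql
-- Added example: the slide's query, built unsafely and then safely.
-- Table and rows are constructed for the demonstration.
CREATE TABLE customer (id INT PRIMARY KEY, name VARCHAR(40));
INSERT INTO customer VALUES (5, 'Alice'), (6, 'Bob'), (7, 'Carol');

-- The attacker-controlled value from the slide.
SET @untrusted_id = '5 OR 1=1';

-- Vulnerable: the value is pasted into the SQL text, so "OR 1=1" becomes part
-- of the WHERE clause and every customer row is returned.
SET @sql = CONCAT('SELECT * FROM customer WHERE id = ', @untrusted_id);
PREPARE vulnerable FROM @sql;
EXECUTE vulnerable;            -- returns all 3 rows (Alice, Bob, Carol)
DEALLOCATE PREPARE vulnerable;

-- Hardened: the value is bound to a placeholder. It never becomes SQL text;
-- it is compared with id as data, so "OR 1=1" cannot widen the predicate.
PREPARE safe FROM 'SELECT * FROM customer WHERE id = ?';
EXECUTE safe USING @untrusted_id;   -- returns only the row for id 5
DEALLOCATE PREPARE safe;
```

The bound form still relies on MariaDB converting the string ‘5 OR 1=1’ to the number 5 (with a truncation warning); the slide's “incorrect type handling” point is that the application should also validate the type, e.g. reject anything that is not an integer before binding it.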
20. MaxScale Security – DDoS Protection
DDoS Protection – MAXIMUM ROWS FILTER
• Return zero rows to the client if the number of rows in the result set exceeds the configured max limit
• Return zero rows to the client if the size of the result set exceeds the configured max size in KB
Example flow: the client's query passes through the MaxRowsLimit filter (Max Rows Limit = 500) to the database servers; the result has NumRows returned = 100032, which exceeds the MaxRows limit, so the client receives:
    QUERY FAILED: 1141
    ERROR: No rows returned
21. MaxScale Security – DDoS Protection
• Persistent connections to the backend.
  – When server connections are logically closed, keep them in a pool for reuse (a connection pool of configurable size; a variable number of connections to the backend).
• Client connection limitation.
  – Specify the maximum number of connections for a particular service (max client connections per service).
maxscale.cnf:
    [SomeServer]
    ...
    persistpoolmax=30

    [SomeService]
    ...
    max_connections=100
22. MaxScale Security – DDoS Protection
• Cap the amount that can be returned.
  – By rows or by size or both
  – Data will be returned to MaxScale, but MaxScale will not necessarily forward it to the client.
• Limit the rate of queries using the firewall.
MaxRows filter example: Max Rows Limit = 500, NumRows returned = 1000, so the clients receive “Query failed: 1141 / Error: No rows returned”.
maxscale.cnf:
    [LimitSize]
    type=filter
    module=maxrows
    max_resultset_rows=500
firewall.txt:
    rule prevent_overload deny limit_queries 15 5 10
If more than 15 queries are received in 5 seconds, block all queries for 10 seconds.
23. Security: Data Redaction
Data Redaction via Data Masking. Example: the client sends
    SELECT Name, creditcardNum, balance
    FROM customerTbl
    WHERE id=1001
to the database servers through MaxScale, and receives the masked result:
    Name         creditcardNum   balance
    ---------------------------------------
    John Smith   xxxxxxxxxx      1201.07
Masking based on column name
• DATABASE NAME, TABLE NAME CLASSIFIER MAY BE PROVIDED
  – commerceDb.customerTbl.creditcardNum
  – customerTbl.creditcardNum
  – creditcardNum
• COLUMN CAN BE
  – Fully or partially masked
  – Obfuscated
Addresses HIPAA, PCI and GDPR needs
26. Client-MaxScale-MariaDB Encryption
Secured Connection
• SSL between Clients and MaxScale
• SSL between MaxScale and MariaDB server
Secured user access
• LDAP/GSSAPI for secured single sign-on across OS platforms (Windows, Linux), applications and databases
27. Client-MariaDB and MariaDB-MariaDB Encryption
Secured Connection
• SSL between Clients and MariaDB
• SSL between MariaDB Master and Slaves
Secured user access
• LDAP/GSSAPI for secured single sign-on across OS platforms (Windows, Linux), applications and databases
34. Password Validation – MariaDB comes with two password validation plugins
• simple_password_check plugin
  – Can enforce a minimum password length
  – Can guarantee that a password contains at least a specified number of upper and lowercase letters, digits, and punctuation characters
• cracklib_password_check plugin
  – Based on a widely used library
  – Stops users from choosing easy-to-guess passwords. It includes checks that reject passwords based on the username or a dictionary word, etc.
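How the two plugins are enabled and tuned, as an added example that is not part of the original slides. The thresholds are illustrative choices and the dictionary path is a placeholder (it depends on the distribution); the account name and host range are constructed.

```sql
-- Added example: load both validation plugins and set their policy.
INSTALL SONAME 'simple_password_check';
INSTALL SONAME 'cracklib_password_check';

-- simple_password_check: length and character-class requirements.
SET GLOBAL simple_password_check_minimal_length   = 12;  -- illustrative value
SET GLOBAL simple_password_check_digits           = 1;
SET GLOBAL simple_password_check_letters_same_case = 1;  -- >= 1 upper AND >= 1 lower
SET GLOBAL simple_password_check_other_characters = 1;   -- punctuation

-- cracklib_password_check: dictionary words, the user name, simple
-- transformations. The dictionary path is a placeholder for your system.
SET GLOBAL cracklib_password_check_dictionary = '/usr/share/cracklib/pw_dict';

-- Keep validation mandatory: with this ON (the default), password hashes
-- cannot be supplied directly to bypass the plugins.
SET GLOBAL strict_password_validation = ON;

-- Rejected: shorter than 12 characters and a dictionary word.
CREATE USER 'app'@'10.0.1.%' IDENTIFIED BY 'password';

-- Accepted: 13 characters, mixed case, digits and punctuation.
CREATE USER 'app'@'10.0.1.%' IDENTIFIED BY 'Tk7#wqLp29!vZ';
```

SET GLOBAL changes last only until restart; put the same settings under [mysqld] in the server configuration file so the policy survives a restart.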
35. External Authentication
• PAM Authentication Plugin
  – Allows using /etc/shadow and any PAM-based authentication like LDAP
• Kerberos Authentication
  – A standardized network authentication protocol, provided via GSSAPI on UNIX and SSPI on Windows
Single Sign On is becoming mandatory in most enterprises.
36. MariaDB PAM Authentication
GSS-API on Linux: Red Hat Directory Server, OpenLDAP. SSPI on Windows: Active Directory.
Ticket flow between the client, the KDC and MariaDB:
1. Client → KDC: ticket request
2. KDC → Client: service ticket
3. Client → MariaDB: “Here is my service ticket, authenticate me”
4. Client/server session
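The account definitions that tie MariaDB users to PAM and to Kerberos, as an added example that is not part of the original slides. The PAM service name 'mariadb', the Kerberos realm EXAMPLE.COM, the user names and the schema are placeholders; the server is assumed to have a keytab configured (gssapi-keytab-path and gssapi-principal-name in its configuration file).

```sql
-- Added example: external authentication for MariaDB accounts.
INSTALL SONAME 'auth_pam';
INSTALL SONAME 'auth_gssapi';

-- PAM: the password is checked by the PAM service 'mariadb'
-- (/etc/pam.d/mariadb, which may chain pam_unix, pam_ldap, ...).
-- The service name is a placeholder.
CREATE USER 'bob'@'%' IDENTIFIED VIA pam USING 'mariadb';

-- Kerberos via GSSAPI (SSPI on Windows): the account is bound to a principal.
-- The client presents its service ticket (the flow on the slide) instead of
-- a password; the realm is a placeholder.
CREATE USER 'alice'@'%' IDENTIFIED VIA gssapi AS 'alice@EXAMPLE.COM';

-- Authentication only proves identity; authorisation is still granted here.
GRANT SELECT ON commerceDb.* TO 'alice'@'%';
GRANT SELECT ON commerceDb.* TO 'bob'@'%';

-- Check which authentication plugin each account uses.
SELECT User, Host, plugin, authentication_string FROM mysql.user
 WHERE User IN ('alice', 'bob');
```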
37. MariaDB Role Based Access Control
Example (MariaDB 10): a role DBA over the database tables with permissions:
• Update Schema
• View Statistics
• Create Database
40. MariaDB Audit Plugin – Auditing for Security and Compliance
• Logs server activity
  – Who connected to the server
  – Source of connection
  – Queries executed
  – Tables touched
• File-based or syslog-based logging
• Monyog audit log file filtering
Logged events: Connection (connect, disconnect, failed connect; with timestamp, host, user and session), Query (DML + TCL, DDL, DCL), Object (tables, database).
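Loading the audit plugin and selecting the event classes from the slide, as an added example that is not part of the original slides. The log path, rotation sizes and the excluded monitoring account are illustrative placeholders.

```sql
-- Added example: MariaDB Audit Plugin configuration from a SQL session.
INSTALL SONAME 'server_audit';

SET GLOBAL server_audit_logging = ON;

-- Event classes: CONNECT covers connect, disconnect and failed connect;
-- QUERY_DDL and QUERY_DCL record schema and privilege changes.
-- Add QUERY_DML (or QUERY for everything) when full statement logging is needed.
SET GLOBAL server_audit_events = 'CONNECT,QUERY_DDL,QUERY_DCL';

-- File-based logging; set 'syslog' instead to send events to the system log.
SET GLOBAL server_audit_output_type = 'file';
SET GLOBAL server_audit_file_path   = '/var/log/mysql/server_audit.log';  -- placeholder
SET GLOBAL server_audit_file_rotate_size = 1000000;   -- bytes
SET GLOBAL server_audit_file_rotations   = 9;

-- Leave out the noise from a monitoring account (placeholder name).
SET GLOBAL server_audit_excl_users = 'monitor';

-- Verify the effective settings and counters.
SHOW GLOBAL VARIABLES LIKE 'server_audit%';
SHOW GLOBAL STATUS LIKE 'server_audit%';
```

For a compliance deployment, also set server_audit=FORCE_PLUS_PERMANENT in the server configuration file so that the plugin cannot be unloaded at runtime, and protect the log file from the accounts it audits.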
42. MariaDB TX – Per User Limit
Connection legs shown: Client – MaxScale, MaxScale – MariaDB, Client – MariaDB, MariaDB – MariaDB.
43. New User Management Functions
• MAX_*_PER_HOUR
  – CREATE USER can limit the number of queries, updates or connections per hour.
• MAX_USER_CONNECTIONS
  – Limits the number of simultaneous connections.
• MAX_STATEMENT_TIME
  – Any query (excluding stored procedures) taking longer than the value of max_statement_time (specified in seconds) to execute will be aborted. This can be set globally, by session, as well as per user and per query.
• SHOW CREATE USER
  – A useful way to see the command required to create a user, for auditing or the creation of similar accounts.
44. New User Management Functions
• Examples:
    CREATE USER foo2@test IDENTIFIED BY 'password';

    CREATE USER 'foo4'@'test'
      REQUIRE ISSUER 'foo_issuer'
      SUBJECT 'foo_subject'
      CIPHER 'text';

    CREATE USER foo
      WITH MAX_QUERIES_PER_HOUR 10
      MAX_UPDATES_PER_HOUR 20
      MAX_CONNECTIONS_PER_HOUR 30
      MAX_USER_CONNECTIONS 40;
46. Threats – The Internet
Viruses, hacker attacks, software spoofing
Defense
• Do not allow TCP connections to MariaDB from the Internet at large.
• Configure MariaDB to listen on a network interface that is only accessible from the host where your application runs.
• Design your physical network to connect the app to MariaDB or MaxScale.
• Use bind-address to bind to a specific network interface.
• Use your OS’s firewall.
• Keep your OS patched.
47. Threats – Applications
Denial of Service attacks created by overloading the application; SQL query injection attacks
Defense
• Do not run your application on your MariaDB Server.
• Do not install unnecessary packages on your MariaDB Server.
• An overloaded application can use so much memory that MariaDB could slow or even be killed by the OS. This is an effective DDoS attack vector.
• A compromised application or service can have many serious side effects:
  – Discovery of MariaDB credentials
  – Direct access to data
  – Privilege escalation
48. Threats – Excessive Trust
Disgruntled employees, mistakes and human error
Defense
• Limit users who have:
  – SSH access to your MariaDB server.
  – Sudo privileges on your MariaDB server.
• Set the secure_file_priv option to ensure that users with the FILE privilege cannot write or read MariaDB data or important system files.
• Do not run the MariaDB process (mysqld) as root.
• Avoid wide hostname wildcards (“%”); use specific host names / IP addresses.
49. Threats – Excessive Trust
Disgruntled employees, mistakes and human error
Defense
• Do not use the MariaDB “root” user for application access.
• Grant only the privileges required by your application.
• Minimize the privileges granted to the MariaDB user accounts used by your applications:
  – Don’t grant CREATE or DROP privileges.
  – Don’t grant the FILE privilege.
  – Don’t grant the SUPER privilege.
  – Don’t grant access to the mysql database.
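The least-privilege rules on this slide and the DBA role from the role-based access control slide, put into SQL as an added example that is not part of the original slides. The schema commerceDb, the host ranges, the account names, the password and the resource limits are constructed for the demonstration.

```sql
-- Added example: a least-privilege application account and a DBA role.

-- Role for the application: DML on its own schema only. No CREATE, DROP,
-- FILE or SUPER, and nothing on the mysql database.
CREATE ROLE app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON commerceDb.* TO app_rw;

-- Application account restricted to the application subnet (no '%' host),
-- with the per-user limits from the user-management slide.
CREATE USER 'webapp'@'10.0.1.%' IDENTIFIED BY 'Tk7#wqLp29!vZ'
  WITH MAX_USER_CONNECTIONS 40
       MAX_QUERIES_PER_HOUR 100000
       MAX_STATEMENT_TIME 5;          -- seconds
GRANT app_rw TO 'webapp'@'10.0.1.%';
SET DEFAULT ROLE app_rw FOR 'webapp'@'10.0.1.%';

-- DBA role: schema changes, database creation and statistics, granted to a
-- named person instead of sharing root.
CREATE ROLE dba;
GRANT CREATE, DROP, ALTER, INDEX ON *.* TO dba;   -- update schema, create database
GRANT PROCESS, SHOW DATABASES ON *.* TO dba;     -- view statistics
CREATE USER 'alice'@'10.0.0.%' IDENTIFIED BY 'Rq4!mnVb81#xH';
GRANT dba TO 'alice'@'10.0.0.%';

-- Review what the accounts can actually do, and confirm that FILE operations
-- are confined to a directory (empty secure_file_priv means unconfined).
SHOW GRANTS FOR 'webapp'@'10.0.1.%';
SHOW CREATE USER 'webapp'@'10.0.1.%';
SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';
```

Because the privileges live on the roles, revoking or tightening them is one GRANT/REVOKE on the role rather than a change to every account, and SHOW GRANTS on the account shows exactly which roles it holds.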
50. MariaDB Security Gets Stronger All the Time
The MariaDB user community:
• Quickly identifies new threats
• Creates solutions
• Reports vulnerabilities
• Contributes features