To all MySQL experts

To all MySQL experts

Postby Otto » Thu Aug 30, 2018 8:21 am

Hello,
could it be that we the save the admin password in clear text into the config file of MySQL:
$cfg['Servers'][$i]['password'] = 'myPW';

I mean if someone steals the MySQL folder he can do what ever he wants with these data.

Is there a way you can have a password for MySQL like we have with RDP which is only working on the machine where you created the password.

It seems to me very difficult to protect against download if someone is able to get access to the machine.

Thank you for your help
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
User avatar
Otto
 
Posts: 6332
Joined: Fri Oct 07, 2005 7:07 pm

Re: To all MySQL experts

Postby nageswaragunupudi » Thu Aug 30, 2018 8:28 am

MySql does not require storing any usernames or passwords in any config files. Not at all necessary. None of us do it.
Regards

G. N. Rao.
Hyderabad, India
User avatar
nageswaragunupudi
 
Posts: 10632
Joined: Sun Nov 19, 2006 5:22 am
Location: India

Re: To all MySQL experts

Postby dutch » Thu Aug 30, 2018 8:45 am

Dear Otto,

you can encrypt the password that store in .INI.

But do not trim before save to ini.
Regards,
Dutch

FWH 19.01 / xHarbour Simplex 1.2.3 / BCC73 / Pelles C / UEStudio
FWPPC 10.02 / Harbour for PPC (FTDN)
ADS V.9 / MySql / MariaDB
R&R 12 Infinity / Crystal Report XI R2
(Thailand)
User avatar
dutch
 
Posts: 1542
Joined: Fri Oct 07, 2005 5:56 pm
Location: Thailand

Re: To all MySQL experts

Postby Otto » Thu Aug 30, 2018 9:20 am

Dear Mr Rao,
thank you I think I understand now what you will tell me.
If phpMyAdmin is deleted the server is working fine but without knowing the password you can’t access the databases.

Best regards
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
User avatar
Otto
 
Posts: 6332
Joined: Fri Oct 07, 2005 7:07 pm

Re: To all MySQL experts

Postby Carles » Fri Aug 31, 2018 11:31 am

Otto,

It seems that your code is php. This is hosted on your server and in principle NO ONE should access your server. If someone accesses it, yoi will be a dead man.

You must differentiate windows applications / web applications. In windows you can have your user/psw inside your own exe or in external files with the encrypted data (for example *.ini files, dll files,...).

In a web environment, all configuration data is on the server and nobody (except the administrator) has access to this data.
Salutacions, saludos, regards

"...programar es fácil, hacer programas es difícil..."

UT Page -> https://carles9000.github.io/
Forum UT -> https://discord.gg/bq8a9yGMWh
Skype -> https://join.skype.com/cnzQg3Kr1dnk
User avatar
Carles
 
Posts: 1134
Joined: Fri Feb 10, 2006 2:34 pm
Location: Barcelona

Re: To all MySQL experts

Postby Otto » Fri Aug 31, 2018 10:25 pm

Hello Carles,
I mean safety also if someone can get access to the server physically.

If you have some time – for example the night porter in a hotel -
it is easy to change the administrator password of a server.
Then you have access to the system.

Then it seems hacking a root PW should be no problem:

https://www.youtube.com/watch?v=dyc5b3yT2tI

Only encryption of the data can be a solution.

Best regards,
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
User avatar
Otto
 
Posts: 6332
Joined: Fri Oct 07, 2005 7:07 pm

Re: To all MySQL experts

Postby Otto » Sat Sep 01, 2018 5:23 pm

Hello,
it seems that with root access –which should be easy if you have physical access to the server- you can reset the PW.

Otto

From the MySQL forum

DIsable root password reset

Hi to all,
i'd like to know if it's possible to block and prevent the reset of root password of my mysql database, in order to increase security and avoid that someone can log to my database with root password damaging data or structure.


Only a user with root privs can reset root password without restarting the server with --skip-grant-tables, so ensure no-one except root has root privs, and that root cannot connect remotely.
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
User avatar
Otto
 
Posts: 6332
Joined: Fri Oct 07, 2005 7:07 pm

Re: To all MySQL experts

Postby Carles » Sun Sep 02, 2018 8:22 am

Otto,

Otto wrote:Then it seems hacking a root PW should be no problem:
...


It's true, very easy...

Otto wrote:Only encryption of the data can be a solution.


In this case, if you use dbf you should also encrypt the data

Otto, if your server system is exposed, you should protect it too. It is one of the most important security measures
Salutacions, saludos, regards

"...programar es fácil, hacer programas es difícil..."

UT Page -> https://carles9000.github.io/
Forum UT -> https://discord.gg/bq8a9yGMWh
Skype -> https://join.skype.com/cnzQg3Kr1dnk
User avatar
Carles
 
Posts: 1134
Joined: Fri Feb 10, 2006 2:34 pm
Location: Barcelona

Re: To all MySQL experts

Postby Otto » Sun Sep 02, 2018 6:56 pm

Hello Carles,
please see my post: encrypt-decrypt word doc
viewtopic.php?f=3&t=35194&p=209458&hilit=encrypt#p209458
I resolved my problem with file encryption.
But as you see in the post to my topic I think we trust to much the MySQL security.

Otto,
Do you use a SQL-database?
Then you store the DOC-file in a BLOB-field. The SQL-database is already password-protected.


Best regards
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
User avatar
Otto
 
Posts: 6332
Joined: Fri Oct 07, 2005 7:07 pm

Re: To all MySQL experts

Postby Otto » Sun Sep 02, 2018 6:57 pm

Otto wrote:Hello Carles,
please see my post: encrypt-decrypt word doc
viewtopic.php?f=3&t=35194&p=209458&hilit=encrypt#p209458
I resolved my problem with file encryption.
But as you see in the post to my topic I think we trust too much the MySQL security.

Otto,
Do you use a SQL-database?
Then you store the DOC-file in a BLOB-field. The SQL-database is already password-protected.


Best regards
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
User avatar
Otto
 
Posts: 6332
Joined: Fri Oct 07, 2005 7:07 pm

Re: To all MySQL experts

Postby Otto » Sun Sep 02, 2018 9:02 pm

Hello Carles,

What is the MySQL equivalent of SQL Server 2016 Always Encrypted technology or is there anything similar in MySQL that can act as AE?

https://dba.stackexchange.com/questions/158725/what-is-the-mysql-equivalent-of-sql-server-2016-always-encrypted-technology

Conclusion
Transparent Data Encryption is extremely simple to use. However, the data protection is very limited. TDE protects the data at rest only. However, Always Encrypted is really a powerful feature. It is still not too complex to implement, and the data is completely protected. Not even a DBA can see it without having an access to the encryption keys. Hopefully, the limitations for AE, especially the collation limitation, will be removed in the future versions of SQL Server.


https://codingsight.com/transparent-dat ... encrypted/



Best regards
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
User avatar
Otto
 
Posts: 6332
Joined: Fri Oct 07, 2005 7:07 pm

Re: To all MySQL experts

Postby nageswaragunupudi » Tue Sep 04, 2018 3:17 am

If we have physical access to the server, we do not need to know any usernames or passwords to see the data. What all we need is a hex editor and most program editors can do this.

Navigate to MySql/MariaDB installation folder and look for folder "data". In this folder, we see each database as a subfolder. Within each subfolder, we see every table as <tablename>.ibd. Open this *.ibd in a hex editor and view all the data in the table in plain asci.

Image

Table/Tablespace encryption protects from this.
Regards

G. N. Rao.
Hyderabad, India
User avatar
nageswaragunupudi
 
Posts: 10632
Joined: Sun Nov 19, 2006 5:22 am
Location: India

Re: To all MySQL experts

Postby Otto » Tue Sep 04, 2018 6:25 am

Dear Mr Rao
thank you for showing this. This is what I am afraid of.
As fare as I know encryption is only build in in MariaDB not in MySQL. Is this right.
Thank you and best regards
Otto
********************************************************************
mod harbour - Vamos a la conquista de la Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
User avatar
Otto
 
Posts: 6332
Joined: Fri Oct 07, 2005 7:07 pm

Re: To all MySQL experts

Postby nageswaragunupudi » Tue Sep 04, 2018 8:45 am

MySQL Enterprise edition provides encryption as an optional feature.

In any case, the point is that MySql/MariaDB data is as secure or insecure as your DBF data. We need to keep the server physically inaccessible to others.

Larger organizations have their own security arrangements. Small organizations can adopt simpler solutions like keeping the server inside a locked grilled box/almirah with good ventilation.
Regards

G. N. Rao.
Hyderabad, India
User avatar
nageswaragunupudi
 
Posts: 10632
Joined: Sun Nov 19, 2006 5:22 am
Location: India


Return to FiveWin for Harbour/xHarbour

Who is online

Users browsing this forum: Google [Bot] and 112 guests