Skip to main content

Securing MySQL (Java / Php Developers) 

This Article would be useful to the people those who are using MySQL on a server
connected to the Internet and hosted a web application (Developed using
Java or/and PHP) on same server. This would also allow users to avoid a common
security mistakes and Java developer to understand an issue related to UNIX socket.
Usually MySQL uses port 3306 by default. This port should not be accessible
from un-trusted hosts and should be closed, unless you really have a good
reason to keep it open.
This can be done on Server’s firewall or router, however MySql provides its own
security options like
1. skip-networking
2. bind-address

1. skip_networking
This option was added in MySQL 3.22.23 and is recommended for systems where only
local clients are allowed.To enable this option, put “skip-networking” in the mysql
configuration file (/etc/mysql/my.conf).
If this option is ON the server allows only local (non-TCP/IP) connections. Any
clients (even clients running on the same host) using the remote connection method,
are refused. 
On UNIX, local connections use a UNIX socket file (“/tmp/mysql.sock”). On Windows,
local connections use a named pipe. 
Note: UNIX domain socket and named pipe are other mechanisms of inter process
communication.
  General Developer’s view to Implement:
      Implementation Complexity      -       Low
   Effort to Implement            -       Low
   Access Speed                   -       Fastest 
Advantages:
This approach provides secure and fastest way of communication.
Disadvantages:
This approach will not work with the Operating systems those which are only
supporting TCP/IP communication like NetWare OS.
In Java (Programming language), only TCP/IP connections are supported, so switching
ON this variable will not allow Java program to connect to the MySql Server.
Reason (What I found on the internet):Unix Domain Sockets are platform dependent
and Java is platform independent, so Java does not support UNIX domain sockets.
Hence, Connector/J (A JDBC Driver) can only make connections over TCP/IP.
   Alternative solution for Java Developers:
   Implement JNI (Java native interface), as suggested in the link http://forum.java.sun.com/thread.jspa?threadID=5164644&messageID=9634552
    General Developer’s view to Implement: 
        Implementation Complexity      -        High
   Effort to Implement            -        High
   Access Speed                   -        Slower than TCP/IP
           communication.
2.bind-address:
This is an easiest way to only bind MySQL to the loopback interface 127.0.0.1
(localhost). Just put “bind-address=127.0.0.1” in place of “skip-networking” in
the mysql configuration file (/etc/mysql/my.conf). This makes sure nobody can
connect to your MySQL daemon via the network.
   General Developer’s view to Implement:
      Implementation Complexity      -        Low
   Effort to Implement            -        Low
   Access Speed                   -        Faster than JNI approach
            and a bit slower than
             “Socket communication”.
Note: - MySql will listen on the port 3306, only for localhost (Will not allow
others). Brainstormed on security implication, my thinking towards above approach
is also safe as it would allow connection to localhost only. 

Advantage:
Java people can utilize this approach without putting effort to implement JNI
solution.

Disadvantage: 
Other services would not be able to use port 3306.
Conclusion:
Using “skip-networking” option is easy, safe and fast if you are not using Java
otherwise either implement JNI or use bind-“address=127.0.0.1” option.
 
Refer:
--------------
Securtiy related MySql options
http://dev.mysql.com/doc/refman/5.0/en/privileges-options.html
--------------
http://forge.mysql.com/wiki/Error2003-CantConnectToMySQLServer#MySQL_Server_accepts_no_remote_clients.2C_only_local_clients
http://dev.mysql.com/doc/refman/5.0/en/dns.html
http://www.webmasterworld.com/forum10/6141.htm
http://forge.mysql.com/wiki/Error2003-CantConnectToMySQLServer#MySQL_Server_accepts_clients_only_on_same_host
Labels:

Comments

Anonymous said…
Good going techno guy! Write something on XML too.
July 16, 2008 at 10:36 PM
Post a Comment

Popular posts from this blog

Java and “\u” ( blackslash u )

This article is related to escaping of “\u” backslash u [Unicode character] in Java Problem Statement: I have a string which consists of a DOS path something like "\sample\user_data\example".The “\u” (backslash u) in “\user_data” above gives “an invalid Unicode” JavaScript error in IE and hence my page isn’t displayed. I tried to replace “\u” (backslash u) in the string with something like "\ u"(backslash u) as I was not able to escape it. This also does not work . Java complier does not allow “\u” (backslash u) character and gives "Invalid unicode character sequence" error when I use it with replaceAll. Que 1: Can I escape the \u character some how in Java or JavaScript? Que 2: How can I replace all "\u" character in a string with something else like "\ u"? I have posted this query to some of the Java and JavaScript related groups. Here are the solutions I found Before going into the details about solution let us
Post a Comment
Read more

MySQL :: tinyInt1isBit

One can enter values apart from 0 and 1 (say 2,3,?100) in a field with tinyint(1) type in MySql. MySql doesn?t complain. Now if you want to read inserted data using PHP it will return value as it is, however this will not work with Java. Java will throw an exception while reading same MySql data. Java treats tinyint(1) as Boolean and returns only true or false. Two solution either we can make our column tinyint(something > 1), or can add the connection property 'tinyInt1isBit=false' to our JDBC URL. Adding connection property 'tinyInt1isBit=false' to JDBC URL is risky since it will affect entire database data while reading the same using Java. Refer : http://forums.mysql.com/read.php?39,10652,10669#msg-10669
Post a Comment
Read more

Every thing about ConcurrentHashMap

Why ConcurrentHashMap is better than Hashtable and just as good as a HashMap http://www.codercorp.com/blog/java/why-concurrenthashmap-is-better-than-hashtable-and-just-as-good-hashmap.html Why ConcurrentHashMap does not support null values http://anshuiitk.blogspot.com/2010/12/why-concurrenthashmap-does-not-support.html
Post a Comment
Read more