
New SQL user each DB

sql

16 replies to this topic

#1 mudmanc4

    TMN Seasoned Veteran

  • Moderators
  • 9,040 posts
  • Location: In The Plex

Posted 27 October 2011 - 03:46 PM

I have dozens of databases, one for every different application, other than in a couple of cases where there are two for a single app. I have always created a new user for each database, assuming that if one database was compromised, then the old brute force would have to be repeated for each database.

It's getting to the point of monotony when backing them up. Although I have been using Navicat for a couple of years to administer them, when I have to do something quick in the terminal, accessing the SQL server and remembering each one is now a futile task.

What do you do?
Vote 2012 !

So how's everybody doing in that little head of yours ? ™

#2 CA3LE

    TestMy.net Webmaster

  • Administrator
  • 6,766 posts
  • Location: 00110110 00110000 00110010

Posted 28 October 2011 - 02:06 PM

mudmanc4, on 27 October 2011 - 03:46 PM, said:

I have dozens of databases, one for every different application, other than in a couple of cases where there are two for a single app. I have always created a new user for each database, assuming that if one database was compromised, then the old brute force would have to be repeated for each database.

It's getting to the point of monotony when backing them up. Although I have been using Navicat for a couple of years to administer them, when I have to do something quick in the terminal, accessing the SQL server and remembering each one is now a futile task.

What do you do?

I use pretty much one user for my databases... just make sure your password is strong. Brute force is pretty ineffective... unless the password is dictionary-based. You should worry more about SQL injection hacks than someone actually cracking your entire DB.
"Working to improve our Internet one connection at a time."
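The injection risk CA3LE raises above, as an added example that is not code from any poster in this thread: a lookup that splices user input into the SQL string, beside the parameterized form that sends the value separately from the query. It uses Python's built-in sqlite3 with an in-memory table; the table, the three rows and the payload are constructed for the demo, and MySQL behaves the same way for the point being made (the injected quote closes the string literal and the rest becomes SQL).

```python
"""String-built query beside its parameterized form.

Added example for this thread, not code from any poster. The users
table, its rows and the payload are constructed for the demo.
"""
import sqlite3


def make_db():
    """In-memory SQLite database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),   # constructed sample rows
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates the input into the SQL text, so a quote in the input
    ends the literal and whatever follows is executed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized: the value travels outside the SQL text, so quotes in
    it are data, never syntax. Same query, same input, no injection."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology payload: closes the quoted literal, then OR's in a
# condition that is always true.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))  # every row in the table leaks
    print(lookup_safe(db, PAYLOAD))        # no user has that name: []
```

The point for this thread is blast radius: the vulnerable query runs with whatever privileges the connecting account has, so an account scoped to one database cannot be used to read the others, while a shared account can.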

#3 mudmanc4

    TMN Seasoned Veteran

  • Moderators
  • 9,040 posts
  • Location: In The Plex

Posted 28 October 2011 - 06:51 PM

Yeah, I was waiting for someone to say something like that. And no, I have never used anything from the dictionary in name, user or password. More like aHgTf_44Ggf_g885j_B7lj2, crap such as this, anyhow, for all three.

Reading before the snow stopped this past year, SQL injection is one of the top security issues.

#4 CA3LE

    TestMy.net Webmaster

  • Administrator
  • 6,766 posts
  • Location: 00110110 00110000 00110010

Posted 28 October 2011 - 07:06 PM

mod_security dude ;)

http://www.modsecurity.org/

#5 TriRan

    TMN Friend

  • Moderators
  • 937 posts
  • Location: Arizona

Posted 29 October 2011 - 11:53 AM

CA3LE, on 28 October 2011 - 02:06 PM, said:

I use pretty much one user for my databases... just make sure your password is strong. Brute force is pretty ineffective... unless the password is dictionary-based. You should worry more about SQL injection hacks than someone actually cracking your entire DB.

I also only use one user. I do have other users on my MySQL, but that's only for additional sites I am hosting.
CPU: AMD Phenom™II X4 955 BE Processor - 4.1GHz | MB: ASUS M4A785TD-V EVO 785G
RAM: Wintec XMP1600 DDR3 - 8.00GB @ 1600MHz | Video Card: Sapphire HD Radeon (Cypress XT) 5870 2GB | HDD0-3: 1.8TB
Network: Realtek 1Gb Ethernet, Asus 1Gb Switch, D-Link DIR-655, Motorola SB 6120

#6 EBrown

    Don't hate the combover.

  • Sophist Member
  • 842 posts
  • Location: Armpit of America

Posted 29 October 2011 - 12:58 PM

Why don't you just create one user that has read access on all DBs? Seems so much faster.

Thanks,
EBrown
92% of the teenage population has switched to rap. If you are in the 8% who ROCKS, copy & paste this in your signature!

#7 mudmanc4

    TMN Seasoned Veteran

  • Moderators
  • 9,040 posts
  • Location: In The Plex

Posted 29 October 2011 - 03:27 PM

CA3LE, on 28 October 2011 - 07:06 PM, said:

mod_security dude :wink:

http://www.modsecurity.org/
You mentioned this before. I'm getting a new local server together this weekend, CentOS 6, which I'm not too thrilled about using at the moment; nonetheless I plan on learning enough about mod_security to implement it in production.

EBrown, on 29 October 2011 - 12:58 PM, said:

Why don't you just create one user that has read access on all db's? Seems so much faster.

Thanks,
EBrown
When I first started learning how to use SQL and attempting to secure them, the theory was that the longer the key, the longer it would take the attacker's script to calculate and/or realize they had cracked it. No matter, I didn't use dictionary words. It just made sense to me to put different users.

Last time I took over a large site that someone else set up, they used crappy DB credentials along with osCommerce. It was a disaster waiting to happen, and it eventually did.
The problem was not just in the directories; I had to hand-pick through a 1GB+ database scrubbing it up. Took me more than a week, mostly 18+ hours each day.

#8 TriRan

    TMN Friend

  • Moderators
  • 937 posts
  • Location: Arizona

Posted 30 October 2011 - 09:23 AM

EBrown, on 29 October 2011 - 12:58 PM, said:

Why don't you just create one user that has read access on all db's? Seems so much faster.

Thanks,
EBrown

Because the sites I am hosting, I want the owners to be able to access and edit their own stuff but not each other's.


mudmanc4, on 29 October 2011 - 03:27 PM, said:

You mentioned this before. I'm getting a new local server together this weekend, CentOS 6, which I'm not too thrilled about using at the moment; nonetheless I plan on learning enough about mod_security to implement it in production.

When I first started learning how to use SQL and attempting to secure them, the theory was that the longer the key, the longer it would take the attacker's script to calculate and/or realize they had cracked it. No matter, I didn't use dictionary words. It just made sense to me to put different users.

Last time I took over a large site that someone else set up, they used crappy DB credentials along with osCommerce. It was a disaster waiting to happen, and it eventually did.
The problem was not just in the directories; I had to hand-pick through a 1GB+ database scrubbing it up. Took me more than a week, mostly 18+ hours each day.

I don't like CentOS 6 at the moment; it's far too new for me to use in production. I'm using CentOS 5.7 and it's running like a dream... you'd rather use RHEL? Or Ubuntu?

#9 mudmanc4

    TMN Seasoned Veteran

  • Moderators
  • 9,040 posts
  • Location: In The Plex

Posted 30 October 2011 - 09:36 AM

You make a great point about using different usernames in a hosting environment. In my situation I generally do all the admin, so there are no worries about someone else. I have two others that do everything themselves, and they obviously have control from the ground up.

I'm not so worried about CentOS 6 because it's local; I plan to use it for a CVS repo and local family sites.

Installed Virtualmin on CentOS 6 last night. Everything so far seems OK, although I prefer Sendmail and Usermin installs Postfix by default. I've installed Sendmail via yum; Virtualmin will administer Sendmail, but at this point I haven't got the module to start Sendmail.

#10 TriRan

    TMN Friend

  • Moderators
  • 937 posts
  • Location: Arizona

Posted 30 October 2011 - 03:39 PM

mudmanc4, on 30 October 2011 - 09:36 AM, said:

You make a great point about using different usernames in a hosting environment. In my situation I generally do all the admin, so there are no worries about someone else. I have two others that do everything themselves, and they obviously have control from the ground up.

I'm not so worried about CentOS 6 because it's local; I plan to use it for a CVS repo and local family sites.

Installed Virtualmin on CentOS 6 last night. Everything so far seems OK, although I prefer Sendmail and Usermin installs Postfix by default. I've installed Sendmail via yum; Virtualmin will administer Sendmail, but at this point I haven't got the module to start Sendmail.

I'm using Kloxo, formerly known as LxAdmin. It's working really well for me; though it's not officially supported on CentOS 6, I don't see why it wouldn't work.

And yeah, even though I'm hosting the sites for free, I want the people who are using it to feel they are in control as much as possible, even though I ultimately have all the power.

#11 mudmanc4

    TMN Seasoned Veteran

  • Moderators
  • 9,040 posts
  • Location: In The Plex

Posted 31 October 2011 - 04:47 AM

I've used LxAdmin / Kloxo; every time I hear someone talking about that panel I can't help but get that sick feeling. Ligesh felt it important to take his own life over it. He brought us HyperVM and so much more; a simple glitch that caused a brief security vulnerability is what sent him over the edge. Sorry to bring up something like this, but I feel his name should go on, as without much of his work the virtual machine would not be as it is, so he should be remembered in a positive way.

#12 TriRan

    TMN Friend

  • Moderators
  • 937 posts
  • Location: Arizona

Posted 31 October 2011 - 12:12 PM

mudmanc4, on 31 October 2011 - 04:47 AM, said:

I've used LxAdmin / Kloxo; every time I hear someone talking about that panel I can't help but get that sick feeling. Ligesh felt it important to take his own life over it. He brought us HyperVM and so much more; a simple glitch that caused a brief security vulnerability is what sent him over the edge. Sorry to bring up something like this, but I feel his name should go on, as without much of his work the virtual machine would not be as it is, so he should be remembered in a positive way.


Yeah, it's one of the better panels I've found that just works. I'd really like cPanel of course, but there's no point in buying a license for what I do.

#13 EBrown

    Don't hate the combover.

  • Sophist Member
  • 842 posts
  • Location: Armpit of America

Posted 31 October 2011 - 01:28 PM

TriRan, on 30 October 2011 - 09:23 AM, said:

Because the sites I am hosting, I want the owners to be able to access and edit their own stuff but not each other's.

I don't like CentOS 6 at the moment; it's far too new for me to use in production. I'm using CentOS 5.7 and it's running like a dream... you'd rather use RHEL? Or Ubuntu?

I was stating this for backup reasons. Use one user to read them all when you are backing them up.

Thanks,
EBrown

#14 mudmanc4

    TMN Seasoned Veteran

  • Moderators
  • 9,040 posts
  • Location: In The Plex

Posted 31 October 2011 - 01:50 PM

EBrown, on 31 October 2011 - 01:28 PM, said:

[....] Use one user to read them all when you are backing them up.
Thanks,
EBrown
Makes sense

#15 EBrown

    Don't hate the combover.

  • Sophist Member
  • 842 posts
  • Location: Armpit of America

Posted 31 October 2011 - 01:53 PM

mudmanc4, on 31 October 2011 - 01:50 PM, said:

Makes sense
That's what I usually end up doing, because regardless of my setup admin-wise, each DB gets a dedicated user.

Thanks,
EBrown
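The two kinds of account this thread settles on, the dedicated per-database user from mudmanc4's opening post and the single read-only account for backups that EBrown suggests in #13 and #15, as an added example that is not code from any poster. It emits the MySQL CREATE USER / GRANT statements for both, and audits pasted SHOW GRANTS output for accounts whose reach is wider than one database (global grants, ALL PRIVILEGES, FILE and similar, GRANT OPTION, a '%' host, or more than one database without being the backup account). The database names (app1, shop, forum), account names and the sample SHOW GRANTS lines are constructed for the demo; the privilege names are MySQL's own.

```python
"""Per-database MySQL accounts plus one read-only backup account.

Added example for this thread, not code from any poster. Database
names, account names and the SHOW GRANTS sample are constructed.
"""
import re
import secrets

# What a web application normally needs on its own database: data access
# only, no DDL, no FILE/SUPER, no GRANT OPTION.
APP_PRIVS = "SELECT, INSERT, UPDATE, DELETE"

# What mysqldump needs: SELECT for rows, LOCK TABLES for a consistent
# dump, SHOW VIEW / TRIGGER / EVENT to include those definitions.
BACKUP_PRIVS = "SELECT, LOCK TABLES, SHOW VIEW, TRIGGER, EVENT"

# Privileges that never belong to an application or backup account.
ADMIN_PRIVS = {"ALL", "ALL PRIVILEGES", "FILE", "SUPER", "PROCESS",
               "RELOAD", "SHUTDOWN", "CREATE USER", "GRANT OPTION"}

# One line of SHOW GRANTS output. MySQL 5 quotes the account with ' and
# MySQL 8 with `, e.g.  GRANT SELECT ON `app1`.* TO 'app1'@'localhost'
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO "
    r"(?P<acct>[`'][^`']+[`']@[`'][^`']+[`'])(?P<opt> WITH GRANT OPTION)?",
    re.IGNORECASE)


def new_password():
    """32-character random password; never a dictionary word."""
    return secrets.token_urlsafe(24)


def app_user_grants(db, host="localhost", password=None):
    """One dedicated account per database, scoped to that database only."""
    acct = f"'{db}'@'{host}'"
    return [
        f"CREATE USER {acct} IDENTIFIED BY '{password or new_password()}';",
        f"GRANT {APP_PRIVS} ON `{db}`.* TO {acct};",
    ]


def backup_user_grants(dbs, user="backup", host="localhost", password=None):
    """One read-only account that can dump every listed database.

    Granted per database rather than ON *.* so it cannot read mysql.*
    (account table, password hashes) or databases created later.
    """
    acct = f"'{user}'@'{host}'"
    stmts = [f"CREATE USER {acct} IDENTIFIED BY '{password or new_password()}';"]
    stmts += [f"GRANT {BACKUP_PRIVS} ON `{db}`.* TO {acct};" for db in dbs]
    return stmts


def audit_grants(show_grants_output, multi_db_ok=()):
    """Return sorted (account, reason) findings for over-broad grants.

    multi_db_ok names accounts allowed on several databases (the backup
    account); any other account spanning more than one database is flagged.
    """
    findings = set()
    dbs_per_acct = {}
    for line in show_grants_output.splitlines():
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        acct = m["acct"].replace("`", "'")
        host = acct.rsplit("@", 1)[1].strip("'")
        if privs == {"USAGE"}:
            continue  # USAGE grants nothing; every account has this line
        if m["scope"] == "*.*":
            findings.add((acct, "privileges granted globally (ON *.*)"))
        else:
            db = m["scope"].split(".")[0].strip("`")
            dbs_per_acct.setdefault(acct, set()).add(db)
        for p in privs & ADMIN_PRIVS:
            findings.add((acct, f"administrative privilege {p}"))
        if m["opt"]:
            findings.add((acct, "WITH GRANT OPTION"))
        if host == "%":
            findings.add((acct, "accepts connections from any host"))
    for acct, dbs in dbs_per_acct.items():
        if len(dbs) > 1 and acct not in multi_db_ok:
            findings.add((acct, "spans databases: " + ", ".join(sorted(dbs))))
    return sorted(findings)


# Constructed SHOW GRANTS output for the demo, mixing good and bad accounts.
SAMPLE_SHOW_GRANTS = """
GRANT USAGE ON *.* TO 'app1'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `app1`.* TO 'app1'@'localhost'
GRANT USAGE ON *.* TO 'shop'@'%'
GRANT ALL PRIVILEGES ON `shop`.* TO 'shop'@'%'
GRANT SELECT, INSERT, UPDATE, DELETE ON `forum`.* TO 'shop'@'%'
GRANT USAGE ON *.* TO `backup`@`localhost`
GRANT SELECT, LOCK TABLES, SHOW VIEW, TRIGGER, EVENT ON `app1`.* TO `backup`@`localhost`
GRANT SELECT, LOCK TABLES, SHOW VIEW, TRIGGER, EVENT ON `shop`.* TO `backup`@`localhost`
GRANT SELECT, FILE ON *.* TO 'webapp'@'localhost' WITH GRANT OPTION
"""

if __name__ == "__main__":
    print("\n".join(app_user_grants("app1")))
    print("\n".join(backup_user_grants(["app1", "shop"])))
    ok = {"'backup'@'localhost'"}
    for acct, reason in audit_grants(SAMPLE_SHOW_GRANTS, multi_db_ok=ok):
        print(f"{acct}: {reason}")
```

The audit is the check worth keeping: run `SHOW GRANTS FOR 'user'@'host'` for each account (or dump them all from the mysql.user table) and paste the output in. On the constructed sample it flags the shop account (ALL PRIVILEGES, reachable from any host, and granted on a second database) and the webapp account (global grants, FILE, GRANT OPTION), and stays quiet on app1 and on the backup account as long as that one is allow-listed.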

#16 mudmanc4

    TMN Seasoned Veteran

  • Moderators
  • 9,040 posts
  • Location: In The Plex

Posted 31 October 2011 - 02:00 PM

Yeah, I never cared before; most of them are set and forget for the most part. I still use the terminal when I have to for them; automating backup has taken that place. If there's injection or who knows what, I have a very recent backup locally; I can check the logs, ban the offending IP / set / CIDR and re-up.

I'll take setting a standard / backup user into consideration.

#17 EBrown

    Don't hate the combover.

  • Sophist Member
  • 842 posts
  • Location: Armpit of America

Posted 31 October 2011 - 06:13 PM

mudmanc4, on 31 October 2011 - 02:00 PM, said:

Yeah, I never cared before; most of them are set and forget for the most part. I still use the terminal when I have to for them; automating backup has taken that place. If there's injection or who knows what, I have a very recent backup locally; I can check the logs, ban the offending IP / set / CIDR and re-up.

I'll take setting a standard / backup user into consideration.
I use them simply because if I lose the password to one, only a single DB is vulnerable.

Thanks,
EBrown