mudmanc4

New SQL user each DB


I have dozens of databases, one for every different application, other than in a couple of cases where there are two for a single app. I have always created a new user for each database, assuming that if one database was compromised, then if using the old brute force this would have to be repeated for each database.

It's getting to the point of monotony when backing them up. Although I have been using Navicat for a couple of years to administer them, when I have to do something quick in a terminal, accessing the SQL server and remembering each one is now a futile task.

What do you do ?

I use pretty much one user for my databases... just make sure your password is strong. Brute force is pretty ineffective... unless the password is dictionary-based. You should worry more about SQL injection hacks than someone actually cracking your entire DB.


Yeah, I was waiting for someone to say something like that. And no, I have never used anything from the dictionary in name, user or password. More like aHgTf_44Ggf_g885j_B7lj2, crap such as this anyhow, for all three.

Reading before the snow stopped this past year, SQL injection is one of the top security issues.

I also only use one user. I do have other users on my MySQL, but that's only for additional sites I am hosting.


mod_security, dude :wink:

http://www.modsecurity.org/

You mentioned this before. I'm getting a new local server together this weekend, CentOS 6, which I'm not too thrilled about using at the moment. Nonetheless, I plan on learning enough about mod_security to implement it in production.

Why don't you just create one user that has read access on all DBs? Seems so much faster.

Thanks,

EBrown

When I first started learning how to use SQL and attempting to secure them, the theory was that the longer the key, the longer it would take the attacker's script to calculate and/or realize they had cracked it. No matter, I didn't use dictionary words. It just made sense to me to put in different users.

Last time I took over a large site that someone else set up, they used crappy DB credentials, along with osCommerce. It was a disaster waiting to happen, and it eventually did.

The problem was not just in the directories; I had to hand-pick through a 1GB+ database scrubbing it up. Took me more than a week, mostly 18+ hours each day.

Because of the sites I am hosting: I want the owners to be able to access and edit their own stuff but not each other's.

I don't like CentOS 6 at the moment; it's far too new for me to use it in production. I'm using CentOS 5.7 and it's running like a dream... you'd rather use RHEL? Or Ubuntu?


You make a great point about using different usernames in a hosting environment. In my situation I generally do all the admin, so there's no worry about someone else. I have two others that do everything themselves, and they obviously have control from the ground up.

I'm not so worried about CentOS 6 because it's local; I plan to use it for a CVS repo and local family sites.

Installed Virtualmin on CentOS 6 last night. Everything so far seems OK, although I prefer sendmail and Usermin installs Postfix by default. I've installed sendmail via yum; Virtualmin will administer sendmail, but at this point I haven't got the module to start sendmail.

I'm using Kloxo, formerly known as LxAdmin. It's working really well for me; though it's not officially supported on CentOS 6, I don't see why it wouldn't work.

And yeah, even though I'm hosting the sites for free, I want the people who are using it to feel they are in control as much as possible, even though I ultimately have all the power.


I've used LxAdmin / Kloxo; every time I hear someone talking about that panel I can't help but get that sick feeling. Ligesh felt it important to take his own life over it. He brought us HyperVM and so much more; a simple glitch that caused a brief security vulnerability is what sent him over the edge. Sorry to bring up something like this, but I feel his name should go on, as without much of his work the virtual machine would not be as it is, so he should be remembered in a positive way.

Yeah, it's one of the better panels I've found that just works. I'd really like cPanel of course, but there's no point in buying a license for what I do.

I was stating it for backup reasons. Use one user to read them all when you are backing them up.

Thanks,

EBrown


Yeah, I never cared before; most of them are set and forget for the most part. I still use the terminal when I have to for them; automating backup has taken that place. If there's injection or who knows, I have a very recent backup locally; I can check the logs, ban the offending IP / set / CIDR and re-up.

I'll take setting a standard/backup user into consideration.

I use them simply because if I lose the password to one, only a single DB is vulnerable.

Thanks,

EBrown
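Added example, not code from anyone in this thread: MySQL grants that implement both ideas discussed above, one least-privilege user per database (the original question, and EBrown's point that losing one password should expose only one DB) plus a single read-only account for backups (EBrown's suggestion). Database, user and host names are assumptions; the passwords are placeholders to be replaced with long random secrets. Run it as an account that has GRANT OPTION, such as root.

```sql
-- Added example (not from the original thread). Assumed names: app1_db,
-- app2_db, app1_user, app2_user, app2_owner, backup. Replace every
-- password placeholder with a long random secret before running.

-- One application, one database, one user. The user gets only the data
-- privileges the application needs, and only from the local host.
CREATE DATABASE app1_db;
CREATE USER 'app1_user'@'localhost' IDENTIFIED BY 'replace-with-random-secret-1';
GRANT SELECT, INSERT, UPDATE, DELETE ON app1_db.* TO 'app1_user'@'localhost';

-- A second application on the same server. A leaked app1_user password
-- cannot reach app2_db because the grant is scoped to a single schema.
CREATE DATABASE app2_db;
CREATE USER 'app2_user'@'localhost' IDENTIFIED BY 'replace-with-random-secret-2';
GRANT SELECT, INSERT, UPDATE, DELETE ON app2_db.* TO 'app2_user'@'localhost';

-- Hosting case from the thread: a site owner who administers their own
-- schema (new tables, migrations) but cannot see anyone else's database.
CREATE USER 'app2_owner'@'localhost' IDENTIFIED BY 'replace-with-random-secret-3';
GRANT ALL PRIVILEGES ON app2_db.* TO 'app2_owner'@'localhost';

-- One read-only account that can dump every database but modify none.
-- SELECT reads rows; LOCK TABLES is what mysqldump needs with its default
-- --lock-tables; SHOW VIEW lets it dump view definitions; EVENT and
-- TRIGGER let it dump those objects. No INSERT/UPDATE/DELETE/DROP anywhere.
CREATE USER 'backup'@'localhost' IDENTIFIED BY 'replace-with-random-secret-4';
GRANT SELECT, LOCK TABLES, SHOW VIEW, EVENT, TRIGGER ON *.* TO 'backup'@'localhost';

-- Check what each account can actually do before trusting it.
SHOW GRANTS FOR 'app1_user'@'localhost';
SHOW GRANTS FOR 'app2_owner'@'localhost';
SHOW GRANTS FOR 'backup'@'localhost';
```

With these grants the nightly job can run `mysqldump --all-databases --single-transaction -u backup -p` and the backup credential is useless for changing data. `--single-transaction` gives a consistent InnoDB snapshot without LOCK TABLES, so for an all-InnoDB server that grant can be dropped too. If a backup is ever reused to restore after an injection, the restore is done as an administrative account, not as the backup user.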
