Securing default MySQL installation

Usually a MySQL installation will also create some default databases. If they don't exist, you can create them by running:

mysql_install_db

Setting a MySQL root password

The most important thing is to ensure that all root accounts have passwords set. For instance, this is the default mysql database after a normal MySQL installation.

This is a very insecure setup.

To learn how to set a password for the MySQL root accounts, or to delete the root users entirely, see this short reference on MySQL commands.

You can also see that there are some entries without a User name (not only without a password). These anonymous accounts exist for testing and benchmarking.

Ownership and permissions

You also need to make sure the MySQL daemon runs under its own user, not some default (nobody) user. For this you must make sure that /etc/my.cnf lists this in the [Server] / [mysqld] section (the two are synonyms):

user=mysql

The data directory holding the databases should be owned by that user:

[root@i5 bin]# ls -ld /var/lib/mysql
drwxr-xr-x 4 mysql mysql 4096 Dec  1 14:51 /var/lib/mysql

More (official) reference on securing the initial default MySQL installation.


MySQL commands – usually run from shell

Connecting to the server

mysql -h localhost -u root

The commands below assume the existence of the default databases. If this is not true, take a look at securing a default MySQL installation.

Selecting a specific MySQL database

use database_name;   # general form; for example:

use mysql;

Listing tables in the selected database

show tables;

Viewing the structure of a specific table

describe table_name;   # for example: describe user;

Retrieving some data

We are interested to see whether the root accounts (there is usually more than one, one for each possible host such as 127.0.0.1, localhost and the actual hostname) have passwords set.

mysql> select Host,User,Password from user;

We can see above that none of the defined accounts has a password set. This is a serious security hazard.

Setting passwords

set password for root@localhost = password('your_password');

Setting the MySQL root password

As you can see, the password is stored as a hash in the database, not in clear text.

Deleting rows (data entries)

We are especially interested in deleting the root MySQL accounts that have no password set.

delete from user where User = 'root' and Password = '';

Delete MySQL root accounts with no set password

Creating a MySQL root account

grant all privileges on mysql.* to admin@localhost identified by 'light';

Note that "on mysql.*" scopes the grant to the mysql database only; an account with privileges on every database needs "on *.*" instead.

Create root MySQL account

After modifying users you should flush the privileges:

flush privileges;

After setting the MySQL root password you will no longer be able to log in as root without supplying it.

Logging to a MySQL root account with set password

More (official) reference on MySQL users.
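The audit described above (root accounts without a password, anonymous accounts) as a small shell check; this is an added example, not code from the original post, and it assumes the pre-5.7 user table layout with a Password column, exactly as in the query shown above. The sample rows are constructed.

```shell
# Added example: audit the Host/User/Password rows of mysql.user for the two
# weaknesses discussed above: empty passwords and anonymous (blank User) accounts.
# Feed it the tab-separated output of the page's query, for instance:
#   mysql -B -e 'select Host,User,Password from mysql.user' | audit_mysql_accounts
# Prints one line per weak account and exits with status 1 if any were found.
audit_mysql_accounts() {
    awk -F'\t' '
        NR == 1 && $1 == "Host" { next }        # skip the column header row
        {
            host = $1; user = $2; pw = $3; weak = ""
            if (user == "") weak = "anonymous-user"
            if (pw == "")   weak = (weak == "" ? "" : weak " ") "empty-password"
            if (weak != "") { found++; printf "%s@%s: %s\n", user, host, weak }
        }
        END { exit (found > 0) }
    '
}

# Constructed sample in the shape of the page's "select Host,User,Password from user"
# output; the hash on the 127.0.0.1 row is a made-up placeholder, not a real hash.
sample_user_table() {
    printf 'Host\tUser\tPassword\n'
    printf 'localhost\troot\t\n'
    printf '127.0.0.1\troot\t*EXAMPLEHASH0000000000000000000000000000\n'
    printf 'i5\troot\t\n'
    printf 'localhost\t\t\n'
    printf 'i5\t\t\n'
}

# Fixing what the audit reports: the page's set password / delete / flush statements,
# plus a delete for the anonymous rows (run these in the mysql client):
#   set password for root@localhost = password('your_password');   -- one per root host
#   delete from user where User = '';                               -- anonymous accounts
#   delete from user where User = 'root' and Password = '';         -- root rows still unpassworded
#   flush privileges;
```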


Installing PHP

In order to install PHP with MySQL support you first need to install mysql, mysql-lib, mysql-server and mysql-devel. Install instructions for MySQL libs.

Also you may need to install libxml2-devel in order to get xml2-config.

yum install libxml2-devel

Finally generate the makefile:

./configure --with-apxs2=/opt/apache/bin/apxs --with-mysql --prefix=/opt/php

And compile PHP:

make

make test

And install it

make install

And finally install php-mysql

yum install php-mysql

You need to make sure all these lines are found in httpd.conf:

LoadModule php5_module modules/libphp5.so

<Files *.php>
    SetOutputFilter PHP
    SetInputFilter PHP
</Files>

AddType application/x-httpd-php .php


Installing MySQL

In order to install MySQL you need to install these:

  • mysql
  • mysql-server
  • mysql-lib
  • mysql-devel

yum install mysql mysql-lib mysql-server mysql-devel

After php and php-mysql are installed you may start MySQL:

/etc/init.d/mysqld start

And you should get this:

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h i5 password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl


Apache IP based access

In order to use Apache to allow or deny access based on a specific IP you need mod_authz_host.


Named-based virtual hosting

First you need to declare the IP used for virtual hosting with the NameVirtualHost directive:

NameVirtualHost 192.168.0.1
# the IP above is just an example
# this directive tells Apache that requests arriving on this IP must be further dispatched by the requested host name

Second you need to form the VirtualHost container:

<VirtualHost 192.168.0.1>
</VirtualHost>

Main sub directives

ServerName

This sets the site's name; for name-based virtual hosting it is the value matched against the Host header of the request.

DocumentRoot

This sets the location of the Webspace (the user files served to clients) for that host.

ErrorLog

This specifies the path of the error log.

TransferLog

This specifies the path of the transfer log.

Example

NameVirtualHost 192.168.0.1

<VirtualHost 192.168.0.1>
    ServerName site1.com
    ServerAdmin [email protected]
    DocumentRoot /home/site1
    ErrorLog /path
    TransferLog /path
</VirtualHost>

# a second site served from the same IP; site2.com and /home/site2 are placeholder names
<VirtualHost 192.168.0.1>
    ServerName site2.com
    ServerAdmin [email protected]
    DocumentRoot /home/site2
    ErrorLog /path
    TransferLog /path
</VirtualHost>


Main Apache Directives

The main Apache configuration directives

The complete Apache directives list.

Listen

This directive sets the IP address(es) and port on which the Apache server listens for connections.

Listen 192.168.0.1:80

Instead of 192.168.0.1 the actual IP must be used. Port 80 is the regular HTTP port and 443 is the default HTTPS port. If the server has multiple interfaces (physical or virtual), the * character is used to cover all IPs.

Listen *:80

User / Group

These directives set the user and the group under which the http server will be running.

ServerName

This sets the name of the server reported by Apache.

ServerRoot

This sets the location of the server and all its files. Relative paths in httpd.conf are resolved against this path.

DocumentRoot

This is the WebSpace. This is the location where Apache will search for the files and folders requested by the clients.

DirectoryIndex

This sets the default file served by Apache if the client has not requested a specific file. For this to work the dir_module must be loaded.

LoadModule dir_module modules/mod_dir.so

<IfModule dir_module>
    DirectoryIndex index.php index.htm index.html
</IfModule>

IndexOptions

This configures the directory listing Apache generates when a folder contains no file matching DirectoryIndex (listings only happen when Options Indexes is on for that directory). It needs the autoindex_module. Such a listing exposes every file name in the folder, so enable it only where that is intended.

LoadModule autoindex_module  modules/mod_autoindex.so

IndexOptions   FancyIndexing FoldersFirst

IndexIgnore

This hides files matching the given patterns from the generated directory listing. It needs the autoindex module (mod_autoindex.so).

IndexIgnore *.jpeg

Alias

This is used to map a URL path to a local directory outside the document tree. It requires the mod_alias.so module.

LoadModule alias_module modules/mod_alias.so

Alias /var /path_outside_document_tree

There is a variant to this called ScriptAlias used for folders with CGI scripts.

Redirect

This is similar to Alias but it’s used to map a resource from local Webspace to a remote one.

Redirect /dir  http://www.site.com

ErrorLog

This sets the path of the error log, and LogLevel sets how verbose it is. Possible values for LogLevel, from most to least verbose: debug, info, notice, warn, error, crit, alert, emerg.

ErrorLog /log_path

LogLevel warn

ErrorDocument

This sets the server's response to a specific error, either as a message or as the path to a file.

ErrorDocument  500  "Error message"

ErrorDocument  404  /error.html

Incomplete list of error numbers:

400 Bad Request – HTTP_BAD_REQUEST
401 Authorization Required – HTTP_UNAUTHORIZED
402 Payment Required – HTTP_PAYMENT_REQUIRED
403 Forbidden – HTTP_FORBIDDEN
404 Not Found – HTTP_NOT_FOUND
405 Method Not Allowed – HTTP_METHOD_NOT_ALLOWED
406 Not Acceptable – HTTP_NOT_ACCEPTABLE
407 Proxy Authentication Required – HTTP_PROXY_AUTHENTICATION_REQUIRED
408 Request Time-out – HTTP_REQUEST_TIME_OUT
409 Conflict – HTTP_CONFLICT
410 Gone – HTTP_GONE
411 Length Required – HTTP_LENGTH_REQUIRED
413 Request Entity Too Large – HTTP_REQUEST_ENTITY_TOO_LARGE
414 Request-URI Too Large – HTTP_REQUEST_URI_TOO_LARGE
500 Internal Server Error – HTTP_INTERNAL_SERVER_ERROR
501 Method Not Implemented – HTTP_NOT_IMPLEMENTED
503 Service Temporarily Unavailable – HTTP_SERVICE_UNAVAILABLE
505 HTTP Version Not Supported – HTTP_VERSION_NOT_SUPPORTED

<Directory>

This is used to set some options for a specific directory of the Webspace and it can only be used in the main configuration (not in .htaccess). Apache does not accept comments at the end of a directive line, so the comments below sit on their own lines.

<Directory /path>
    # example 1
    Options Indexes FollowSymLinks
    # example 2
    AllowOverride All
</Directory>

If AllowOverride is set to None, Apache does not even read .htaccess files in that directory.

<FilesMatch>

This directive is used to restrict access to files whose names match a regular expression. It can also be used in .htaccess.

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

<Files>

This is equivalent to FilesMatch, but <Files> normally takes a literal file name or shell wildcard; to match a regular expression it must be preceded by ~

<Files ~ "\.(gif|jpe?g|png)$">
    Order allow,deny
    Allow from 192.168.0.1
</Files>
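A small audit of an httpd.conf for the settings covered in the <Directory>, <FilesMatch> and User/Group sections above, as an added example (not part of the original notes). It assumes plain httpd.conf syntax as shown on this page; both sample configurations are constructed, one with the weak settings and one hardened.

```shell
# Added example: quick audit of an httpd.conf for the settings discussed above. Flags
# User/Group missing or root, "Options ... Indexes" (directory listings), "AllowOverride All"
# (.htaccess may override anything) and no <FilesMatch "^\.ht"> block shielding .ht* files.
# Usage: audit_httpd_conf /path/to/httpd.conf   (exit status 1 if anything was flagged)
audit_httpd_conf() {
    awk '
        function flag(msg) { problems++; print msg }
        /^[[:space:]]*#/ { next }                # skip comment lines
        { d = tolower($1) }
        d == "user"  { user = $2 };  d == "group" { group = $2 }
        d == "options" { for (i = 2; i <= NF; i++) if (tolower($i) ~ /^\+?indexes$/)
            flag("line " NR ": Options Indexes exposes directory listings") }
        d == "allowoverride" && tolower($2) == "all" {
            flag("line " NR ": AllowOverride All lets .htaccess change any setting") }
        d == "<filesmatch" && index($2, "^\\.ht") > 0 { ht_protected = 1 }
        END {
            if (user == "" || user == "root")   flag("User directive missing or set to root")
            if (group == "" || group == "root") flag("Group directive missing or set to root")
            if (!ht_protected) flag("no <FilesMatch \"^\\.ht\"> block denying access to .ht* files")
            exit (problems > 0)
        }' "$1"
}
# Constructed sample config using the weak settings from the examples above
write_weak_conf() {
    cat > "$1" <<'EOF'
# User nobody   (commented out, must be ignored)
User nobody
Group nobody
<Directory /home/site1>
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
EOF
}
# The same config hardened: no listings, no .htaccess overrides, .ht* files denied
write_hardened_conf() {
    cat > "$1" <<'EOF'
User apache
Group apache
<Directory /home/site1>
Options -Indexes FollowSymLinks
AllowOverride None
</Directory>
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
EOF
}
```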

mime.types

This associates a server action with the file type requested by the client. It requires mod_mime.so.

LoadModule mime_module modules/mod_mime.so

DefaultType text/plain

TypesConfig conf/mime.types


Apache structure

The /bin folder

Contains various binaries:

httpd

This is the server binary itself

apachectl

This controls the server (start, stop, restart)

htpasswd

This creates user data for Apache passworded directories.

ab

This is used for benchmarking

apxs

Apache extension tool: this is used for expanding apache by compiling new modules.

rotatelogs

This is used for rotating the Apache logs.

The /conf directory

This folder contains configuration files, mainly httpd.conf.

The /modules folder

This contains DSO modules (Dynamic Shared Objects) – binaries that are dynamically loaded at server startup.


Apache installation

Compile options

Implicit options (DSO)

./configure --prefix=/install_path --enable-so --enable-mods-shared=all

--enable-mods-shared=all

This enables the installation of all available modules.

--enable-so

This enables modular support (DSO)


dig

Query the local DNS server

dig @localhost domain

Reverse resolution query on local DNS server

dig @localhost -x ip

Query MX record from 8.8.8.8 DNS server

dig @8.8.8.8 -t MX domain

Query all records

dig -t any domain
