Feb 25, 2009

A grave mistake with passwords

One grave security-related mistake that I saw twice this month concerns passwords.
You are aware of the TYPO3 vulnerability that lets attackers read the localconf.php file. Lots of sites were attacked, and the attackers got the passwords to some of them.

There is one thing that can make matters much worse and let hackers exercise full control over your web site: using the same user name and password pair for both the MySQL database and the ssh login.
It may sound incredible, but it is true. Some people (and even some hosting providers!) use the same user name and password for both MySQL and ssh. Now imagine what happens if a hacker gets localconf.php. The MySQL user name and password are there in clear text. Those who use the same credentials for ssh hand over access to their server to the hackers for free!
Fortunately, preventing such problems is easy. Any one of these measures will help (in order of preference):
  • use only public key authentication for ssh (howto) and disable ssh login with passwords completely
  • change ssh login password using passwd command or your hosting panel
  • change the MySQL user password
Don't make it easy for hackers to get into your site! Protect it! Use stronger passwords! If you can't invent a stronger password yourself, get 1Password (Mac only!) or SmrtPass (Windows) or some other program that will generate good passwords for you. Keep your assets safe!
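The first two measures in the list above are settings in sshd_config, and it is easy to believe they are in place when they are not (a later Include or a distribution default can undo them). Below is an added example, not code from this post: a POSIX shell audit that reads an sshd_config and reports whether a stolen password would still let anyone log in over ssh. The two sample config files it writes to a temporary directory are constructed; the defaults it assumes for a missing keyword (PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication all default to yes) are OpenSSH's. Match blocks and the `Keyword=value` spelling are deliberately not handled.

```shell
#!/bin/sh
# Added example; not code from the original post. Audits an sshd_config for
# the post's first two measures: password logins off, public-key logins on.
# The two config files written below are constructed samples.

SAMPLE_DIR=$(mktemp -d)

# Effective value of an sshd_config keyword. sshd honours the FIRST occurrence,
# keywords are case-insensitive, and an absent keyword means the compiled-in
# default passed as $3. Match blocks are ignored (simplification).
sshd_value() {
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{ print tolower($2) }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Returns 0 only when a leaked password is useless against sshd: password and
# keyboard-interactive (PAM) logins disabled, public-key logins enabled.
# Prints one WEAK line per finding and returns 1 otherwise.
audit_sshd_config() {
    rc=0
    pw=$(sshd_value "$1" PasswordAuthentication yes)
    ca=$(sshd_value "$1" ChallengeResponseAuthentication yes)
    pk=$(sshd_value "$1" PubkeyAuthentication yes)
    [ "$pw" = "no" ]  || { echo "WEAK: $1: PasswordAuthentication $pw (want no)"; rc=1; }
    [ "$ca" = "no" ]  || { echo "WEAK: $1: ChallengeResponseAuthentication $ca (want no; PAM can still prompt for a password)"; rc=1; }
    [ "$pk" = "yes" ] || { echo "WEAK: $1: PubkeyAuthentication $pk (want yes)"; rc=1; }
    return $rc
}

# Constructed samples: a typical distribution default, and the post's advice.
write_samples() {
    cat > "$SAMPLE_DIR/weak" <<'EOF'
# constructed sample: the usual default, passwords accepted
Port 22
UsePAM yes
PasswordAuthentication yes
EOF
    cat > "$SAMPLE_DIR/hardened" <<'EOF'
# constructed sample: keys only
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Stand-alone run: audit both samples and report.
write_samples
for f in weak hardened; do
    if audit_sshd_config "$SAMPLE_DIR/$f"; then
        echo "OK: $SAMPLE_DIR/$f accepts keys only"
    fi
done
```

To check a real server, call `audit_sshd_config /etc/ssh/sshd_config`, and after disabling passwords verify key login from a second session before closing the one you are in, so a mistake in the key setup cannot lock you out.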

3 comments:

  1. You're right and I want to add something else:

    Create a new mysql user with just the rights needed for running typo3 and use that instead of the main mysql user.
  2. Normally there should be NO access to the database from outside at all! In 99.9% of all applications there is no need to access the database from outside the server, so you could add a firewall rule that only allows access from localhost. If someone still needs access to the database this could be done through an SSH tunnel.
  3. Jochen, you are right of course.

    In the article I wanted to emphasize that the ssh user name and password should never be stored in clear text. Thus it may not be the same as the mysql user name and password.
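The first two comments each describe a setting that limits what a leaked localconf.php is worth: a MySQL user scoped to the TYPO3 database (comment 1) and a server that cannot be reached from the network (comment 2). As an added example, not code from the post or from the commenters, the POSIX shell script below audits both from text: the [mysqld] section of a my.cnf file, and a saved `SHOW GRANTS` output. All input files are constructed samples; the privilege list given to the sample typo3 user is an assumption for illustration, since the exact set a given installation needs is not stated on this page.

```shell
#!/bin/sh
# Added example for the two comments above; not the post's or the commenters'
# code. Check 1: MySQL listens only on localhost. Check 2: the TYPO3 database
# user holds only database-scoped privileges, not the main account's rights.
# Every input file written below is a constructed sample.

SAMPLE_DIR=$(mktemp -d)

# Returns 0 if the [mysqld] section keeps the server off the network: either
# skip-networking is set or bind-address is a loopback address. When an option
# is repeated, MySQL uses the last one, so only the last bind-address counts.
audit_mysql_cnf() {
    sect=$(awk '/^\[/ { on = ($0 == "[mysqld]") } on' "$1")
    if printf '%s\n' "$sect" | grep -Eq '^[[:space:]]*skip[-_]networking'; then
        return 0
    fi
    bind=$(printf '%s\n' "$sect" \
        | grep -E '^[[:space:]]*bind[-_]address[[:space:]]*=' \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//' | tr -d '[:space:]')
    case "$bind" in
        127.0.0.1|::1|localhost) return 0 ;;
        '') echo "WEAK: $1: no bind-address in [mysqld], server listens on all interfaces"; return 1 ;;
        *)  echo "WEAK: $1: bind-address=$bind is reachable from the network"; return 1 ;;
    esac
}

# Returns 0 if every GRANT line of a `SHOW GRANTS` dump is limited to one
# database and one host and carries no administrative privilege. The
# `GRANT USAGE ON *.*` line MySQL prints for every account grants nothing
# and is skipped.
audit_grants() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "GRANT USAGE ON *.*"*) continue ;;
            GRANT*) ;;
            *) continue ;;
        esac
        case "$line" in *"ON *.*"*)
            echo "WEAK: global scope: $line"; rc=1 ;;
        esac
        case "$line" in *"@'%'"*)
            echo "WEAK: login allowed from any host: $line"; rc=1 ;;
        esac
        case "$line" in *"ALL PRIVILEGES"*|*SUPER*|*"GRANT OPTION"*|*" FILE "*)
            echo "WEAK: administrative privilege: $line"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Constructed samples: the setup the comments warn about, and the one they ask for.
write_samples() {
    cat > "$SAMPLE_DIR/weak.cnf" <<'EOF'
[client]
port = 3306
[mysqld]
bind-address = 0.0.0.0
EOF
    cat > "$SAMPLE_DIR/hardened.cnf" <<'EOF'
[mysqld]
bind-address = 127.0.0.1
EOF
    cat > "$SAMPLE_DIR/weak.grants" <<'EOF'
Grants for root@%
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION
EOF
    cat > "$SAMPLE_DIR/hardened.grants" <<'EOF'
Grants for typo3@localhost
GRANT USAGE ON *.* TO 'typo3'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `typo3db`.* TO 'typo3'@'localhost'
EOF
}

# Stand-alone run: audit both pairs of samples and report.
write_samples
for f in weak hardened; do
    if audit_mysql_cnf "$SAMPLE_DIR/$f.cnf"; then echo "OK: $f.cnf: MySQL not reachable from the network"; fi
    if audit_grants "$SAMPLE_DIR/$f.grants"; then echo "OK: $f.grants: privileges are scoped"; fi
done
```

Against a live server, feed the script the real my.cnf and the saved output of `SHOW GRANTS FOR 'typo3'@'localhost'`; a firewall rule as in comment 2 is still worth having on top, since bind-address only covers the MySQL daemon itself.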