In honor of ApacheCon Europe, held this past week, we will be going over a very basic implementation of an Apache web server. Ivan Ristic, author of “Apache Security” spoke at ApacheCon where he presented “Web Intrusion Detection with ModSecurity.” Rich Bowen, author of “The Definitive Guide to Apache mod_rewrite” (and a few other titles) on his blog DrBacchus Journal did a post titled “ApacheCon EU 2008 so far.” Rich had this to say about Ivan’s talk, “His talk was fabulous.” He goes on to elaborate, “I’m sure that everything Ivan talked about is in the docs, but his talk was amazingly valuable anyway, since it showed me things in one hour that would probably have taken me months to discover. And I’ve been using mod_security for years already, and wasn’t aware of them, or didn’t quite understand the syntax.” Nick Kew agrees with Rich. On Nick’s blog NIQ’s Soapbox, his posting “Putting ones money where ones mouth is ….” had this to say, “The highlight of today was Ivan Ristic’s mod_security talk: that module is getting seriously interesting.”

If you are interested in hearing more about ApacheCon, the keynote sessions have been made available for free off the Linux Magazine web site. The available presentations consist of:

• Jim Jagielski, Chairman of the Apache Software Foundation, starts off with his talk “State of the Feather.” To quote from the program, “Join ASF Chairman Jim Jagielski for a review of events and progress over the last 12 months within the Apache Software Foundation. Jim will detail the growth of the ASF, both in members as well as projects, discuss the noteworthy achievements of the ASF during that time period, and preview what the next 12 months likely hold for the pre-eminent open source foundation.“
• Cliff Schmidt, Executive Director of Literacy Bridge, discusses “Using Audio Technology and Open Content to Reduce Global Illiteracy.” To quote from the program, “During this talk, Cliff will share his observations from Ghana and discuss Literacy Bridge’s Talking Book Project. Literacy Bridge was founded to empower children and adults with tools for scalable knowledge sharing and literacy learning. The Talking Book Project is Literacy Bridge’s major program, developing new and affordable digital audio technology to provide vital, locally generated information and literacy training to people with limited access to either.”
• Rishab Aiyer Ghosh, Open Source Initiative Board Member, presents “Apache and Steam Engines: the Magic of Collaborative Innovation.” To quote from the program, “Rishab looks at collaborative model of creativity, from 18th century steam engines to the human genome project and discusses why and how collaborative creativity works. Using data from the FLOSS studies, he shows how this makes free software a continuing source of economic value and innovation around the world.”
• Roy Fielding, Co-founder of The Apache Software Foundation, and Vice President, Apache HTTP Server, discussed “Apache 3.0 (a Tall Tale)”. To quote from the program, “Thirteen years ago, the Apache Group founders finished the first beta release of Apache httpd, having reached the end of their initial pile of small improvements, and began to look forward to a complete rewrite of the server architecture. Suddenly, our forward progress slowed to a trickle, mailing list traffic dropped by two-thirds, and our focus diverged…Today, we face a new chasm, and our past successes have only made it wider and deeper than before. This talk is about the other side.“

I am with Rich and Nick, Ivan’s work with ModSecurity is extremely interesting and we will build towards implementing it. First, we need to start simple for there are many steps in the process. This post will provide references for setting up an Apache server, followed by a simple implementation. For additional information, particularly in the area of security, see my previous post “Securing Apache: References.”

Some folks might ask, “why not simply install XAMPP or MAMPP (depending on your system)?” Installing binaries is one way to go. With something as important as the web server, taking the easiest path is not necessary the best option. Compiling from source provides the most power and flexibility to change things according to your priorities. You gain control over such issues as compile time options, modules, and when to upgrade (verses waiting for security patches and upgrades to come out in binary format). While it might not be the easiest path, it is vital in learning what is going on with your system and helping avoid integration problems in the future.

Documents and Articles

Below are a few documents and articles that are most helpful when setting up Apache.

• Apache Security by Ivan Ristic. When it comes to the Apache web server, Ivan is the man to listen to. His book, truly is the complete guide to securing your Apache web server. It is an excellent resource.
• Compiling and Installing document created by The Apache Software Foundation. A great deal of information on Apache is available, not surprisingly, off the Apache HTTP server site.
• Securing Apache 2: Step-by-Step by Ivan Ristic. This is a shorter, more compact article appearing in SecurityFocus.
• Security Tips document created by The Apache Software Foundation. A very good source of information on securing the Apache HTTP server. The best place to go to ensure you have the most up-to-date information on securing the server.

Benchmarks

The Center for Internet Security is a non-profit enterprise that helps develop security configuration benchmarks. The stated mission of CIS is to “reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.” They have created the document “CIS Level 1 & 2 Benchmark and Scoring Tool for the Apache Web Server.” The document was last updated, as of this writing, on January 2008. The download file consists of:

• CIS_Apache_Benchmark_v2.1.pdf – the Benchmark document contains detailed instructions for implementing the steps necessary for CIS Level 1 and Level 2 sec.
• cis_score_tool_apache_v2.10.sh.gz – a Host-based Scoring Tool scores the security of a system against the Benchmark and creates a variance report.

Additional information is available off the site.

Forums and Blogs

Most of the forums and blogs that I am familiar with deal with security issues involved with web servers. See my “Securing Apache: References” post for those links.

Installing Apache

If Apache was not installed with your operating system, or if you wish to compile from source, you will need to download the latest Apache from the Apache web site. For this document, I will go through pulling down Apache version 2.2. Please consult the Apache HTTP Server Version 2.2 Compiling and Installing documentation for additional information.

 root# cd /usr/local/src
 /usr/local/src root# wget http://mirrors.isc.org/pub/apache/httpd/httpd-2.2.8.tar.gz
 /usr/local/src root# tar xzf httpd-2.2.8.tar.gz

At this point, you need to check the integrity. There as two ways to do this. First, is by calculating the MD5 sum of the source and comparing it to the signature file. Mac OS X users, please note use the command /sbin/md5 instead of md5sum.

 /usr/local/src root# md5sum httpd-2.2.8.tar.gz
39a755eb0f584c279336387b321e3dfc  httpd-2.2.8.tar.gz

 /usr/local/src root# wget -O - -q http://www.apache.org/dist/httpd/httpd-2.2.8.tar.gz.md5
39a755eb0f584c279336387b321e3dfc  httpd-2.2.8.tar.gz

The second method, uses public-key cryptography to verify the integrity of the files. This is more complicated, but more secure. The MD5 sums can be circumvented if an intruder compromises the main distribution site and replaces the signature files. Using public-key cryptography can be done using GnuPG, the free software version of the OpenPGP. Most Unix systems has it installed by default. The installation is fairly straight forward, no matter what OS you are using:

1. Install GnuPG. For Mac OS X, you would want to install Mac GnuPG. For Windows, you will need WinPT.
2. Optionally, under Unix you might want to install a graphical front-end for GnuPG.
3. Generate a pair of keys.

Apache developers use their cryptographic keys to sign the distributions digitally. We are going to download the PGP signature, fetch the GnuPG unique key ID (DE885DD3), and then check the signature.

 /usr/local/src root# wget http://www.apache.org/dist/httpd/httpd-2.2.8.tar.gz.asc
 /usr/local/src root# gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3
gpg: requesting key DE885DD3 from HKP keyserver pgpkeys.mit.edu
gpg: trustdb created
gpg: key DE885DD3: public key "Sander Striker " imported
gpg: Total number processed: 1
gpg:               imported: 1

 /usr/local/src root# gpg httpd-2.2.8.tar.gz.asc
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Good signature from "Sander Striker "
gpg:                 aka "Sander Striker "
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Fingerprint: 4C1E ADAD B4EF 5007 579C  919C 6635 B6C0 DE88 5DD3

 /usr/local/src root# gpg --fingerprint DE885DD3
pub  1024D/DE885DD3 2002-04-10 Sander Striker 
     Key fingerprint = 4C1E ADAD B4EF 5007 579C  919C 6635 B6C0 DE88 5DD3
uid                            Sander Striker 
sub  2048g/532D14CA 2002-04-10

To verify DE885DD3 was created by the real Sander Striker, download public keys for the Apache HTTP Server developers from the Apache HTTP Server Project website. Officially, you should validate by face-to-face communication with multiple government-issued photo identification confirmations. Trust can be a complicated issue. For more information on determining what level of trust, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.

Let us get back to compiling Apache.

 /usr/local/src root# cd httpd-2.2.8
 /usr/local/src/httpd-2.2.8 root# ./configure --prefix=/usr/local/apache
 /usr/local/src/httpd-2.2.8 root# make
 /usr/local/src/httpd-2.2.8 root# make install

There is more to be done. The above configuration was to help in determining the Apache modules that are compiled be default. The following modules, should not be used unless needed:

The following modules will be require for use with later postings. If you are sure you do not need theses modules, do not include them, and make sure not to include them in the below configuration.

To determine which modules would be installed by default, issue the following command.

 /usr/local/src/httpd-2.2.8 root# ./httpd -l
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_include.c
  mod_filter.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c

Now, we are going to change the modules that get installed. We are going to add Secure Sockets Layer (SSL) support with the “–enable-ssl” switch. In a later post, we will discuss how to use this cryptographic protocols to provide secure communications between clients and our web browser. Unless you are sure you do not want SSL support, include the “–enable-ssl” switch.

For folks compiling on Mac OS X 10.5, the “–enable-ssl” switch will give you problems. As of this writing, Leopard is using OpenSSL version 0.9.71 from September 2006. There have been some changes made since then. You could upgrade, but as mentioned before, you do not know what installed software is dependent on that library. It would be nice if Apple had upgraded with the release of a new OS, but you have to play the cards Steve Jobs has dealt. The MacPorts Project have the latest version of OpenSSL, 0.9.8g from October 2007. In order to get Apache to compile, I would recommend using the most recent OpenSSL library. If you need help with MacPorts, please see my posting “MacPorts Under Mac OS X Leopard.” Special Mac OS X installation instruction follow.

For non Mac OS X operating systems, do the following to configure, compile and install Apache:

 /usr/local/src/httpd-2.2.8 root# make clean
 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache
 /usr/local/src/httpd-2.2.8 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
./configure --prefix=/usr/local/apache \
--enable-rewrite \
--enable-so \
--disable-imap \
--disable-userdir --with-mpm=worker --enable-ssl
 /usr/local/src/httpd-2.2.8 root# make
 /usr/local/src/httpd-2.2.8 root# make install

For Mac OS X, you need to tell the compiler which libraries to use so the more recent OpenSSL is used. Do that with the following commands:

 /usr/local/src/httpd-2.2.8 root# make clean
 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache
 /usr/local/src/httpd-2.2.8 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
./configure --prefix=/usr/local/apache --enable-rewrite \
--enable-so --disable-imap --disable-userdir \
--with-mpm=worker --enable-ssl
 /usr/local/src/httpd-2.2.8 root# make
 /usr/local/src/httpd-2.2.8 root# make install

Configuration

It is time to configure and make the Apache server more secure. Ivan Ristic have made available “Chapter 2: Installation and configuration.” Follow the chapter, do not just copy. For demonstration purposes, I’ll be using what is written in that chapter to configure the Apache web server. There are various configuration options and you want to configure the server for your environment. It is very important to understand what is contained in your configuration file.

Create the user and group httpd, from which the Apache web server will run. Under most versions of Unix (not Mac OS X), this is a simple matter of executing the following commands:

 /usr/local/src/httpd-2.2.8 root# cd /usr/local/apache
 /usr/local/apache root# /usr/sbin/groupadd httpd
 /usr/local/apache root# /usr/sbin/useradd httpd -g httpd -d /dev/null -s /sbin/nlogin

Under Mac OS X, there is no groupadd or useradd command. Things are always more interesting under Mac OS X. Prior to Leopard (10.5), you would have to determine which group ids (gid) have been used, choose an unused gid, and then create the httpd group using that gid. This would be accomplished with the commands:

 root# nireport . /groups gid name
 root# nicl . -create /groups/httpd
 root# nicl . -append /groups/httpd unique-gid
 root# nicl . -append /groups/httpd passwd "*"
 root# nireport . /groups gid name

Once creating the group, you would need to create a new user by finding an unused uid, create the user, fill in the user attributes, add a password, create a home area, and finally set permissions. This would be accomplished with the commands:

 root# nireport / /users name uid
 root# niutil -create / /users/httpd
 root# niutil -createprop / /users/httpd uid uid-from-above
 root# niutil -createprop / /users/httpd gid gid-from-above
 root# niutil -createprop / /users/httpd realname "Web Server"
 root# niutil -createprop / /users/httpd home "/dev/null"
 root# niutil -createprop / /users/httpd shell "/sbin/nologin"
 root# niutil -createprop / /users/httpd passwd "*"

NetInfo, the system configuration database, no longer exists in Mac OS X 10.5 (Leopard). The entire structure for managing local users, groups, and other such things has been completely replaced by Local Directory Services. In Leopard, the DirectoryService daemon does the job of the DirectoryService, lookupd, and the memberd daemons. Please see previous posting, “Backing Up Using Amanda on Mac OS X Leopard Part I” for additional details. There is now a command line utility dscl to perform some advanced functions formerly covered by NetInfo Manager. Creating the group httpd and user httpd would be done with the following commands:

 root# dscl . list /groups PrimaryGroupID | sort -k 2,2 -n
 root# dscl . create /groups/httpd gid gid-of-httpd
 root# dscl . create /groups/httpd passwd '*'
 root# dscl . read /groups/httpd
AppleMetaNodeLocation: /Local/Default
Password: *
PrimaryGroupID: gid-of-httpd
RecordName: httpd
RecordType: dsRecTypeNative:groups

 root# dscl . list /users UniqueID | sort -k 2,2 -n
 root# dscl localhost -create /Local/Default/Users/httpd
 root# dscl localhost -create /Local/Default/Users/httpd RecordName httpd
 root# dscl localhost -create /Local/Default/Users/httpd UserShell /sbin/nologin
 root# dscl localhost -create /Local/Default/Users/httpd RealName "Web Server"
 root# dscl localhost -create /Local/Default/Users/httpd UniqueID a-unique-uid
 root# dscl localhost -create /Local/Default/Users/httpd PrimaryGroupID gid-of-httpd
 root# dscl localhost -create /Local/Default/Users/httpd NFSHomeDirectory /dev/null
 root# dscl . read /users/httpd
AppleMetaNodeLocation: /Local/Default
GeneratedUID: generated-unique-id
NFSHomeDirectory: /dev/null
PrimaryGroupID: gid-of-httpd
RealName:
 Web Server
RecordName: httpd
RecordType: dsRecTypeNative:users
UniqueID: a-unique-uid
UserShell: /sbin/nologin

As part of the installation, the file /usr/local/apache/conf/httpd.conf is created. Move that configuration for safe keeping and start with an empty configuration file. Add the required functionality to ensure only the needed directives and modules are included. Also, adjust file permissions. Mac OS X users note that there is no group “root.” Please use the group “admin” instead.

 /usr/local/src/httpd-2.2.8 root# cd /usr/local/apache
 /usr/local/apache root# mv /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.orig
 /usr/local/apache root# chown -R root:root /usr/local/apache
 /usr/local/apache root# find /usr/local/apache -type d | xargs chmod 755
 /usr/local/apache root# find /usr/local/apache -type f | xargs chmod 644
 /usr/local/apache root# chmod u+x  /usr/local/apache/bin/*
 /usr/local/apache root# mkdir -p /var/www/logs
 /usr/local/apache root# mv /usr/local/apache/htdocs /var/www/htdocs
 /usr/local/apache root# find /var/www/ -type d | xargs chmod 755
 /usr/local/apache root# find /var/www/ -type f | xargs chmod 644
 /usr/local/apache root# chmod -R go-r /usr/local/apache/conf
 /usr/local/apache root# chmod -R go-r /usr/local/apache/logs
 /usr/local/apache root# chmod -R go-r /var/www/logs
 /usr/local/apache root# vi /usr/local/apache/conf/httpd.conf

Create a configuration file /usr/local/apache/conf/httpd.conf similar to the following file (adjust to your requirements):

# Location of the web server files
ServerRoot /usr/local/apache
# Location of the wev server tree
DocumentRoot /var/www/htdocs
# Listen on which port
Listen 80
# Store the PID of the main Apache process
PidFile /var/www/logs/httpd.pid
# Do not enables DNS lookups on client IP addresses
HostNameLookups Off
#
User httpd
Group httpd
# Deny access to the complete filesystem and then allow access
# to the document root.
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www/htdocs>
Order Allow,Deny
Allow from all
</Directory>
# Enable CGI Scripts
<Directory /var/www/cgi-bin>
Options ExecCGI
SetHandler cgi-script
</Directory>
# Logging
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/www/logs/access_log combined
LogLevel info
ErrorLog /var/www/logs/error_log
# Setting Server Configuration Limits
# wait up to 300 seconds for slow clients
TimeOut 60
# allow connections to be reused between requests
KeepAlive On
# allow a maximum of 100 requests per connection
MaxKeepAliveRequests 100
# wait up to 15 seconds for the next
# request on an open connection
KeepAliveTimeout 15
# impose no limits on the request body
LimitRequestBody 64000
# allow up to 100 headers in a request
LimitRequestFields 100
# each header may be up to 8190 bytes long
LimitRequestFieldsize 8190
# the first line of the request can be
# up to 8190 bytes long
LimitRequestLine 8190
# limit the XML request body to 1 million bytes(Apache 2.x only)
LimitXMLRequestBody 1000000
# the maximum number of processes
ServerLimit 16
# how many processes to start with
StartServers 2
# how many threads per process to create
ThreadsPerChild 25
# minimum spare threads across all processes
MinSpareThreads 25
# maximum spare threads across all processes
MaxSpareThreads 75
# maximum clients at any given time
MaxClients 150
# Preventing Information Leaks
ServerSignature Off
ServerTokens ProductOnly
<FilesMatch "(^\.ht|~$|\.bak$|\.BAK$)">
Order Allow,Deny
Deny from all
</FilesMatch>

At this point, you are ready to bring up the Apache web server. Clean up any unnecessary files.

 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache/cgi-bin
 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache/manual
 /usr/local/src/httpd-2.2.8 root# /usr/local/apache/bin/apachectl configtest
 /usr/local/src/httpd-2.2.8 root# /usr/local/apache/bin/apachectl start

If you have any problems, take a look at /var/www/logs/error_log. This is a very basic and clean Apache web server configuration. It is a starting point from which we will build upon in future postings.

Conclusion

I started this post with a quote from William Faulkner concerning how “only when the clock stops does time come to life.” Or if you prefer the despair.com quote, “Get to work: You aren’t being paid to believe in the power of your dreams.” I’ll be honest with you, doing a post on Apache implementation is not my idea of an exciting post. I would much rather jump ahead and start talking about securing web applications at a higher level. Sometimes, one has to build up to the more exciting stuff in order to demonstrate that one is not just selling pipe dreams with no real way to make those ideas a reality. That is the difference between science and science fiction. Bernard of Chartres once wrote, “We are like dwarfs standing upon the shoulders of giants, and so able to see more and see farther than the ancients.” Only the hard work of the ancients has allowed us to see further and dream bigger. At some point, to make those dreams a reality, getting to work in the annoying details of life is a requirement.

With my recent post, “Introduction to SQLite,” I have received some questions concerning MySQL. Many fine books have been written on MySQL and those books cover MySQL much better than a simple blog post could ever hope to do. Still, there are some interesting links that might be useful for those looking to setup a MySQL server. The purpose of this post is to introduce the reader to sources of information on MySQL and follow up with some basic installation instructions. The sources linked in this post will provide a starting point to find additional in-depth discussions on MySQL.

Theres is no definitive source of information for MySQL. No “Hitchhikers Guide to MySQL.” The closest source fitting that description would be, “MySQL 5.0 Reference Manual.” While it contains a wealth of information, it is somewhat boring. The good news is a wealth of information from different sources does exist. These sources focus in on different areas of interest, allowing you to access material on what is important to you. While Douglas Adams might not have been involved in writing any MySQL references, at least you can choose to delve into details on topics that interest you in formats that may hold your attention (books, articles, podcasts, slides, videos).

Documents and Articles

There is nothing like the printed document when doing an installation, even if it is in electronic format. As Prof. Joseph M. Jacobson once stated, “If books had been invented after the computer, they would have been considered a big breakthrough. Books have several hundred simultaneous paper-thin, flexible displays. They boot instantly. They run on very low power at a very low cost.” Below are a few documents and articles that are most helpful when setting up MySQL.

• MySQL 5.0 Reference Manual – the best place to start is the reference manual. Generally, I prefer printed version verses accessing material online. Since the reference manual is 2372 pages, I would suggest keeping to the electronic version. In relation to security, please pay particular attention to:
  • 2.9. MySQL Installation Using a Source Distribution.
  • 5.3. General Security Issues.
  • 5.4. The MySQL Access Privilege System.
  • 5.5. MySQL User Account Management.
• Center for Internet Security Benchmark for MySQL Versions 4.1, 5.0, and 5.1 Community Editions by Mike Eddington, Leviathan Security Group.
• MySQL: The Complete Reference, chapter 14: Security, Access Control, and Privileges by Vikram Vaswani.
• 10 steps to fortify the security of your MySQL installation.
• Securing MySQL: step-by-step by Artur Maj.
• Secure MySQL Database Design by Kristy Westphal.
• Security and the real world by Kristian Köhntopp.
• How MySQL Treats Security Vulnerabilities by Kaj Arno.
• Getting started with MySQL Proxy by Giuseppe Maxia.

Forums and Blogs

Documents and articles are great, but frequently they can become out of date. While most details remain the same even after versions advance or the software is implemented under different operating systems, the devil is always in the details. Forums and blogs are a good source for finding resolution to those annoying details that can stop an installation cold. Below is a listing of a few forums and blogs that might be of great help if you run into one of those devilish details.

• MySQL Forums – this forum is off the MySQL site and there are many forums of special interest, including a Security Forum. If you run into problems with the installation, there is an Install Forum.
• Planet MySQL – offers blogs, news, and opinions on MySQL. If you try to access blogs.mysql.com, you will be redirected to planetmysql.org.
• Sheeri by Sheeri Kritzer Cabral, MySQL and Oracle DBA for The Pythian Group. Also see her podcast, OurSQL MySQL Database Podcast.
• Roland Bouman’s blog, by Roland Bouman, Training Course Curriculum Developer for MySQL AB and contributor to O’Reilly Databases site.
• The Data Charmer by Giuseppe Maxia, Database Analyst and Designer. Contributor to O’Reilly Databases site (and a whole lot more).
• MikeKruckenbery by Mike Kruckenberg, coauthor of Pro MySQL.
• MySQL-dump.
• MyQSL QA by Jonathan Miller, Senior Lead Quality Assurance Developer.
• MySQL Musings by Mats Kindahl, lead developer at MySQL with replication as main focus.
• Senior MySQL DBA Blog by Farhan Mashraqi.
• MySQL Performance Blog by Peter Zaitsev.

Slides/Videos

One of the more interesting way to view information on many a topic is through having it given in a presentation. The speaker has to reduce topics to bullet points and hopefully do the presentation in an interesting and informative manner. While many of the below presentations were given at conferences and user groups across the planet, the presentations have been generously provides for online access. Below are a few videos and slides to serve as an introduction on MySQL topics.

• MySQL Basics by Chad Godfirnon
• An Overview of the MySQL Engine and its Latest Features by Timour Katchaounov
• 5.1 In Depth by Brian Aker
• A Googly MySQL Cluster Talk by Stewart Smith
• Performance Tuning Best Practices for MySQL by Jay Pipes, co-author of Pro MySQL (Apress, 2005)
• MySQL Community Meetup: MySQL Proxies by Alan Kasindorf
• MySQL Backups by Sheeri Kritzer
• Scalability: YouTube Scalability by Cuong Do Cuong
• MySQL Security by Sheeri Kritzer Cabral
• Testing the Security of Your Site by Sheeri Kritzer Cabral
• Auditing MySQL for Security and Compliance by Mehlam Shakir
• Why Are Databases So Hard To Secure? by Sheeri Kritzer Cabral
• Best Practices for Securing MySQL 5.0 by Jimmy Guerrero, Senior Product Manager, MySQL AB
• 2007 MySQL User Conference And Expo Presentations and Videos

Installing MySQL

Many operating systems come with MySQL already installed. If MySQL is not installed, download it from the MySQL download page. In addition to the sources above, documentation on installation for particular operating systems can be found on the MySQL Documentation page. There are instruction for:

• Installing on Windows
• Installing from RPM Packages on Linux
• Installing on Mac OS X
• Installing on Solaris
• Installing on Netware
• Installing from tar.gz Packages on Other Unix-Like Systems
• Installation Using a Source Distribution

Once installed, there is much more configuration than can be adequately covered in a blog post. The below instructions are meant as a demonstration on what is involved in the installation of MySQL. Please refer to MySQL installation documentation, books, and other information source for full details particular to your setup.

Additional steps may be taken to better secure the database. For example, it may be desirable to chrooting the MySQL server. The instructions below do not include those steps. Please see Artur Maj excellent article for additional information. The decisions to setup such an environment depends greatly on how the database will be used. Defense in depth is a great strategy, but security cannot be implemented without understanding. One has to be careful not to add so many layers of security that implementation becomes impossible. Under some circumstances, chrooting the MySQL server is a valid strategy. That is not the case in all environments and uses.

The option for the zlib compression library will be used in this installation based on future requirements for the database. On most operating systems, zlib is installed under the /usr directory (/usr/lib, /usr/include). Make sure zlib is installed on your system.

If your get the error message “Cannot find libmysqlclient_r under /usr/local/mysql” it is because your client programs are using threads. You need to compile a thread-safe version of the MySQL client library using the –enable-thread-safe-client configure option. This creates a libmysqlclient_r library with which you should link your threaded applications. For additional information, see the MySQL documentation “Section 26.2.16. How to Make a Threaded Client.”

The MYSQL team compiles Mac OS X with the following configuration:

CC=gcc CFLAGS="-O3 -fno-omit-frame-pointer" CXX=gcc \
CXXFLAGS="-O3 -fno-omit-frame-pointer -felide-constructors \
    -fno-exceptions -fno-rtti" \
    ./configure --prefix=/usr/local/mysql \
    --with-extra-charsets=complex --enable-thread-safe-client \
    --enable-local-infile --disable-shared

This is close to what we will be using, with a few changes. The configuration option –enable-local-infile allows “LOAD DATA LOCAL” to be used. See MySQL documentation “5.3.4. Security Issues with LOAD DATA LOCAL” for reasons this may not be desirable. The -fno-omit-frame-pointer Indicates whether the compiler should use the frame pointer for IA32 (Intel Architecture, 32-bit). The option -felide-constructors tells the C++ compiler to use elide constructors when this plausible. Error detection is done through the -fno-rtti -fno-exceptions options. The –with-extra-charsets=complex adds code to all standard programs that enables them to handle latin1 and all multi-byte character sets within the binary. For our purpose, this is not needed. The –disable-shared option disables the use of shared libraries.

The below instructions are meant to show the basic steps in setting up a MySQL database. Additional steps may be required depending on your requirements. The additional sources provided in this post are meant to provide assistance in determining solutions for the requirements of your environment.

 root# cd /usr/local/src
 /usr/local/src root# groupadd mysql
 /usr/local/src root# useradd -g mysql mysql
 /usr/local/src root# wget \

http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-5.0.51a.tar.gz\

/from/http://mirror.services.wisc.edu/mysql/
 /usr/local/src root# /sbin/md5 mysql-5.0.51a.tar.gz
MD5 (mysql-5.0.51a.tar.gz) = a83dbdbb91267daf73d2297a9c283dd1
 /usr/local/src root# mkdir /usr/local/mysql-5.0.51a
 /usr/local/src root# ln -s /usr/local/mysql-5.0.51a /usr/local/mysql
 /usr/local/src root# tar xzf mysql-5.0.51a.tar.gz
 /usr/local/src root# cd mysql-5.0.51a
 /usr/local/src/mysql-5.0.51a root# CC=gcc \
      CFLAGS="-O3 -fno-omit-frame-pointer" \
      CXX=gcc CXXFLAGS="-O3 -fno-omit-frame-pointer \
       -felide-constructors -fno-exceptions -fno-rtti" \
       ./configure --prefix=/usr/local/mysql \
       --enable-assembler \
       --with-mysqld-ldflags=-all-static \
       --enable-thread-safe-client \
       --with-zlib-dir=/usr
 /usr/local/src/mysql-5.0.51a root# make
 /usr/local/src/mysql-5.0.51a root# make test
 /usr/local/src/mysql-5.0.51a root# make install
 /usr/local/src/mysql-5.0.51a root# scripts/mysql_install_db --user=mysql
 /usr/local/src/mysql-5.0.51a root# cd /usr/local/mysql
 /usr/local/mysql root# chown -R root .
 /usr/local/mysql root# chgrp -R mysql .
 /usr/local/mysql root# chown -R mysql var

At this point, you will want to add the mysql binaries to your PATH, start up the MySQL server, and run the mysql_secure_installation command.

 /usr/local/mysql root# export PATH="/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin:/usr/local/mysql/bin"
 /usr/local/mysql root# bin/mysqld_safe --user=mysql &
 /usr/local/mysql root# /usr/local/mysql/bin/mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] Y
New password: SecretPassword
Re-enter new password: SecretPassword
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

 /usr/local/mysql root# mysql -u root -p

Please do not use SecretPassword as the root account password. That is used only to demonstrate a password is entered. If you ever need to grant full access to a particular database (say snort) to user (say snortadmin) do the following:

 /usr/local/src root# mysql -u root -p
 mysql> create database snort;
 mysql> GRANT ALL PRIVILEGES ON snort.* TO
    'snortadmin'@'localhost' IDENTIFIED BY 'newpasswd' WITH GRANT OPTION;

Now, shutdown the MySQL server, create a MySQL configuration file, and finally bring the server back up. Depending on your sites requirement, you may want to set a few security variables in the MySQL configuration file:

skip-networking
skip-show-database
secure-auth
safe-user-create
skip-automatic_sp_privileges
set-variable=local-infile=0

Generally, you want to build a server configuration file with only the commands required to run the server in the manner you desire. For simplicity, and to keep this post size from becoming too large, we are going to copy an existing MySQL configuration file from support-files to a default location of /etc/my.cnf. That file will be modified. The “skip-networking” line will limit access to the MySQL database to local communication only through the mysql.sock socket. The “skip-show-database” line will limit the SHOW DATABASES statement only to users who have the SHOW DATABASES privilege. The “secure-auth” line dsallow authentication by clients that attempt to use accounts that have old (pre-4.1) passwords. With the “safe-user-create” line a user cannot create new MySQL users by using the GRANT statement unless the user has the INSERT privilege for the mysql.user table or any column in the table. With the line “skip-automatic_sp_privileges” the server does not automatically add and drop the EXECUTE and ALTER ROUTINE privileges to the creator of a stored routine, if the user cannot already execute and alter or drop the routine.

There is an option to run MySQL with the –secure-file-priv=path option limits the effect of the LOAD_FILE() function and the LOAD DATA and SELECT … INTO OUTFILE statements to work only with files in the specified directory. You can also disable the use of LOAD DATA LOCAL INFILE command by adding the line “set-variable=local-infile=0.” MySQL clients and libraries in binary distributions are compiled with the –enable-local-infile option, to be compatible with MySQL 3.23.48 and before. When we configured from source, we did not include the –enable-local-infile option.

First, we should confirm that the MySQL server is running on port 3306. Then, we will modify the MySQL configuration file adding the lines discussed above, restart the MySQL server, and confirm the changes have been made.

 /usr/local/src root# lsof -i TCP:3306
COMMAND   PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
mysqld  56676 _mysql   10u  IPv4 0x91abe64      0t0  TCP *:mysql (LISTEN)

 /usr/local/src root# /usr/local/mysql/bin/mysqladmin -u root -p shutdown
 /usr/local/src root# cd /usr/local/src/mysql-5.0.51a
 /usr/local/src/mysql-5.0.51a root# cp support-files/my-medium.cnf /etc/my.cnf
 /usr/local/src/mysql-5.0.51a root# chown root:sys /etc/my.cnf
 /usr/local/src/mysql-5.0.51a root# chmod 640 /etc/my.cnf
 /usr/local/src/mysql-5.0.51a root# vi  /etc/my.cnf 

Add the lines above under the [mysqld] section.
Comment out the "port = 3306" lines.

 /usr/local/src/mysql-5.0.51a root# cd /usr/local/mysql
 /usr/local/mysql root# bin/mysqld_safe --user=mysql &
 /usr/local/mysql root# lsof -i TCP:3306
 /usr/local/mysql root# ls -la /tmp/mysql.sock
 /usr/local/mysql root# mysql -u root -p

The final command “lsof -i TCP:3306″ should confirm that the “skip-networking” line in /etc/my.cnf stopped MySQL from listening on port 3306. The command “/tmp/mysql.sock” will confirm the creation of the file for local communication. If you created the user “snortadmin” you can confirm the “skip-show-database” command and that we cannot load a local file into the database.

 root# mysql -u snortadmin -p
 mysql> show databases;
ERROR 1227 (42000): Access denied; you need the SHOW DATABASES privilege for this operation
 mysql> use snort;
 mysql> create table test (fulltxt TEXT);
 mysql> LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test;
ERROR 1148 (42000): The used command is not allowed with this MySQL version

Perl and MySQL: DBD::mysql and DBI

Many operating systems will have DBD::mysql installed. The binary distribution for the operating system and version of the MySQL can be downloaded and installed. The following instruction on the configuration, compilation, and installation of the source is provided as one example of how the Perl modules DBD::mysql and DBI can be installed. When upgrading the MySQL database, make sure to reinstall DBD::mysql.

 root# cd /usr/local/src
 /usr/local/src root# wget http://search.cpan.org/CPAN/\
 authors/id/C/CA/CAPTTOFU/DBD-mysql-4.006.tar.gz
 /usr/local/src root# wget http://search.cpan.org/CPAN/\
 authors/id/T/TI/TIMB/DBI-1.604.tar.gz
 /usr/local/src root# tar xzf DBD-mysql-4.006.tar.gz
 /usr/local/src root# tar xzf DBI-1.604.tar.gz
 /usr/local/src root# cd DBI-1.604
 /usr/local/src/DBI-1.604 root# perl Makefile.PL
 /usr/local/src/DBI-1.604 root# make
 /usr/local/src/DBI-1.604 root# make test
 /usr/local/src/DBI-1.604 root# make install
 /usr/local/src/DBI-1.604 root# cd ../DBD-mysql-4.006
 /usr/local/src/DBD-mysql-4.006 root# perl Makefile.PL
 /usr/local/src/DBD-mysql-4.006 root# make
 /usr/local/src/DBD-mysql-4.006 root# make test
 /usr/local/src/DBD-mysql-4.006 root# make install

Additional Sources

Below are a few sources of information with continously changing content.

• Developer Articles
• O’Reilly ONLamp
• O’Reilly Databases Site
• Database Journal
• Dev Shed
• SitePoint

Conclusions

There are many more tools and much more information available on MySQL. The above sources are meant only as a starting point. As Confucius once wrote, “a journey of a thousand miles begins with a single step.” Or if you prefer Jules Bass, “Put one foot in front of the other and soon you’ll be walking cross the floor.” You do not need to have watched each video, gone through each presentation, read every document, nor be familiar with the content on every blog concerning MySQL in order to begin working with MySQL. One has to start somewhere. The best piece of advice is simply take one step at a time and start now. In the immortal words of Meredith from Grey’s Anatomy, “The early bird catches the worm; a stitch in time saves nine. He who hesitates is lost. We can’t pretend we haven’t been told. We’ve all heard the proverbs, heard the philosophers, heard our grandparents warning us about wasted time, heard the damn poets urging us to ‘seize the day’. Still sometimes we have to see for ourselves. We have to make our own mistakes. We have to learn our own lessons. We have to sweep today’s possibility under tomorrow’s rug until we can’t anymore, until we finally understand for ourselves like Benjamin Franklin meant. That knowing is better than wondering; that waking is better than sleeping. And that even the biggest failure, even the worst most intractable mistake beats the hell out of never trying.”

Unfortunately, when it comes to installing software, secure design is often the last consideration. I know a gentleman who frequently will state, “I just have to get this done.” When it comes to software installation, he will find packages that will take care of the installation of the software for him. Unfortunately, frequently those packages are design to cause the least problems installing on as many varied systems as possible. Now consider what an importance role that the database plays. Should you not invest some time in configuring it correctly and learning how to properly manage the database?

Like my previous posting, “Securing Apache: References,” I wanted to start off by providing references. My focus is on the security aspects of setting up MySQL. This posting will be followed by a hands on step-by-step posting. The below references will provide a great deal more information than I could ever provide in blog postings. I am only trying to point the way to greater understanding.

Documents and Articles

Podcasts, blogs, and forums are great ways to get specific information. A document, such as a reference manual, will provide a better breadth of coverage. For this reason, when starting any project, I like to start out with documents, books, and articles. Articles are good in that the tend to be somewhat authoritative, and lead to additional articles within the magazine/site.

• MySQL 5.1 Reference Manual – the best place to start is the reference manual. Generally, I prefer printed version verses accessing material online. Since the reference manual is 2372 pages, I would suggest keeping to the electronic version. In relation to security, please pay particular attention to:
  • 2.9. MySQL Installation Using a Source Distribution.
  • 5.3. General Security Issues.
  • 5.4. The MySQL Access Privilege System.
  • 5.5. MySQL User Account Management.
• Center for Internet Security Benchmark for MySQL Versions 4.1, 5.0, and 5.1 Community Editions by Mike Eddington, Leviathan Security Group.
• MySQL: The Complete Reference, chapter 14: Security, Access Control, and Privileges by Vikram Vaswani.
• 10 steps to fortify the security of your MySQL installation.
• Securing MySQL: step-by-step by Artur Maj.
• Secure MySQL Database Design by Kristy Westphal.
• Security and the real world by Kristian Köhntopp.
• How MySQL Treats Security Vulnerabilities by Kaj Arno.
• Getting started with MySQL Proxy by Giuseppe Maxia.

Web Seminars and Podcasts

The MySQL site does offer on-demand web seminars. Of particular interest is “Best Practices for Securing MySQL 5.0” by Jimmy Guerrero, Senior Product Manager, MySQL AB. Sheeri Kritzer Cabral (blog site listed below) made available her presentation to the Boston MySQL user group, titled “MySQL Security“. Sheeri has also made available her podcast, “Basic MySQL Security.” The OurSQL MySQL Database Podcast is a very interesting podcast. It is a great way to keep informed on MySQL. Sheeri will be presenting at the MySQL Conference and Expo “Database Security Using White-Hat Google Hacking.” It should be a great talk.

Forums and Blogs

While most of these forums and blogs might not focus on security, blogs can having postings on a variety of topics. There are many more great MySQL blogs. The list below were chosen because they had some security posts and/or the blogger had written articles, did presentations, or in some way indicated an awareness of security.

• MySQL Forums – this forum is off the MySQL site and there are many forums of special interest, including a Security Forum. If you run into problems with the installation, there is an Install Forum.
• Planet MySQL – offers blogs, news, and opinions on MySQL. If you try to access blogs.mysql.com, you will be redirected to planetmysql.org.
• Sheeri by Sheeri Kritzer Cabral, MySQL and Oracle DBA for The Pythian Group. Also see her podcast, OurSQL MySQL Database Podcast.
• Roland Bouman’s blog, by Roland Bouman, Training Course Curriculum Developer for MySQL AB and contributor to O’Reilly Databases site.
• The Data Charmer by Giuseppe Maxia, Database Analyst and Designer. Contributor to O’Reilly Databases site (and a whole lot more).
• MikeKruckenbery by Mike Kruckenberg, coauthor of Pro MySQL.
• MySQL-dump.
• MyQSL QA by Jonathan Miller, Senior Lead Quality Assurance Developer.
• MySQL Musings by Mats Kindahl, lead developer at MySQL with replication as main focus.
• Senior MySQL DBA Blog by Farhan Mashraqi.
• MySQL Performance Blog by Peter Zaitsev.

Sites

A few sites with articles on MySQL that might be of interest. Their focus is not on security or configuration, but the sites are good sources for MySQL information:

• O’Reilly ONLamp.
• O’Reilly Databases Site.
• Database Journal.
• Dev Shed.
• SitePoint.

Wrap Up

The above sources provide not only a good starting point for MySQL secure installation, but a library for help with MySQL operations.

• Apache Security by Ivan Ristic
• Securing Apache 2: Step-by-Step by Ivan Ristic
• Apache HTTP Server Version 2.2: Compiling and Installing
• Apache HTTP Server Version 2.2: Security Tips
• Center for Internet Security Benchmarks for Apache Web Server v2.1 by Ryan Barnett
• Securing Apache Step by Step by Ryan C. Barnett
• ModSecurity Reference Manual
• NIST SP 800-44 v2: Guidelines on Securing Public Web Server by Miles Tracy, Wayne Jansen, Karen Scarfone, and Theodore Winograd
• NIST SP 800-95: Guide to Secure Web Services by Anoop Singhal, Theodore Winograd, and Karen Scarfone
• OWASP WeBekci Project, a web based ModSecurity 2.x management tool.
• REMO, a project to build a graphical rule editor for ModSecurity with a positive/whitelist approach.
• Got Root, the Internets largest source of intrusion prevention signatures and comment spam blacklists for webservers, over 13,000 signatures.

There are two freely available tools for helping with the security of your Apache configuration:

• The CIS Scoring Tool for Apache
• Apache httpd Tools

A coworker was complaining that the majority of information he was finding in blogs was junk. I asked him how was he finding his information. He was doing a regular Google search; not even a Google Blog Search. I understood his pain. George Siemens makes a very interesting distinction between collective intelligence and connective intelligence. Collective intelligence is “a form of intelligence that emerges from the collaboration and competition of many individuals“. George defines connective intelligence as “individual creation of information, ideas, and concepts which are then shared with others, connected, and re-created and extended based on the interaction.”

George goes on to state, “simply, collective means blending together. Connective means connecting while retaining the original (though others may build on it in their own spaces).” Put another way, “the collective presents a melting pot of ideas. The connective represents a mosaic of ideas.” People are surprised when I tell them that I do not read blogs. I read Ivan Ristic, Jeremiah Grossman, Gunnar Peterson, Ryan Barnett, Dafydd Stuttard, etc. My coworker’s problem is that he’s drowning in the melting pot of information provided by collective intelligence. When I read an author I like or come across software I find really useful, I look to see if the authors have a blog. I will then subscribe to their RSS feed, allowing me to make use of connective intelligence.

A few blogs of interest for web application security:

• Ivan Ristic, author of “Apache Security” and principal author of ModSecurity, the open source web application firewall.
• Jeremiah Grossman, author of the CIS Scoring Tool for Apache and founder and Chief Technology Officer of WhiteHat Security.
• Ryan Barnett, author of “Preventing Web Attacks With Apache“, and Director of Application Security Training for Breach Security.
• Dafydd “PortSwigger” Stuttard, co-authof of “The Web Application Hacker’s Handbook” and Principal Security Consultant at NGS Software.
• Gunnar Peterson, Software Security Architect and CTO at Arctec Group.
• Robert “RSnake” Hansen, CEO SecTheory.
• Shreeraj Shah, founder of Blueinfy, a company that provides application security services.
• Billy Hoffman, co-author of “Ajax Security” and lead research engineer with Atlanta-based SPI Dynamics Inc.
• Bryan Sullivan, co-author of “Ajax Security” and developer and security researcher at SPI Dynamics, Microsoft.
• Chris Shiflett, author and speaker who leads the web application security practice at OmniTI.
• Ory Segal, Security Products Architect, Rational, Application Security (Watchfire), IBM.
• Anurag Agarwal, is a senior application security consultant providing expertise on secure development lifecycle and vulnerability assessment. He also manages www.attacklabs.com and www.myappsecurity.com.

I wanted to mention that I started off with the names of several web application professionals. I wanted to include links to their names in this post. As I searched out their names to add a little background blurb, I kept coming across postings from Anurag Agarwal. He has done a great job profiling many of the leaders in web application security. The above list is missing many people and that is entirely my fault. As I stated, the list is of people that I am familiar with and is not meant to be a complete list of web application security professionals.

With these resources at our disposal, we are well positioned to start our quest to secure Apache.