In order to log in to a MySQL server, you can run mysql command along with your login credentials and server’s IP address as arguments. For example:
$ mysql -u $MYSQL_ROOT -p $MYSQL_PASS -h 192.168.10.1
However, besides the inconvenience of typing extra arguments, using plain-text login credentials in a command line like above is really not a secure way to access a MySQL server. In a multi-user Linux environment, what you type in command line can easily be revealed to others who happen to run ps on the same host at the same time.
MySQL offers a way for you to log in to MySQL server without password, by using an external MySQL configuration file. In Linux, there are two different kinds of MySQL configuration files: (1) /etc/my.cnf and (2) ~/.my.conf. While any system-wide MySQL configuration is defined in /etc/my.cnf, any user-specific MySQL configuration is stored in ~/.my.cnf. You can leverage ~/.my.cnf, to define your MySQL login credential in the file.
Make sure to have the configuration file readable to you only.
$ chmod 0600 ~/.my.cnf
Once ~/.my.cnf is created, simply typing mysql command will let you log in to 192.168.10.1 as alice, and you no longer need to provide login password separately.
ProxySQL is an open-source
MySQL proxy server, meaning it serves as an intermediary between a MySQL
server and the applications that access its databases. ProxySQL can
improve performance by distributing traffic among a pool of multiple
database servers and also improve availability by automatically failing
over to a standby if one or more of the database servers fail.
In this guide, you will set up ProxySQL as a load balancer for multiple MySQL servers with automatic failover. As an example, this
tutorial uses a multi-primary replicated cluster of three MySQL
servers, but you can use a similar approach with other cluster
configurations as well.
Three MySQL servers configured to form a multi-primary replication group. You can set this up by following the How To Configure MySQL Group Replication on Ubuntu 16.04 tutorial. In the Choosing Single Primary or Multi-Primary section, follow the instructions for a multi-primary replication group.
psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.
psad incorporates many signatures from the Snort intrusion detection system to detect probes for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (FIN, NULL, XMAS) which are easily leveraged against a machine via nmap. When combined with fwsnort and the Netfilter string match extension, psad is capable of detecting many attacks described in the Snort rule set that involve application layer data. In addition, psad makes use of various packet header fields associated with TCP SYN packets to passively fingerprint remote operating systems (in a manner similar to p0f) from which scans originate. Further, psad can be integrated with Logstash, and also offers support for UFW firewalls[1]. For more information, see the complete list of features offered by psad.
Beginning with MySQL 5.1.18, it is possible to use MySQL Cluster in multi-master replication, including circular replication between a number of MySQL Clusters.
Prior to MySQL 5.1.18, multi-master replication including circular replication was not supported with MySQL Cluster replication. This was because log events created in a particular MySQL Cluster were wrongly tagged with the server ID of the master rather than the server ID of the originating server.
Circular replication example. In the next few paragraphs we consider the example of a replication setup involving three MySQL Clusters numbered 1, 2, and 3, in which Cluster 1 acts as the replication master for Cluster 2, Cluster 2 acts as the master for Cluster 3, and Cluster 3 acts as the master for Cluster 1. Each cluster has two SQL nodes, with SQL nodes A and B belonging to Cluster 1, SQL nodes C and D belonging to Cluster 2, and SQL nodes E and F belonging to Cluster 3.
Circular replication using these clusters is supported as long as the following conditions are met:
The SQL nodes on all masters and slaves are the same
All SQL nodes acting as replication masters and slaves are started using the --log-slave-updates option
Recently, the anti-spam organization Spamhaus has come under yet another distributed denial-of-service attack. With some help from our good friends at myNetWatchman we were able to obtain a sample of the malware used in the attack. This one is particularly nasty, starting up 1500 threads to send randomized HTTP requests to Spamhaus’ webserver in a loop. This attack tool doesn’t have a command-and-control mechanism, so it was likely force-installed on all the infected systems of an existing botnet.
This kind of attack is particularly troublesome to deal with. While simplistic packet-based attacks can be more easily mitigated upstream, with an HTTP-based attack it is often difficult to distinguish attack traffic from legitimate HTTP requests. And because the attack consumes resources from the webserver, not just the system TCP/IP stack, it can quickly bring even a well-tuned webserver to its knees unless the target has better-than-average resources at its disposal to help weather the storm (like Spamhaus does).
Fortunately, most HTTP-based DoS attacks we have seen have a particular weakness – they are vulnerable to a technique known as « tarpitting ». This idea was first proposed by Tom Liston many years ago when the first scanning worms hit the Internet, and was implemented in his program LaBrea (which he no longer offers for download, due to legal concerns – however, the source code can still be found elsewhere and should work on Linux or BSD-based operating systems). The quickest way to implement tarpitting (if your webserver runs on Linux) is in the Linux netfilter source code. If the tarpit module is compiled for your Linux kernel, the operation becomes as simple as « iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT« .
Tarpitting works by taking advantage of TCP/IP’s idea of window size and state. In a tarpitted session, we respond to the connection initiation as normal, but we immediately set our TCP window size to just a few bytes in size. By design, the connecting system’s TCP/IP stack must not send any more data than will fit in our TCP window before waiting for us to ACK the packets sent. This is to allow connections to deal with packet loss that might occur in a normal session. If the sending system doesn’t get an ACK to a packet sent, it will resend the packet at increasingly longer intervals. In our tarpitted session, we simply don’t ack any of the post-handshake packets at all, forcing the remote TCP/IP stack to keep trying to send us those same few bytes, but waiting longer each time. With this, bandwidth usage falls off quickly to almost nothing.
It might seem reasonable to simply use iptables -j DROP to not respond to connections at all – this will certainly prevent the webserver from seeing the connection, but because the connection may have a timeout set, it is likely we’ll keep seeing connection attempts at a fairly regular rate. Essentially a DROP rule turns our HTTP flood into a SYN flood.
Below is a chart made by running the Spamhaus DDoS malware on a single host in a sandnet, and comparing the bandwidth usage of each iptables mitigation technique with no mitigation. Here we extrapolated the bandwidth usage of the full non-mitigated attack (the blue line in the chart) from just the first 30 seconds of the attack, rather than let it fully DDoS the server the entire two hours. Under load, our untuned Apache server probably would have slowed down, forcing the attack bandwidth to decrease with it as it became unresponsive. In this simulation we are assuming the server can withstand a single attacker with no slowdown.
We see that although with tarpitting, there are momentary spikes as the sessions finally time out and try again, overall the average bandwidth usage is substantially lower with tarpitting as opposed to simply dropping the attacker’s packets.
There seems to be an added side-effect to mitigation by tarpit. When the attacked host mitigates with an iptables DROP (no response), the attacker’s CPU load is fairly minimal and the system is responsive. However, as demonstated by the graphic below, under tarpitting the CPU load in our test system quickly rose to 100% as the attacking system’s kernel tried to maintain a large number of open connections in a retry state.
In the case of our test system, the user interface became nearly unresponsive. Of course, this may depend on the overal system CPU speed and RAM (our test was done in a VMware environment which also may be a factor), but if the system becomes unacceptibly slow, it serves as an impetus for the unknowing owner of the attacking system to have the computer cleaned of its botnet infection.
Unfortunately, the TARPIT iptables module is not part of every Linux distribution. It is possible to obtain it by getting the netfilter Patch-o-Matic-NG source and compiling it for your kernel (don’t forget the iptables source must also be patched to support the TARPIT option).
At some point, the scalability of having thousands of iptables rules may come into play. At the University of Florida, Chuck Logan and Jordan Wiens were able to successfully mitigate a DDoS attack from the Netsky virus by writing customized software to detect the attacking hosts and create intelligent chains of iptables rules that were more scalable. Details and source code can be found here.
No matter how you implement it, tarpitting isn’t going to completely stop an attack – it can only slow it down. However, it could be an effective stop-gap measure until upstream providers can effectively null-route an attack on your website, or until the attack stops on its own.
Beginning with MySQL 5.1.18, it is possible to use MySQL Cluster in multi-master replication, including circular replication between a number of MySQL Clusters.
