Reputation: 85
access amazon mysql database using mysql database details
our mysql database is hosted on amazon aws, and someone steals our database details via our php connection files and now he has details like dbname, password, dbhost etc. can he take our mysql database backups, or can he delete our mysql tables?
If he can then how can i prevent this. Can you tell me one more thing that how can he access my database using only our database details.
I have already blocked the unauthenticated ip login. So plz help us to prevent our database on amazon.
thanks.
Upvotes: 0
Views: 42
Answers (2)
Reputation: 12592
You really should change the password of the MySQL user. That is the proper protocol when anyone gains unwanted access to your sensitive credentials. And yes, if he had that information, he would be able to anything that user can do, like delete tables, etc.
Upvotes: 0
Reputation: 179154
I have already blocked the unauthenticated ip login.
I'm not sure what you mean by that, but your database should never be accessible to any IP addresses that are not known and trusted. You shouldn't be allowing access to your database from the Internet. The first layer of defense is the security group linked to the database.
Rarely is there any justification for your database to even have a public IP address.
Further, your application should be using a MySQL account that is consistent with the principle of least privilege.
The permissions on this account should be such that the application can only do the things it needs to do, and only to the objects where it needs to do them, and no more.
Your application should never use the master user credentials, or any accounts with any kind of elevated privileges.
If the credentials are compromised, there is then less privilege for the would-be attacker to exploit.
An obvious example would be the DROP privilege, since the application probably should not be dropping tables. Less obvious might be DELETE, since deletions of rows are rare in many relational databases -- for many tables, your application, working correctly, would never need to delete a row.
MySQL allows various privileges for each account to be set at the server, database, table, column, and object level, depending on the privilege.
https://dev.mysql.com/doc/refman/5.6/en/privileges-provided.html
The MySQL privilege system also can tie accounts to source IP addresses, so even if access to the server is obtained, through an inappropriately-open firewall configuration, the credentials will not work.
Properly preventing access from unauthorized IP addresses is critical, but your database is still only as secure as your application server, and the code running there, since a compromised application server could still be used as an attack vector to do anything your application can do. A common vulnerability, of course, is SQL injection, a class of vulnerabilities of which an embarrassingly large number of programmers seem to manage not to grasp the seriousness. Or, they are aware but either lazy or in denial that it can happen to them.
In possession of your credentials without direct access to the application server or database itself, an attacker might also find a way to use the services of a confused deputy, such as another machine in your environment with an unrelated (or indirectly-related) vulnerability, that allows some kind of "leapfrog" access to the app server or database.
Upvotes: 1
Related Questions
- Gaining access to Amazon FBA database
- How to connect to website's DB from xampp
- PHP connecting to Amazon EC2
- how to connect to database on another server
- Connect to a MySQL server on another server
- How do I connect MySQL server
- Connect to MySQL on Amazon AWS RDS
- Connecting to a MySQL db created in an Ubuntu AWS instance
- Connect to Remote AWS MySQL from GoDaddy via PHP
- Connecting From PHP Server to MySQL Server on Amazon AWS