How to Prevent MySQL Data Spoofing?

This article explains how to encrypt clear-text MySQL traffic using stunnel. It is essential reading for those who have security as their top priority. Although stunnel can also be used to encrypt the traffic of other services such as IMAP and POP, this article explains its use for MySQL. Once learned, the same technique can easily be applied to other services.

Why Stunnel?

To answer that, I will walk through a practical scenario that shows why stunnel is needed to encrypt MySQL traffic. I assume that readers have a basic knowledge of MySQL.
Let there be two hosts, Host A and Host B:

Host A: 192.168.1.1
Host B: 192.168.1.2

Host A has a MySQL server running on its default port 3306.
Host B has a MySQL server running on port 3307.

Now, to allow host B to connect to host A's MySQL port 3306, we have to grant host B permissions in host A's MySQL database. Run the following command at the MySQL prompt of host A to grant permissions to host B.

mysql> grant all on *.* to 'hostB'@'192.168.1.2' identified by 'hostB';

Once done, connect from host B to host A's MySQL port 3306 by running the following command.

SEC@hostB# mysql -u hostB -h 192.168.1.1 -phostB

If the MySQL connection was successful you will get the MySQL prompt. Before running any commands at this prompt, open a separate terminal on host B and start ettercap there; ettercap is a tool used to sniff network data. Run the following command in that terminal:

SEC@hostB# ettercap -T /192.168.1.1/3306

This sniffs the data going to and coming from port 3306 on host A.

Now run a command at the MySQL prompt in the previous terminal and observe the output of ettercap. Surprised and shocked? You can clearly see the commands being executed in the previous terminal. That is where stunnel comes in. If stunnel had been in use, ettercap would only have sniffed encrypted data, which is of no use. With your clear data visible, an attacker sniffing your network can easily obtain the database, row and column names and much more.
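The following is an added example, not part of the original article: a small Python classifier that tells cleartext MySQL traffic apart from TLS records, which is the difference ettercap shows between the two scenarios in this article. It relies only on the documented MySQL packet framing (a 3-byte little-endian payload length, a 1-byte sequence id, then a command byte, 0x03 for COM_QUERY) and on the TLS record header; both sample captures are constructed inline. A defender can run the same check over a packet capture to find database links that still carry cleartext SQL.

```python
"""Classify a captured TCP payload as cleartext MySQL or TLS.

Added example (not from the original article): a defender-side check for
database connections that still carry SQL in the clear.
"""

# MySQL client command byte for a text query (COM_QUERY), as defined by the
# MySQL client/server protocol.
COM_QUERY = 0x03
# TLS record content types: handshake (0x16) and application data (0x17).
TLS_HANDSHAKE, TLS_APPDATA = 0x16, 0x17


def parse_mysql_packet(data: bytes):
    """Split one MySQL protocol packet into (sequence_id, payload).

    The 4-byte header is a 3-byte little-endian payload length followed by
    a 1-byte sequence id. Returns None if the buffer does not hold a whole
    packet, which is also what happens for TLS bytes: the bogus length
    never matches what is there.
    """
    if len(data) < 4:
        return None
    length = int.from_bytes(data[:3], "little")
    seq = data[3]
    payload = data[4:4 + length]
    if len(payload) != length:
        return None
    return seq, payload


def extract_query(data: bytes):
    """Return the SQL text if `data` is a cleartext COM_QUERY packet, else None."""
    parsed = parse_mysql_packet(data)
    if parsed is None:
        return None
    _seq, payload = parsed
    if not payload or payload[0] != COM_QUERY:
        return None
    try:
        return payload[1:].decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify(data: bytes) -> str:
    """Label a payload as 'cleartext-mysql', 'tls' or 'unknown'."""
    if extract_query(data) is not None:
        return "cleartext-mysql"
    # TLS record header: content type, 2-byte version starting 0x03, 2-byte length.
    if len(data) >= 5 and data[0] in (TLS_HANDSHAKE, TLS_APPDATA) and data[1] == 0x03:
        return "tls"
    return "unknown"


def build_com_query(sql: str, seq: int = 0) -> bytes:
    """Build a COM_QUERY packet the way a MySQL client would (used for the sample)."""
    payload = bytes([COM_QUERY]) + sql.encode("utf-8")
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed sample captures: what a sniffer sees on the plain MySQL port
# (3306, no stunnel) versus on the stunnel port (3307, TLS application data).
PLAINTEXT_CAPTURE = build_com_query("select * from users")
TLS_CAPTURE = bytes([TLS_APPDATA, 0x03, 0x03, 0x00, 0x06]) + b"\x8f\x11\xa0\x4c\x2e\x77"

if __name__ == "__main__":
    for name, cap in (("port 3306", PLAINTEXT_CAPTURE), ("port 3307", TLS_CAPTURE)):
        print(name, classify(cap), extract_query(cap))
```

Running the block prints the query recovered from the port 3306 capture and only the label "tls" for the port 3307 capture; feeding it the payloads of real captured segments gives the same verdict ettercap gives by eye.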

How to use stunnel?

Download the latest stunnel package from stunnel.org and untar it. Then run the following commands.

./configure
make
make install

This will install stunnel. For more options use
./configure --help

For example, ./configure --prefix=/home/stunnel

will install stunnel in /home/stunnel.

To make use of stunnel we need SSL certificates. For testing purposes, let the default certificate be created during installation. You can purchase an SSL certificate if you need to deploy this for your organization. The default installation also gives you a default stunnel configuration file. I made some changes to it and configured it for MySQL. Here is the configuration file I used.

stunnel sample configuration file
—————————————–

# Sample stunnel configuration file for securing MySQL (server side)

# Provide the full path to your certificate-key pair file
cert = /etc/stunnel/stunnel.pem

#create the PID file

pid = /tmp/stunnel.pid

# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody

# Configure secured MySQL server

[mysqls]
accept = 3307
connect = 3306
———————————————————–

That was a simple stunnel configuration file giving the basic functionality of stunnel. As per the configuration file, I have my certificate-key pair at the specified path, and the stunnel process runs as the nobody user and group. The main thing to understand is the mysqls section. It means that all MySQL connections from outside are accepted on port 3307, decrypted, and passed to the local MySQL service on port 3306. Similarly, data going out is passed from port 3306 to port 3307 for encryption and then sent out.

Explanation through a practical scenario:
—————————————————

As in the example above, let us say we have the same two hosts with the same IPs. Let host A be the MySQL server and host B the MySQL client. We install stunnel on both the server and the client. I used the following server and client configuration files.

Server side stunnel configuration file: (serverside.conf)
———————————————————————–

# Sample stunnel configuration file for securing MySQL (server side)

# Provide the full path to your certificate-key pair file
cert = /etc/stunnel/stunnel.pem

# create the PID file

pid = /tmp/stunnel.pid

# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody

# Configure our secured MySQL server

[mysqls]
accept = 3307
connect = 3306

———————————————————————–

Client side configuration file: (clientside.conf)

————————————————————————

# Sample stunnel configuration file for securing MySQL (client side)

# Provide the full path to your certificate-key pair file
cert = /usr/local/etc/stunnel/stunnel.pem

# create the PID file

pid = /stunnel.pid

# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody

# enable client mode
client = yes

# Configure our secured MySQL client

[mysqls]
accept = 3306
connect = 192.168.1.1:3307

———————————————————————————

In this case the local stunnel daemon running on the client side (host B) listens for connections on port 3306 and forwards them to port 3307 on the server (host A), where the traffic is decrypted and passed to the server's local port 3306; the reverse path uses the same encrypted channel.
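As an added example (not part of the article, and not stunnel's own code), here is a small Python checker for stunnel configuration files of the shape shown above. It parses stunnel's format (global options first, then [service] sections) and flags the mistakes that break or weaken the setup: a client side without client = yes, a server side without cert, no setuid/setgid (stunnel started as root keeps root), and a service whose accept and connect point at the same local port. Going beyond the article's configuration, it also warns when the client side never verifies the server's certificate, which stunnel does not do unless the verify and CAfile options are set; the CA path /etc/stunnel/ca.pem in the hardened variant is an assumed value, not from the article.

```python
"""Parse and sanity-check stunnel configuration files.

Added example, not code from the article or from stunnel. Handles the
stunnel format: global `key = value` options first, then one or more
`[service]` sections; lines starting with '#' or ';' are comments.
"""


def parse_stunnel_conf(text):
    """Return {'global': {...}, 'services': {name: {...}}}."""
    conf = {"global": {}, "services": {}}
    current = conf["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = conf["services"].setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return conf


def split_endpoint(value):
    """'192.168.1.1:3307' -> ('192.168.1.1', 3307); '3306' -> (None, 3306)."""
    host, _, port = value.rpartition(":")
    return (host or None), int(port)


def check_stunnel_conf(text, role):
    """Return a list of findings for a config intended for role 'server' or 'client'."""
    conf = parse_stunnel_conf(text)
    g, services = conf["global"], conf["services"]
    findings = []
    client_mode = g.get("client", "no").lower() == "yes"
    if role == "client" and not client_mode:
        findings.append("client side lacks 'client = yes': stunnel would expect TLS from the local app")
    if role == "server" and client_mode:
        findings.append("server side must not set 'client = yes'")
    if role == "server" and "cert" not in g and any("cert" not in s for s in services.values()):
        findings.append("server side needs a 'cert' (certificate-key pair)")
    for opt in ("setuid", "setgid"):
        if opt not in g:
            findings.append(f"'{opt}' not set: stunnel started as root keeps root privileges")
    if not services:
        findings.append("no [service] section defined")
    for name, s in services.items():
        missing = [opt for opt in ("accept", "connect") if opt not in s]
        for opt in missing:
            findings.append(f"[{name}] missing '{opt}'")
        if not missing:
            _a_host, a_port = split_endpoint(s["accept"])
            c_host, c_port = split_endpoint(s["connect"])
            if a_port == c_port and c_host in (None, "127.0.0.1", "localhost"):
                findings.append(f"[{name}] accepts and connects on local port {a_port}: would forward to itself")
    # stunnel performs no certificate verification unless 'verify' is set.
    if role == "client" and "verify" not in g and not any("verify" in s for s in services.values()):
        findings.append("client does not verify the server certificate (no 'verify'/'CAfile'): any server certificate is accepted")
    return findings


# The article's server and client files, reproduced here as constructed input.
SERVER_CONF = """
cert = /etc/stunnel/stunnel.pem
pid = /tmp/stunnel.pid
setuid = nobody
setgid = nobody
[mysqls]
accept = 3307
connect = 3306
"""

CLIENT_CONF = """
cert = /usr/local/etc/stunnel/stunnel.pem
pid = /stunnel.pid
setuid = nobody
setgid = nobody
client = yes
[mysqls]
accept = 3306
connect = 192.168.1.1:3307
"""

# Same client file plus server-certificate verification. The CA file path is an
# assumed value for this example, not something the article specifies.
HARDENED_CLIENT_CONF = CLIENT_CONF.replace(
    "client = yes", "client = yes\nverify = 2\nCAfile = /etc/stunnel/ca.pem")

if __name__ == "__main__":
    for label, text, role in (("server", SERVER_CONF, "server"),
                              ("client", CLIENT_CONF, "client"),
                              ("hardened client", HARDENED_CLIENT_CONF, "client")):
        print(label, check_stunnel_conf(text, role) or ["ok"])
```

Run against the two files above, the server file passes clean and the client file gets exactly one finding, the missing certificate verification; the hardened client variant passes clean. The checker only looks at the configuration text, so it can run on a build host before the files are copied to host A and host B.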

Now, with the server and client configuration files ready, it is time to run the stunnel daemon. Simply run the following commands on the two hosts.

On host A: stunnel serverside.conf
On host B: stunnel clientside.conf

Both machines should now have their stunnel daemons running. Now access host A's MySQL server from host B. To do so, connect to the stunnel daemon listening on port 3306 on host B by issuing the following command:

SEC@hostB# mysql -h 127.0.0.1 -u hostB -phostB

This should give you the MySQL prompt. Run some commands, and in another terminal run ettercap sniffing host A's port 3307. Your stunnel setup is working if ettercap shows only encrypted data and you cannot see the MySQL commands being run at the MySQL prompt on host B.

The same applies to other services such as IMAP and POP. If you have any queries or suggestions, just post a comment.
