Fully disabling remote access to root on MariaDB

An OpenVAS vulnerability scan recently helped me identify a DB that had a 9.0 rating and was allowing remote access to the root account. Thankfully the DB was not accessible from the Internet, but the ease of lateral movement inside a server network couldn’t be allowed. So I went about responsibly mitigating this vulnerability, which I did not expect to take as long as it did. Turning off remote access should be easy; even though I’m not a DBA, I felt confident this would not be that difficult. I read the free manual and didn’t see any major challenges.

First off, I’m not a DBA; second, this was the first install of MariaDB that I knowingly got involved with. I don’t think the differences from MySQL are that significant, but I had to keep them in mind.

The first step was to change the root password. At the very least, make sure it wasn’t using the default password of “password” to log in. Seriously. I don’t know if this is set this way by MariaDB during installation, or was set by the application using the DB.

Changing the root password was insufficient. The scan still reported that the vulnerability existed. Turns out I had only changed it for the localhost version of root. I was interested to learn and understand that different DB users can share the same login name, so long as their hosts are different.

So then I changed the password for 127.0.0.1 and ::1 to account for IPv6. This was still insufficient to stop the vulnerability from showing up.

I modified the my.cnf and still had no success.

I had to manually verify this existed, something I should have done earlier. It’s always possible for a vulnerability scan to show a false-positive, and every finding should be checked out before reporting it. All the verification necessary came from a different host with a simple command:

mysql -u root -h 10.20.30.xx -p

And I had root access to the DB application running on this host. And of course with MySQL access and root DB permissions, it wouldn’t take someone much effort or time to take control of that server. This was getting frustrating. If the hashes in the mysql.user table were clearly showing that the password had been changed, then what was I missing?

At this time I need to remember that I am not a DBA, and I had no clue that there was a “ghost” user in the system. I say ghost because the username actually had no value, but they could access the system from any IP address.

Thankfully I found this post https://dba.stackexchange.com/questions/4614/cannot-drop-anonymous-user-from-mysql-user. Suddenly I realized that this wasn’t as much of an issue with being able to log in as root, rather it was blocking anonymous access to the DB. Semantics? Part of me is curious if I could have logged in with a username of PapaJohn and had it work.

Quickly removing that user from the mysql.user table was all it took to mitigate that vulnerability.

DELETE FROM mysql.user WHERE user='' AND host='%';
FLUSH PRIVILEGES;

I did learn today that anonymous access exists on a default MySQL or MariaDB installation. I learned that there is a test DB created by default that needs removing also. An excellent writeup on how to clean a default installation can be found here: https://www.loginradius.com/blog/engineering/is-your-database-secured-think-again/.
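As an added example (not from the post, and not the MariaDB project’s own tooling), here is the audit and cleanup a defender would run against a default install to cover both the anonymous account above and the default test database mentioned here. It assumes MariaDB 10.1.3+ or MySQL 5.7+ for DROP USER IF EXISTS; the host values are examples to adjust to what the audit query reports.

```sql
-- Run locally as an administrative account (e.g. mysql -u root -p)
-- after the root password has already been changed.

-- 1. List every account that is anonymous or reachable from a non-local host.
--    An empty User value matches ANY login name, which is why "root" from a
--    remote host fell through to ''@'%' and its empty password.
SELECT User, Host,
       CASE
         WHEN User = ''                                   THEN 'anonymous account'
         WHEN Host IN ('%', '')                           THEN 'reachable from any host'
         WHEN Host NOT IN ('localhost','127.0.0.1','::1') THEN 'reachable from a remote host'
         ELSE 'local only'
       END AS finding
FROM mysql.user
WHERE User = ''
   OR Host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY User, Host;

-- 2. Remove anonymous accounts with DROP USER rather than DELETE FROM mysql.user.
--    On MariaDB 10.4+ mysql.user is a view over mysql.global_priv, so a DELETE
--    against it no longer works; DROP USER also revokes the account's rows in
--    mysql.db and the other grant tables in one step.
DROP USER IF EXISTS ''@'%';
DROP USER IF EXISTS ''@'localhost';

-- 3. Drop the default test database and the wildcard grant that lets any
--    account use databases named test or test_* (stored literally as test\_%).
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';

-- 4. Keep root local: drop any root account bound to a wildcard or remote host.
--    The host below is an example; use the hosts step 1 actually reported.
DROP USER IF EXISTS 'root'@'%';

FLUSH PRIVILEGES;

-- 5. Re-check: this should now return no rows.
SELECT User, Host
FROM mysql.user
WHERE User = ''
   OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));
```

After this, re-run the remote login test from another host (mysql -u root -h <server> -p) and the scan; both should fail to get in.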

I am grateful that this is solved, and I’m thankful I don’t have to scold the application developer for having done this. I am troubled, however, at a new installation being left open to the wild by default. This is a solid reminder that the need for highly trained engineers is greater than ever, for this inexcusable default configuration for MySQL will not be caught in many of the SMBs that I have traditionally supported. Only due to a vulnerability scan did this even get flagged for the customer, and only through persistence did it get mitigated. A highly trained DBA should have known this in advance, and known to delete these items immediately after a fresh install. Sadly I think the MySQL and MariaDB communities are doing a disservice to SMBs that lack dedicated DBAs and trust in the communities to provide software that is secure enough to use.

So for anyone that needs to search why they can log into a MySQL DB server remotely using the root account and the default password, consider that it may have nothing to do with root at all. Disable anonymous access to the DB, and then worry about changing the password for root.

Catastrophe through impatience

I’ve tried really hard to learn over the years to stop myself from making mistakes due to impatience. The challenge is real, and it still continues to this day. I may average an event like this at least once a year, if not every 6-months or so.

A few days ago I desperately needed to access an old external HDD that required a power brick that I didn’t have any longer. I looked around but couldn’t find one, so I became frustrated. I figured that if I were to damage the drive, it could be in my best interest since that would prevent me from wasting more time should I actually get access. I would potentially be searching for a 1GB needle in a 3TB haystack using something as arduous as Testdisk. Maybe if the drive malfunctioned, I would save myself time?

It probably goes without saying that:

  1. I did something that I shouldn’t have done.
  2. I did something that I knew ran the risk of destroying the device.
  3. I did it anyways.
  4. I let all the smoke out of my HDD.

As exciting and utterly predictable as the outcome was, I was surprisingly undeterred. It turns out I could have bought the power supply for less than $5 on Amazon and waited a few more days.

Also undeterred, I decided to poke at the drive to find out what really went wrong. If nothing else I knew I had to dissect the drive to destroy the platters and claim the magnets. It was very exciting when I spotted something on the board that had clearly cooked. I didn’t recognize what that part did; after all, I’m not an electrical engineer, or even a skilled hobbyist. So I did what any self-taught fool would, and I searched Google for the part number on the device.

It turns out I am not the only person to make this stupid mistake with an external HDD. That’s cool.

And it turns out that the piece is a Transient Voltage Suppressor (TVS) diode. A very nice thing to have, but not actually a necessary piece of the HDD. The purpose of the TVS is to protect the remaining components of the system from a sustained over-voltage event. It may be an oversimplification, but the TVS acts a lot like the old-school fuses that would blow in my mom’s ’74 Ford. The fix to my problem? Just remove the TVS! Removing the TVS permanently is not recommended, since the HDD then has no protection against a sustained over-voltage event. I’m grateful I have a fairly robust UPS that has a built-in line conditioner and should be cleaning up the voltage before it gets to the HDD. To be clear, I will fix this, but not until I have found that file I am missing.

To make a long story short, I have caused myself significantly more work than I would have had I been patient and just bought the $5 adapter and waited. I now get the great opportunity to buy an $0.80 part to fix my old HDD. Why would I do this? A 3TB HDD is still respectable and is better fixed than discarded.

This post represents the first time I’m going to try and catalog my mistakes that are made through impatience. Since the time before this was when I melted a server, and the time before that was a catastrophic failure of a software component, I’m very curious what my next iteration will be. I’m also keeping my fingers crossed it will cause less work, also cost $0.80, and be entirely preventable if I stop and remember that it will take more time to fix than simply being patient and waiting for the mail.

The unbelievable difficulty in watching Bluray on a computer

For a very long time I didn’t care much about the quality of my movies. DVD has generally been fine. This all went downhill, albeit slowly at first, when I got a really nice TV. The TV was the free one my friends gave me from the loading dock at their apartment. It was broken, but swapping out a DC capacitor fixed that. It was HD, and I liked it.

Skip a few chapters and we arrive at my current state.

I have attempted several paths to watch my brand new Ultimate Matrix Collection on Bluray. Yes… the Matrix. Matrix Resurrections is coming soon and I felt that was worth watching everything again; after all, the Matrix series was a very significant part of my youth. As nice of an idea as this was, I sincerely regret my decision to not just buy more bits from Amazon.

I have tried to watch this on:

  • 2016 macbook pro
  • Win10 VM in VMware Fusion
  • Linux Mint
  • Win10 bootcamp on the macbook

Please note I have not actually tried this on a true Windows PC, because oddly enough I don’t really have one. Time changes everything.

In short I have learned the following:

Essentially I get the frustration tractor owners feel when they can’t fix their own equipment. I have more appreciation now for the FTC ruling on Right-to-Repair (“The FTC Votes Unanimously to Enforce Right to Repair”, WIRED).

I burned $40 on eBay to buy these disks. I burned 4 hours of time trying to get this to work. I have too many hobbies, and can’t pick this one up. I’m going to buy the trilogy on Amazon and try to not think about making Jeff Bezos any richer.