Posted on

MySQL and Security

I’m sure you’ve seen the alert on (dev.)mysql.com or elsewhere: there’s a bot/worm on the loose that targets unsecured MySQL servers on Windows platforms.
See also http://forums.mysql.com/read.php?3,13227,13227 for more details.

Regardless of whether you can be affected by this particular worm, it is a good opportunity to check out your own setup… is it properly secured? Here are a few hints:

  • Firewall… are you allowing external access to port 3306? Do you need outside access into your MySQL Server? If not, block this port.
  • If you do not need networked MySQL access from other machines (LAN or Internet), add the option “skip-networking” to your MySQL configuration (generally /etc/my.cnf, the [mysqld] section).
  • On Unix systems (including Linux and Mac OS X), run the mysql_secure_installation script. Use “locate” to find it on your system. It will guide you through a few simple steps that make the default user setup secure (remove remote root, set a local root password, remove the anonymous user that can only access the test db).
  • From the manual angle, don’t allow remote root access:
    DELETE FROM mysql.user WHERE user='root' AND host='%';
    FLUSH PRIVILEGES;
    If you do need remote access, see Connecting the MySQL GUI Tools to a Remote Server through a Firewall by Mike Hillyer for a way to do it safely.

  • You could rename your MySQL root user to something else. Yes this is obscurity but it doesn’t hurt. A malicious user has no way of figuring out what the name might be.
  • When choosing a password, make it long enough, use numeric and special symbols as well as alpha characters, and pick something non-obvious. Attacks using a word dictionary are so easy!
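To turn the checklist above into something you can re-run, here is an added example (my own code, not from this post or from MySQL AB) that audits a setup offline: it parses the [mysqld] section of a my.cnf for skip-networking or a loopback bind-address, checks a snapshot of mysql.user (the rows of SELECT user, host, password FROM mysql.user) for the anonymous account, root reachable from non-local hosts and empty passwords, and emits the same DELETE / FLUSH PRIVILEGES statements given above for the findings that have a mechanical fix. The config text, the user rows and the function names are all constructed for the example.

```python
# Added example (not from the original post): an offline audit of a MySQL
# setup against the checklist above. It reads the text of a my.cnf and a
# snapshot of mysql.user rows, e.g. the output of
#   SELECT user, host, password FROM mysql.user;
# so it needs no running server. All sample data below is constructed.
import configparser

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed my.cnf: no skip-networking and no bind-address, so the server
# accepts TCP connections on every interface unless a firewall blocks 3306.
SAMPLE_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
port=3306

[client]
port=3306
"""

# Constructed mysql.user snapshot as (user, host, password_hash). The hash
# values are placeholders; an empty string means no password is set.
SAMPLE_USERS = [
    ("root", "localhost", "*PLACEHOLDERHASH"),
    ("root", "%", "*PLACEHOLDERHASH"),        # remote root
    ("", "localhost", ""),                   # anonymous, no password
    ("app", "192.168.1.10", ""),             # real account, no password
    ("app", "localhost", "*PLACEHOLDERHASH"),
]


def parse_mysqld_options(text):
    """Return the [mysqld] options as a dict, or None if the section is absent.
    Option names are normalised so skip_networking and skip-networking match."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return None
    return {name.replace("_", "-"): value for name, value in cp.items("mysqld")}


def audit_my_cnf(text):
    """Network-exposure findings as (code, detail) tuples; [] means nothing to report."""
    opts = parse_mysqld_options(text)
    if opts is None:
        return [("NO_MYSQLD_SECTION", "no [mysqld] section; built-in defaults apply")]
    if "skip-networking" in opts:
        return []  # TCP listener disabled: only socket/named-pipe connections
    bind = (opts.get("bind-address") or "").strip()
    if bind in LOCAL_HOSTS:
        return []  # listening, but only on a loopback address
    port = (opts.get("port") or "3306").strip()
    return [("NETWORK_LISTENER",
             f"port {port} listens on {bind or 'all interfaces'}; "
             "add skip-networking or block the port at the firewall")]


def audit_user_table(rows):
    """Account findings as (code, user, host) tuples, following the checklist:
    anonymous accounts, root reachable from non-local hosts, empty passwords."""
    findings = []
    for user, host, pw_hash in rows:
        if user == "":
            findings.append(("ANONYMOUS_USER", user, host))
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(("REMOTE_ROOT", user, host))
        if pw_hash == "":
            findings.append(("EMPTY_PASSWORD", user, host))
    return findings


def remediation_sql(findings):
    """The post's DELETE/FLUSH fix for the findings that have a mechanical
    remedy. Empty-password accounts need a password chosen by a human, so they
    are reported but not fixed here. User/host values are inserted verbatim and
    are expected to be the plain names a mysql.user table holds."""
    stmts = [f"DELETE FROM mysql.user WHERE user='{user}' AND host='{host}';"
             for code, user, host in findings
             if code in ("ANONYMOUS_USER", "REMOTE_ROOT")]
    if stmts:
        stmts.append("FLUSH PRIVILEGES;")
    return stmts


if __name__ == "__main__":
    for code, detail in audit_my_cnf(SAMPLE_MY_CNF):
        print(f"{code}: {detail}")
    for code, user, host in audit_user_table(SAMPLE_USERS):
        print(f"{code}: '{user}'@'{host}'")
    print("\n".join(remediation_sql(audit_user_table(SAMPLE_USERS))))
```

Run it against your own my.cnf text and a dump of the three mysql.user columns; review the generated statements before executing them, since deleting the wrong row locks you out just as effectively as it locks out the worm.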

MySQL from its end will of course also seek to make future versions even more secure by default. Up to a point, it’s a tradeoff with ease of first use. If you have any feedback or suggestions on this topic, please don’t hesitate to write to me! Either comment here, or email to my first name at mysql dot com.
Thanks!


OSCON 2005 call for papers announced

OSCON 2005 is happening, Aug 1-5 in Portland, Oregon.
There’s a database track which includes MySQL (of course 😉)

Now’s your chance to submit for the call for papers!
Talks, tutorials, workshops, BoFs….
See http://conferences.oreillynet.com/os2005/ for all details.
Deadline February 13th, but you don’t want to wait

I don’t know if I can be there yet myself, but who knows!
Never been there before, but everybody tells me it’s a great event.


New version of Eventum (1.4) released

You may or may not have heard of Eventum… it’s an issue tracking system that MySQL AB uses to manage its technical support.

Eventum’s history in a nutshell:
It was written by Joao Prado Maia, and it was already looking rather nifty before its first official release! However, MySQL support needed more, and nothing else came even close to being suitable.
After some talks, Joao and Eventum both joined MySQL AB, Joao continuing to work on Eventum (now joined by Bryan Alsdorf) and Eventum was released under the GPL license.

When doing talks at user groups and conferences, recently I’m often getting feedback from users who tell me that they use Eventum for their own internal or external needs, and that they really like it!
So that’s great news. Of course, systems such as these are always subject to your individual requirements and also your way of working. It may or may not suit you. But if you’re interested, do take a peek.

http://www.mysql.com/eventum/


Training in Sydney, Python meetup

Been teaching a MySQL training course in Sydney this week. I don’t get to teach training courses nearly as often as I’d like to – I love doing it. Nothing wrong with my main job though 😉

Met up with Pia Smith from Linux Australia this evening, played a dismal round of pool…. then visited a local Python meetup which happened to be at the same venue. They had some very interesting talks, and the organiser (Alan Green) is doing an excellent job there… see http://python.meetup.com/96/


PHP awarded Programming Language of 2004

PHP has been awarded the Programming Language of 2004, according to the TIOBE Programming Community Index.
This index uses information collected from the popular search engines, and is based on the world-wide availability of skilled engineers, courses and third party vendors.

I am a PHP fan. I know PHP is used a lot, but you generally hear more about Java, ASP.NET and such in the mainstream press. So PHP just happens without anyone making a fuss about it 😉
Take a peek at the graph. PHP is now in the same realm as VB + C# together.

But hey, I’m not saying one is better than the other! Use whatever is suitable for the needs of an application, and of course what you prefer and are comfortable with. I know fine things can be made with VB.Net, C#, and Java. I just like PHP because it allows me to quickly do things, and it’s close to C (which is where my origins lie).

As for MySQL APIs, they all have excellent support. I’ve made a little list of the most popular ones (I know there are many more):
– C: MySQL C API
– Java: Connector/J
– .NET: Connector/Net
– PHP 4: PHP MySQL extension
– PHP 5: PHP “Improved” MySQL extension
– Perl: DBD::mysql module
– Python: MySQLdb
– ODBC: Connector/ODBC


MySQL User Groups

We have created a page for the MySQL User Groups: http://dev.mysql.com/user-groups/

I know that many more groups exist, but not which ones are active. So my question to you is, please use the feedback form from the page (or send a mail to: ug at mysql.com) to tell me about your user group!
Thanks!


MySQL UC tutorials – “Mastering Changes and Upgrades to Mission Critical Systems”

As earlybird registration for the MySQL User Conference is open, I’d like to draw your attention to one tutorial which I think is of particular interest: Mastering Changes and Upgrades to Mission Critical Systems, by Andrew Cowie of Operational Dynamics.
It is about how to plan upgrades (or any other changes) on mission critical systems. Of course this is highly relevant for MySQL installations. How do multiple teams interact, and how can you actually test your plans?

Now, I hear you think “I know all that”… but do you? Really? I’ve come to the conclusion that I don’t – that’s my honest answer. I now know there’s much more to it than meets the eye!
There are people who make it their business to develop techniques for this, and Andrew is a good one. If you manage or are part of a team working with mission critical systems, I’d suggest that going to this tutorial would be time well spent.

Registration is at http://www.mysqluc.com/pub/w/35/register.html, remember it’s still earlybird time – you can save a bundle by registering sooner rather than later. I understand that earlybird registrations also receive some free O’Reilly or MySQL books!

The full list of tutorials is listed on http://www.mysqluc.com/pub/w/35/tutorials.html


“Thank you, Poland” on its EU swpat stance

http://thankpoland.info/
[snip]
The undersigned wish to express their sincere thanks to the Polish
government for their action to remove the “A-item” of adopting the
“Software Patent Directive” from the agenda of the Agricultural
Council meeting on December 21, 2004. It would have been a
horrible mistake for the European Union to adopt this “Software
Patent Directive”.
[snap]

Do add your name to the list!

The original story is here:
http://www.nosoftwarepatents.com/phpBB2/viewtopic.php?t=254
