kwame

tail -f /dev/me

Latest Posts

Restricting MySQL access for a user based on their source IP


One of the most challenging aspects of working as a sysadmin is the broad scope of the tasks you have to work on. In a single day's work you could be asked to look into a security report and take the appropriate steps to address it. You can also be pulled into an alert raised by a monitoring system and do various things, such as adjust the alert's threshold because it was a false positive, or dig into the alert itself and fix the underlying problem. You can be asked to tune an application so it can handle the load it is receiving, either by changing its settings or by deploying one or more additional instances behind a load balancer so the load is spread across all of the app servers, all of this without downtime or interrupting the sessions of users already logged into your application. You can also be tasked with locking down access to an application at a specific layer, and you need to be able to do it in a very short amount of time, since the application might be vulnerable or under attack.

All of these aspects make a sysadmin's work day a very interesting one. I was recently asked to restrict access to MySQL so that a user could connect only from a specific network segment. If the request had simply been to restrict access to MySQL by network segment (this is a high-traffic MySQL server running on Linux) I would have used iptables right off the bat and been done with the task, but the request was to restrict access in the database itself.

So I went to the MySQL documentation site and followed some pointers, fired up a VM to do some tests, and these are the steps I would follow to achieve such a task.

1. Review grants for the user which I want to lock down:

[root@workvm ~]# mysql -u root -p -h localhost
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select user,host from mysql.user;
+-------+--------------------+
| user  | host               |
+-------+--------------------+
| kwame | %                  |
| root  | 127.0.0.1          |
|       | localhost          |
| kwame | localhost          |
| root  | localhost          |
|       | workvm.pythian.com |
| root  | workvm.pythian.com |
+-------+--------------------+
7 rows in set (0.00 sec)

mysql> show grants for 'kwame'@'%';
+------------------------------------------------------------------------------------------------------+
| Grants for kwame@%                                                                                   |
+------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'kwame'@'%' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' |
| GRANT ALL PRIVILEGES ON `db1`.* TO 'kwame'@'%'                                                       |
+------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql>

In this case we want to restrict the user 'kwame' so that it can connect only from 192.168.100.x. Note the two anonymous accounts (empty user column) for localhost and workvm.pythian.com: when a client connects, MySQL picks the most specific matching host row first, so those anonymous rows can shadow a named account for local connections and are worth dropping as well.

2. Remove the existing access for this user. The DELETE statements below assume the current database is mysql (otherwise qualify the table as mysql.user), and changes made directly to the grant tables only take effect after FLUSH PRIVILEGES. DROP USER 'kwame'@'%' does the same job and additionally removes the matching rows in mysql.db and mysql.tables_priv, which a DELETE on mysql.user leaves behind as orphans:


mysql> delete from user where user='kwame' and host='%';
Query OK, 1 row affected (0.00 sec)

mysql> delete from user where user='kwame' and host='localhost';
Query OK, 1 row affected (0.00 sec)

mysql>

3. Grant access to the user only from 192.168.100.x. The % in the host part is a wildcard matched against the client address as the server sees it, and the password has to be set again here because the old account rows are gone:


mysql> grant all privileges on `db1`.* TO 'kwame'@'192.168.100.%' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> show grants for 'kwame'@'192.168.100.%';
+------------------------------------------------------------------------------------------------------------------+
| Grants for kwame@192.168.100.%                                                                                   |
+------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'kwame'@'192.168.100.%' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' |
| GRANT ALL PRIVILEGES ON `db1`.* TO 'kwame'@'192.168.100.%'                                                       |
+------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> select user,host from mysql.user;
+-------+--------------------+
| user  | host               |
+-------+--------------------+
| root  | 127.0.0.1          |
| kwame | 192.168.100.%      |
|       | localhost          |
| root  | localhost          |
|       | workvm.pythian.com |
| root  | workvm.pythian.com |
+-------+--------------------+
6 rows in set (0.00 sec)

mysql> 


4. Confirm access works from the expected source. Here the client runs on the same VM but connects to its own 192.168.100.194 address rather than through the Unix socket or 127.0.0.1, so the connection is matched against 'kwame'@'192.168.100.%'. A complete test also includes a connection attempt from an address outside 192.168.100.0/24, which the server must refuse:

[kwame@workvm ~]$ ifconfig | grep 'inet addr' | grep 100
          inet addr:192.168.100.194  Bcast:192.168.100.255  Mask:255.255.255.0
[kwame@workvm ~]$ mysql -u kwame -p -h 192.168.100.194
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show grants;
+------------------------------------------------------------------------------------------------------------------+
| Grants for kwame@192.168.100.%                                                                                   |
+------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'kwame'@'192.168.100.%' IDENTIFIED BY PASSWORD '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' |
| GRANT ALL PRIVILEGES ON `db1`.* TO 'kwame'@'192.168.100.%'                                                       |
+------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql>
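
Keep in mind that the host check only sees the source address of the TCP connection, so anything that sits inside the allowed segment (a NAT gateway, a proxy, a jump host) extends the trust to whoever can reach it; the database-level rule complements an iptables rule on port 3306 rather than replacing it. The following is an added example, not code from the original post, showing the same lockdown done with MySQL's account-management statements instead of editing mysql.user by hand. The account 'kwame', the database db1, the segment 192.168.100.% and the hostname workvm.pythian.com come from the post; the password 'CHANGE_ME' is a placeholder, and the choice of SELECT/INSERT/UPDATE/DELETE as the privileges the application needs is an assumption:

```sql
-- Added example (not from the original post): lock 'kwame' down to one segment
-- using CREATE USER / DROP USER / GRANT rather than DELETE on mysql.user.
-- From the post: account 'kwame', database db1, segment 192.168.100.%,
-- server hostname workvm.pythian.com.
-- Assumptions: 'CHANGE_ME' is a placeholder password; the application only
-- needs DML on db1. Run as an account holding CREATE USER and GRANT OPTION.

-- 1. Inventory every row that can match the account, plus the anonymous
--    accounts (empty user), which sort ahead of 'kwame'@'%' for local clients.
SELECT user, host FROM mysql.user
 WHERE user = 'kwame' OR user = ''
 ORDER BY host;

-- 2. Remove the wide-open entries. DROP USER also deletes the matching rows
--    in mysql.db, mysql.tables_priv and mysql.columns_priv, which a DELETE
--    on mysql.user leaves behind as orphans. After this, kwame can no longer
--    connect through the Unix socket (that is 'localhost'); local clients
--    must use -h 192.168.100.x, as step 4 of the post does.
DROP USER 'kwame'@'%';
DROP USER 'kwame'@'localhost';

-- 3. Re-create the account bound to the segment. The % in the host part is a
--    wildcard over the client address as the server sees it. The netmask form
--    '192.168.100.0/255.255.255.0' is equivalent here and is the one to use
--    when the allowed range is not aligned on an octet boundary.
CREATE USER 'kwame'@'192.168.100.%' IDENTIFIED BY 'CHANGE_ME';

-- 4. Grant only what the application needs. ALL PRIVILEGES on db1.* also
--    includes CREATE, ALTER and DROP, which an application account rarely needs.
GRANT SELECT, INSERT, UPDATE, DELETE ON `db1`.* TO 'kwame'@'192.168.100.%';

-- 5. Drop the anonymous accounts while at it: they can shadow named accounts
--    for connections from localhost and from the server's own hostname.
DROP USER ''@'localhost';
DROP USER ''@'workvm.pythian.com';

-- 6. Verify. No FLUSH PRIVILEGES is needed after CREATE USER, GRANT or
--    DROP USER; it is only required after INSERT/DELETE directly on the
--    grant tables.
SHOW GRANTS FOR 'kwame'@'192.168.100.%';
SELECT user, host FROM mysql.user ORDER BY user, host;
```

Feed it to the server with `mysql -u root -p < lockdown.sql`, then test once from a client inside 192.168.100.0/24 and once from outside it; the second attempt must be refused.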


The Heartbleed Bug

Today we woke up to very fun and interesting news, made public here: http://heartbleed.com/


In short, what this means is that the internet, IM, email and VPN communications you thought were encrypted and secure may not have been, if the server side was running an affected version of OpenSSL, the software used to encrypt those communications.
Even more interesting, according to this report, if your server was compromised there is no log or any other evidence that it ever happened.
The open source community is actively releasing patches to address this bug.
So, if you were p3wn3d, don't worry about it, nobody will ever know, not even yourself :-)

Patch and keep safe!

Cheers!

A lightweight screen locker

For a long time I've been using Awesome as my window manager, and XScreenSaver (by Jamie Zawinski) has been my screensaver of choice.
Recently I started looking for something even more lightweight than XScreenSaver and I found i3lock.
i3lock is a simple screen locker like slock. After starting it you will see a white screen (you can configure the color or an image). You return to your session by entering your password. To install it on a Debian system all you need to do is:

apt-get install i3lock 

I would also recommend installing xautolock, a program that starts other programs after a period of user inactivity in X.
After you've installed both programs you can set the timer for i3lock to start with something like this (lock after 5 minutes idle):

xautolock -time 5 -locker i3lock

Looking at i3lock's options, I saw that I can specify an image instead of the default white color. I chose a Linux wallpaper with this option (-t tiles the image across the screen):

xautolock -time 5 -locker "i3lock --image=/home/kwame/Pictures/linux_wallpaper.png -t"

Hope you find this useful.

CentOS KVM clone does not show the eth0 device

For quite a while now I have been using KVM to manage my VMs on Linux (Fedora or Debian). I have a CentOS 6 base image which, whenever I need another machine for testing, I just clone and that's it; I have a machine ready in about 3-4 minutes for the tests I need.

One thing that bothered me when cloning machines is that the eth0 interface is not recognized in the new system; I always end up with eth1. After googling and investigating a bit, this is because udev remembers the settings of the NIC that was cloned. When the freshly cloned machine boots, it looks for the settings, specifically the MAC address of the original machine, but since the cloned machine has a new MAC address for the interface, udev names this interface eth1.

[root@centos-lvm ~]# ifconfig -a
eth1      Link encap:Ethernet  HWaddr 52:54:00:04:65:ED  
          inet addr:192.168.0.104  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe04:65ed/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14386 (14.0 KiB)  TX bytes:8810 (8.6 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@centos-lvm ~]# ls /sys/class/net/
eth1  lo
[root@centos-lvm ~]# 

Fixing this is really simple. You only have to modify the file /etc/udev/rules.d/70-persistent-net.rules as follows.

Original file:

[root@centos-lvm ~]# cat /etc/udev/rules.d/70-persistent-net.rules
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x1af4:0x1000 (virtio-pci)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:bf:b4:70", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x1af4:0x1000 (virtio-pci)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:04:65:ed", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
[root@centos-lvm ~]# 

Modified file:

[root@centos-lvm ~]# cat /etc/udev/rules.d/70-persistent-net.rules
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x1af4:0x1000 (virtio-pci)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:04:65:ed", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
[root@centos-lvm ~]# 

After modifying this file it is just a matter of updating your /etc/sysconfig/network-scripts/ifcfg-eth0 with the corresponding MAC address, rebooting your VM, and that's it: you will have eth0 available on your system. To avoid the problem for every future clone, delete /etc/udev/rules.d/70-persistent-net.rules (and the HWADDR line in ifcfg-eth0) from the template before shutting it down; udev regenerates the file on the clone's first boot with the new MAC address.

Posts 2012

Yes, unfortunately I lost the 8 posts I had written in 2012 because I did not have an up-to-date backup of my blog's database.
Lesson learned.

My workload is now a bit more back to normal; it's hard to believe I am about to complete 9 months working at Pythian. I already have in my drafts the topics I want to cover in my next posts, podcasts and screencasts.

I am sure that 2013 will be a year in which I get back to my blogging vocation.

Cheers!


Linux sessions at UABC, Campus Valle Dorado

This past May 4th I had the opportunity to take part in the 2nd Student Symposium on Informatics at UABC, Campus Valle Dorado. I gave a simple talk about open source software and how it is used in the business world.

At that symposium there was very good interaction with the participants and a lot of enthusiasm about learning more about free software. For that reason I offered to give a Linux course. They very kindly got hold of a classroom with the necessary equipment for it. The number of computers in the classroom they are lending us is limited, but if you are interested in learning a bit of Linux and have a laptop for the hands-on exercises (and you are in Ensenada, BC), come this coming Tuesday, June 7th 2011 at 18:30 to the FCAYS laboratory on the ground floor of building D at UABC Campus Valle Dorado.

Obviously it will not be just one Tuesday; if you want to start this course and get more details, come along. The only requirement is plenty of willingness and a desire to learn.

Anything else you need to know before the course, you can ask me here or on Twitter; my handle is @informatux

Cheers!

Puppet podcast

We recorded this podcast a few weeks ago, but for lack of time I had not edited it for publication. Many thanks to Tony for his time talking about Puppet.

I am also working on some documentation about how to take the first steps with Puppet. For those who do not know Puppet, you can find information about it at http://www.puppetlabs.com/

Cheers!

Kwame