Protect your MySQL Database

How To

ProxySQL: firewall

This site was created as a demo for my Percona Live Online presentation "Creating an Open Source SQL Firewall". It uses the ProxySQL firewall whitelist feature to protect MySQL from SQL injection (aka "Bobby Tables"): only queries whose digest was seen during a training phase are allowed through; everything else is first logged and then, once you are confident in the whitelist, blocked.

Course of action:

  1. Train:

    • collect all good SQL queries (digest)

    • create whitelist

  2. Test: set mode to DETECTING and check error log

  3. Protect: disallow everything except for “whitelist”

    • (set mode to PROTECTING)
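The whole course of action as ProxySQL admin statements (run against the admin interface, by default port 6032). This is an added example, not the demo site's own code: it assumes the application connects as user root to schema books, as in the digest table below, and that the firewall engine has not been enabled yet (it is off by default).

```sql
-- Added example: Train -> Detect -> Protect for ProxySQL's whitelist firewall.
-- Assumes application user 'root' and schema 'books' (assumption, matches the demo).

-- 0. Turn the firewall engine on; without this the whitelist tables are ignored.
SET mysql-firewall_whitelist_enabled = 'true';
LOAD MYSQL VARIABLES TO RUNTIME;
SAVE MYSQL VARIABLES TO DISK;

-- 1. Train. Run the application's normal workload first so that
--    stats_mysql_query_digest is populated with the "good" digests.
--    Caveat: anything that runs during training is whitelisted too, so train
--    on a trusted workload (test suite, staging), not on live traffic.
INSERT INTO mysql_firewall_whitelist_users
       (active, username, client_address, mode, comment)
VALUES (1, 'root', '', 'DETECTING', 'books app');   -- '' client_address = any host

-- Copy every digest seen for this user/schema into the whitelist. flagIN 0 is
-- the default flag queries carry when they reach the firewall; the digest_text
-- is stored as the comment so the rule stays readable.
INSERT INTO mysql_firewall_whitelist_rules
       (active, username, client_address, schemaname, flagIN, digest, comment)
SELECT DISTINCT 1, username, '', schemaname, 0, digest, digest_text
FROM stats_mysql_query_digest
WHERE username = 'root' AND schemaname = 'books';

LOAD MYSQL FIREWALL TO RUNTIME;
SAVE MYSQL FIREWALL TO DISK;

-- 2. Test. In DETECTING mode unknown queries are still forwarded to MySQL but
--    logged in proxysql.log. This query shows which digests have been seen
--    since training and are not yet whitelisted, so each one can be judged:
--    a query the application legitimately runs, or an injection attempt.
SELECT d.username, d.schemaname, d.digest, d.digest_text, d.count_star
FROM stats_mysql_query_digest d
LEFT JOIN mysql_firewall_whitelist_rules r
       ON r.username   = d.username
      AND r.schemaname = d.schemaname
      AND r.digest     = d.digest
WHERE r.digest IS NULL;

-- 3. Protect. Unknown queries are now rejected with an error instead of
--    being forwarded. Re-run step 2 after any application deploy: a new
--    query shape will be blocked until its digest is added to the rules.
UPDATE mysql_firewall_whitelist_users
   SET mode = 'PROTECTING'
 WHERE username = 'root';
LOAD MYSQL FIREWALL TO RUNTIME;
SAVE MYSQL FIREWALL TO DISK;
```

A digest is a normalised form of the query (literals replaced by ?), so the whitelist allows SELECT * FROM books WHERE id=? with any id value, while a query whose structure differs (an extra OR 1=1, a UNION, a trailing DROP TABLE) produces a different digest and is caught. The flip side is that a legitimate new query shape introduced by a release is also unknown to the firewall, which is why the detecting phase and the step 2 check exist.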

Training

Run the application through its normal workload with the firewall still OFF (or in DETECTING mode), then list the query digests ProxySQL has recorded. These are the "known good" shapes that will become the whitelist:

Admin> select username, schemaname, digest, digest_text from stats_mysql_query_digest;
+----------+------------+--------------------+----------------------------------------+
| username | schemaname | digest             | digest_text                            |
+----------+------------+--------------------+----------------------------------------+
| root     | books      | 0x4F5409F6260C29DB | SELECT * FROM books WHERE published=?; |
| root     | books      | 0xEA3B9B4F6B08A3C0 | SELECT * FROM books WHERE id=?;        |
| root     | books      | 0x631F24A2FB9B82E0 | SET AUTOCOMMIT = ?                     |
+----------+------------+--------------------+----------------------------------------+
3 rows in set (0.00 sec)

Detecting

Testing: with the user set to DETECTING mode, a query whose digest is not on the whitelist is still forwarded to MySQL, but ProxySQL writes a warning for it to the error log. Exercise the application and watch the log; any digest reported here is either a query that was missed during training or an attack:

$ tail /var/lib/proxysql/proxysql.log
2020-05-17 19:11:08 Query_Processor.cpp:1742:process_mysql_query(): [WARNING] Firewall detected unknown query with digest 0x2D63306C4FDC72DF from user root@172.18.0.2

Protection

Admin> update mysql_firewall_whitelist_users set mode = 'PROTECTING' where username = 'root';
Admin> LOAD MYSQL FIREWALL TO RUNTIME;

From now on every query whose digest is not on the whitelist is rejected with an error instead of being forwarded to MySQL:


Screen Shots

I have created a simple POC web interface to simplify working with the ProxySQL firewall. It switches the mode from OFF to DETECTING to PROTECTING and loads the collected query digests into the firewall rules.