Open Source

Firewall MySQL with GreenSQL

GreenSQL is a "firewall" for MySQL databases that could help protect your database from SQL injection vulnerabilities. Vincent Danen introduces this application and tells you how to install it.

A large number of attacks on Web sites and Web applications are directly related to what is known as SQL injection vulnerabilities. This is a very real problem with some applications that are written poorly; it allows a remote user to send arbitrary SQL commands to the database server by manipulating data sent to the Web server and piggy-backing the SQL commands against legitimate database queries executed by the Web application, usually without any prior checking or sanitization by the Web application.To get one up on these flaws, GreenSQL is a "firewall" for MySQL databases. What it does is intercept SQL commands being sent to MySQL, checks them, and then either halts the query or passes it on to MySQL proper. Then it returns the query results to the calling application.

GreenSQL provides binary packages for some Linux distributions. If your distribution and/or version is not listed at the download page, download the greensql-console and greensql-fw tarballs. To install from source, execute the following, once the two files have been downloaded:

# tar xvzf greensql-fw-0.9.4.tar.bz2
# cd greensql-fw-0.9.4
# ./

The last command will create the necessary MySQL database for GreenSQL, so you must ensure that MySQL is running and configured to listen to a port (in other words, make sure that "skip-networking" is not set in /etc/my.cnf).

To start and test GreenSQL, use:

# greensql-fw -p /etc/greensql &
# mysql -u root -h -P 3305 -p

The GreenSQL proxy listens on port 3305. This will mean that any applications that are to be proxied through GreenSQL will need to be configured not to use local UNIX sockets or to connect to port 3306 on the local host, but instead should connect via port 3305.

The greensql-console package provides a Web interface that can be used to see what queries have been blocked, and you can also use it to configure what GreenSQL will block, what it should permit, and so forth. Untar the greensql-console tarball into your Web tree, where it will live, and adjust config.php to suit your chosen GreenSQL username, password, and database name.

As well, if you installed GreenSQL from source, you will want to ensure that GreenSQL will start at every system boot. Depending on your Linux distribution, it could be as easy as copying an initscript from the greensql-fw source tree (such as rpm/greensql-fw.redhat.init), or you may wish to add it to your local startup script.

Get the PDF version of this tip here.

Delivered each Tuesday, TechRepublic's free Linux and Open Source newsletter provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!


Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

Editor's Picks