Open Source

Firewall MySQL with GreenSQL

GreenSQL is a "firewall" for MySQL databases that could help protect your database from SQL injection vulnerabilities. Vincent Danen introduces this application and tells you how to install it.

A large number of attacks on Web sites and Web applications exploit what are known as SQL injection vulnerabilities. This is a very real problem in poorly written applications: a remote user manipulates the data sent to the Web server so that arbitrary SQL commands are piggy-backed onto a legitimate query the Web application executes, usually because the application performs no checking or sanitization of that input before building the query.

To get one up on these flaws, GreenSQL acts as a "firewall" for MySQL databases. It intercepts SQL statements on their way to MySQL, inspects them, and either blocks the query or passes it on to the real MySQL server, then returns the query results to the calling application.
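The piggy-backing described above, as an added example that is not part of the original article or of GreenSQL: a login check built by string concatenation beside the same check as a parameterized query. The table, rows and the tautology payload are constructed for the example, and sqlite3 stands in for MySQL only so that it runs offline; the concatenated string returned by vulnerable_login_query is the kind of final SQL text that a proxy such as GreenSQL sees on the wire and can inspect.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a Web application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def vulnerable_login_query(name, password):
    # String concatenation with no sanitization: whatever the user typed
    # becomes part of the SQL statement, so quotes and operators in the
    # input are parsed as SQL rather than treated as data.
    return (
        "SELECT id, name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )


def vulnerable_login(conn, name, password):
    # Executes the concatenated statement; an attacker-controlled name or
    # password rewrites the WHERE clause.
    return conn.execute(vulnerable_login_query(name, password)).fetchall()


def safe_login(conn, name, password):
    # Parameterized query: the driver binds the values as data, so the
    # same payload is compared literally against the name column and
    # matches nothing.
    sql = "SELECT id, name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed tautology payload: closes the quoted value and appends
    # a condition that is always true.
    payload = "' OR '1'='1"
    print(vulnerable_login_query(payload, payload))
    print("vulnerable:", vulnerable_login(db, payload, payload))
    print("parameterized:", safe_login(db, payload, payload))
```

Run as a script it prints the rewritten WHERE clause, then every row from the vulnerable path and an empty result from the parameterized path; an injection firewall sits at the point where that rewritten statement reaches the server, which is why it can help with code like vulnerable_login but is no substitute for fixing it.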

GreenSQL provides binary packages for some Linux distributions. If your distribution and/or version is not listed at the download page, download the greensql-console and greensql-fw tarballs. To install from source, execute the following, once the two files have been downloaded:

# tar xvjf greensql-fw-0.9.4.tar.bz2
# cd greensql-fw-0.9.4
# ./build.sh
# greensql-create-db.sh

The last command creates the MySQL database that GreenSQL itself uses, so MySQL must be running and configured to listen on a TCP port (in other words, make sure that "skip-networking" is not set in /etc/my.cnf), since GreenSQL reaches MySQL over TCP rather than through the local UNIX socket.

To start and test GreenSQL, use:

# greensql-fw -p /etc/greensql &
# mysql -u root -h 127.0.0.1 -P 3305 -p

The GreenSQL proxy listens on port 3305 and forwards accepted queries to MySQL on port 3306. Any application that is to be proxied through GreenSQL must therefore be configured to connect to port 3305 instead of the local UNIX socket or port 3306. Note that MySQL clients treat the host name "localhost" as a request for the UNIX socket, which bypasses the proxy entirely; use the address 127.0.0.1, as in the test command above, to force a TCP connection.

The greensql-console package provides a Web interface that can be used to see what queries have been blocked, and you can also use it to configure what GreenSQL will block, what it should permit, and so forth. Untar the greensql-console tarball into your Web tree, where it will live, and adjust config.php to suit your chosen GreenSQL username, password, and database name.

As well, if you installed GreenSQL from source, you will want to ensure that GreenSQL will start at every system boot. Depending on your Linux distribution, it could be as easy as copying an initscript from the greensql-fw source tree (such as rpm/greensql-fw.redhat.init), or you may wish to add it to your local startup script.



About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

10 comments
cmoewes

I have to agree with TJ. While this is a nice tool, it really just creates a crutch for sloppy programming. By using good OO design and always validating and testing user entered data, tools like this shouldn't be required. That being said, for web hosting companies and people using software they didn't write, this is probably a useful tool.

walleed222

It is really nice to have an injection firewall. Is there something like that for other database engines?

pgit

I'd never heard of this. But I checked and my distribution (Mandriva) has already packaged it. Thanks for the tip. This Tech Republic is better than sliced bread.

TJ111

In an ideal application with competent security measures and decent programming, something like this should never be required. However I recently adopted one of those applications that give PHP a bad name (hundreds of pages, each having 2k+ lines of tag soup and inline logic); and having something like this sitting between it and the database would give me at least *some* ease of mind.

WebDevBB

Currently MySQL only, but it looks like they're going to look at protecting PostgreSQL at some point in the future.

fluttervertigo

Sourceforge and Freshmeat have the GreenSQL project.

vdanen

I'm not aware of any, no. There might be... you'd have to hunt around a bit and find out I guess. Freshmeat might be a good place to start (freshmeat.net IIRC).

fluttervertigo

[[ However I recently adopted one of those applications that give PHP a bad name (hundreds of pages, each having 2k+ lines of tag soup and inline logic) ]] And now you know why I say 98% of the people in the IT industry don't belong. They think they like it because it makes them smart. People stroke their egos about how smart they are. There's a shortage and this ensures they'll be around someplace where they think they can solve everyone's problems. The problem is they really don't know what they are doing. They truly don't have the skills to do it correctly. It has nothing to do with logic or any other skills which one might associate with being a good coder. You don't have to be good, just good enough. (Unfortunately, that's not good enough) There's all sorts of things which apply to all of this: Bad coders write bad code faster than good coders can fix it. Bad coders can write bad code faster than good coders can rewrite it. Bad coders can get code into some form of test cycle, overtly showing progress, making good coders look bad. ... The only thing worse than having one of these morons running loose (alone) with a keyboard is two of them, working together with XP. The crap from each bounces off of the other, producing feedback which seems to grow like hangers in a dark closet. Eventually, the result is a coding clusterfuck. The only thing worse than XP is off-shoring. Me? My programming sucks. I'm 46. I'm hoping to learn enough to write things which are reasonably decent within the next 15-20 years. After that, I'll have to be careful. I grew up hearing no one retires from IT. They either change professions or die.

nedvis

I work for a Web hosting company and I really know what a pain it is to hunt down yahoo_counter and other injected scripts interlaced in our clients' databases. With 150 to 250 Terabytes worth of data a grep search can take up to 12 hours and is a very inefficient way of troubleshooting SQL injection. GreenSQL looks promising and I've just sent a link to my colleagues in the data center to consider it for deployment on our RedHat Enterprise boxes. Thank you for a great tip Vincent!

csmith.kaze

I have to maintain a PHP/MySQL database at my business, though I at least wrote it. I am still not sure if it is secure. Is there a way to test the code to see if it can be hijacked and used to take over your database? I will admit upfront that I am new to both PHP and databases. Security is always a concern of mine, but I am sure I cut corners like crazy to get the site up ASAP.
