Best practices for storing database passwords

Time: 2021-06-29 17:00:43

I am developing a custom server application that will access a database. I need to decide where I will store the credentials (and the address) for that server.

A common solution is to put the credential in a config file. However, I do not want a compromised server to mean that the hacker has access to the DB (which is hosted on a separate server).

I could store the credentials in the environment, but that is just security through obscurity. Mr. Evil can just look in the environment to find it.

Someone suggested encryption. However, if I store the key in the executable, a quick de-compile (we are using Java) and I am still doomed.

I also want to avoid having to enter a passphrase every time I start the server.

Any suggestions? I feel like I'm missing something simple.

Thanks

3 solutions

#1


5  

I don't think you're missing something simple. Either the server in question can connect to the database without your help, in which case it has to have the credentials; or it cannot connect without your supplying them. You can take various steps like the ones you've listed to make it harder for a compromised server to reveal the credentials to the database, but at the end of the day, if it has to have those credentials and supply them to the DB server to connect, they'll have to be stored on it somewhere — or at least, it will have to have some means of getting them, and so will be hackable in that sense.

Your best bet is to focus on finding out about intrusions (compromised servers) as quickly as possible, keeping good off-site, off-line backups for the worst case, putting up lots of barriers to intrusion in the first place, etc.

#2


3  

I am sharing the way I had solved this.

  • Build an API to query the authentication details from a foreign domain.
  • Use a public key and private key to read through the details.

But honestly, the only thing this did was overcomplicate simple things. After that, I created several users for the database, with different privileges.

Like

  • guest can only SELECT
  • mod can only CREATE, INSERT, UPDATE, DELETE

etc., and switched the user whenever authenticated users appeared.

With the combination of users and sessions, I have been able to escape the threats so far. But of course the code vulnerabilities have to be tested thoroughly.
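The guest/mod split described in this answer, written out as an added example in PostgreSQL (this is not the answerer's code). Role names, the schema name and the password placeholder are assumptions. The mod role is also given SELECT, because PostgreSQL requires it for any UPDATE or DELETE whose WHERE clause reads a column; the answer's "CREATE" is mapped to CREATE on the schema.

```sql
-- Added example, not part of the answer: least-privilege roles for the
-- application, switched per session. All names below are assumptions.

-- Task roles that nobody can log in as directly.
CREATE ROLE app_guest NOLOGIN;
CREATE ROLE app_mod   NOLOGIN;

-- The single login the application server holds. It owns no tables and
-- is a member of the two task roles, so it can assume either of them.
-- The password is a placeholder; generate a real one and inject it at deploy time.
CREATE ROLE app_login LOGIN PASSWORD 'REPLACE-WITH-GENERATED-SECRET';
GRANT app_guest TO app_login;
GRANT app_mod   TO app_login;

-- Stop PUBLIC from quietly keeping access the roles are meant to restrict.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- guest: read-only, including on tables created later by the owner role.
GRANT USAGE ON SCHEMA public TO app_guest;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_guest;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO app_guest;

-- mod: row writes plus CREATE on the schema, as the answer lists.
GRANT USAGE, CREATE ON SCHEMA public TO app_mod;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO app_mod;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_mod;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_mod;

-- At runtime the application, connected as app_login, switches role
-- per request depending on whether the session is authenticated.
SET ROLE app_guest;   -- anonymous visitor: SELECT only
-- SELECT ... ;
SET ROLE app_mod;     -- after the user has authenticated
-- INSERT ... / UPDATE ... / DELETE ... ;
RESET ROLE;           -- back to app_login before returning the connection to the pool
```

One caveat worth keeping in mind with this pattern: SET ROLE is reversible from the same connection (RESET ROLE, or SET ROLE to the other member role), so it limits what an unauthenticated request handler can do through your own code paths, not what an attacker who already executes code on the application server can do. What bounds the latter is the set of roles app_login is a member of at all: never grant it the table-owner or superuser role, and keep schema migrations on a separate credential that the application server does not hold.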

#3


2  

Lock it down. Prevent Mr. Evil from gaining root. I know, easy right?

Write a secure application and keep your application server locked down. Follow best practices there, and that's most of the work.

When I've set up databases in a secure environment, the only server that was on the same physical network with the database server was the application server. There were two ways to access the database server:

  1. Application server
  2. Console

Therefore, in order to compromise the database server, they'd have to compromise the application server.

So, lock down the application server. Of course the only thing worse than being compromised is being compromised and not knowing about it. If you do discover a compromise, you need to fix the vulnerability if there was one. Forensics are important here (enable logs and monitor them). You also need a recovery plan in place.

Prevention, detection, correction, and recovery are paramount.
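An added example, not from the answer, making the "enable logs and monitor them" and "only the application server can reach the database" points concrete for PostgreSQL. The listener address 10.0.0.5 is a constructed value standing in for the database server's interface on the private network; listen_addresses only takes effect after a restart, and per-client host rules (which client address may connect as which role) live in pg_hba.conf, which is outside SQL and not shown here.

```sql
-- Added example, not part of the answer: server settings that leave a
-- usable trail after a compromise and narrow who can reach the listener.
-- Requires superuser (or equivalent) privileges to run.

-- Every connection and disconnection is logged, so an attacker using the
-- stolen application credential from an unexpected host shows up in the log.
ALTER SYSTEM SET log_connections = on;
ALTER SYSTEM SET log_disconnections = on;

-- Log all DDL (CREATE/ALTER/DROP) but not routine DML, which keeps the
-- volume manageable while still recording schema tampering.
ALTER SYSTEM SET log_statement = 'ddl';

-- Prefix each line with timestamp, pid, role, database and client host:port,
-- which is what forensics needs to correlate with application-server logs.
ALTER SYSTEM SET log_line_prefix = '%m [%p] %u@%d %r ';

-- Bind only to the private-network interface the application server sees.
-- 10.0.0.5 is a constructed value; change requires a server restart.
ALTER SYSTEM SET listen_addresses = '10.0.0.5';

-- Apply the logging changes without a restart (listen_addresses waits for one).
SELECT pg_reload_conf();
```

Logging on the database is only half of the detection story the answer asks for: ship these lines off the database host (the answer's off-site copy applies to logs as much as to backups), and alert on connections for the application role that do not originate from the application server's address, since that is exactly the signal a stolen credential produces.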
