Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Securing a database on a shared hosting account


  • Please log in to reply
7 replies to this topic

#1 Dominique1

Dominique1

  •  Avatar image
  • Members
  • 841 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Local time:10:49 PM

Posted 20 January 2024 - 07:53 PM

I've searched for documents on securing a database to prevent cyber threats and also comply to new regulations.  I found an interesting one by IBM.
https://www.ibm.com/topics/database-security

Berkley's one is particularly interesting as a checklist on what to do, or not.
https://security.berkeley.edu/education-awareness/database-hardening-best-practices

Actually, all cloud providers have similar documents (Google, Microsoft, Amazon, ...)  This is all good theories, but on a smaller scale and on a smaller budget, using web hosting kind of forces the developer to do things that are not supposed to be done, ever.  For example:

  • Isolate the database from the website (front end), not the same server.
  • Do not hardcode the database access into the website source code.
  • Log database actions, but not in the database's own space.

These are all things that need to be done when you purchase a website hosting account.  Perhaps that this is a non-issue if 49% of breaches are because of a human error (stats mentioned in the IBM document), and the rest is perhaps because of zero-day exploits and corrupt employees.

To complexify things, another web hosting account can be purchased from another company so the database is really on a different server, and an HTTPS interface can then be designed as a proxy and a firewall to protect the database.  A bad actor might crack the website (front end) account, find out that the database account is on a different account, then try to crack it too.  So, only a matter of time for someone with motivation (and money rewards).

So, what do you think?  What should be done to protect a database on a shared hosting account?



BC AdBot (Login to Remove)

 


#2 Pkshadow

Pkshadow

  •  Avatar image
  • BC Advisor
  • 12,306 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:On the Brow of the Hill, West Coast, Canada
  • Local time:07:49 PM

Posted 20 January 2024 - 08:33 PM

Hi, you do not name your host.  Need to follow the rules of your host and the plan.

 

Question is also generalized so : https://www.google.com/search?client=firefox-b-d&q=What+should+be+done+to+protect+a+database+on+a+shared+hosting+account%3F


" mosquitoes really wake up everyday and choose violence "   — dalia (@_dalia7)
www.cnn.com/2020/07/23/health/mosquitoes-attraction-humans-future-wellness-scn/index.html
 

I-7 ASUS ROG Rampage II Extreme  / ASUS TUF Gaming F17 / I-7 4770K ASUS ROG Maximus VI Extreme


#3 Dominique1

Dominique1
  • Topic Starter

  •  Avatar image
  • Members
  • 841 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Local time:10:49 PM

Posted 20 January 2024 - 10:32 PM

I have not selected a host yet.  The reason to direct the question to hosting solutions is that these resources are easier to access for me.  Any ideas and concepts provided here will help my system development.  Imo, it's better to plan the development ahead instead of a hacker (good or bad) pointing out vulnerabilities of the system.  At that point, to me, it's already too late and damage may have been done.



#4 Dominique1

Dominique1
  • Topic Starter

  •  Avatar image
  • Members
  • 841 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Local time:10:49 PM

Posted 20 January 2024 - 10:37 PM

Question is also generalized so : https://www.google.com/search?client=firefox-b-d&q=What+should+be+done+to+protect+a+database+on+a+shared+hosting+account%3F

The first Google result for this search is actually my BC post#1. :hysterical:  I guess people replying here will also help other fellow developers.  :grinner: 



#5 Dominique1

Dominique1
  • Topic Starter

  •  Avatar image
  • Members
  • 841 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Local time:10:49 PM

Posted 24 January 2024 - 02:41 PM

Not many tip or hint flowing here from security researchers or forensic analysts. :scratchhead:   Would it be because Google search results are complete enough? or there are trade secrets not to be disclosed to keep the edge over treat actors?

I also searched for cyber attack statistics just to have a better idea of today's reality (that may not be the same for tomorrow, of course).  Results seem buried in tons of disappointing search results so I compiled this year's first 20 days of cyber attacks mentioned in BC stories.  Here's what I came up with:

Attached File  BC-Security-20DaysOf2024.gif   14.36KB   0 downloads

tbd is mostly ransomware attacks where the initial point of entry is not disclosed.  It could be stolen credentials through phishing, brute force, a software vulnerability, etc...  What caught my attention is credential stuffing attacks where credential stolen from elsewhere are tested on a new website just to see if it works.  It's not the company's fault per say, but it makes them look bad, for example Jason's Deli.  And not knowing how many users have been affected doesn't help their image either.  Adding code to notify users faster would be a step in the right direction, for example if their login are from a different and unexpected ISP.  I'm going to add that consideration into my system.  You've also got to protect the users from themselves too. :lmao:



#6 xBlueRobot

xBlueRobot

  •  Avatar image
  • BSOD Kernel Dump Expert
  • 404 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:%systemroot%
  • Local time:03:49 AM

Posted 16 February 2024 - 04:26 AM

General tips?

  1. Only expose your database server to your web application server and configure your firewall correctly
  2. Ensure all your SQL queries are parameterised if you're using a SQL-based database
  3. Do not store any credentials in your source code, at least read from a configuration file or a key vault
  4. Ensure that the database user which the web application is using has least privilege i.e. don't give write permissions if it isn't needed
  5. Ideally, have the database server and web application server as separate instances and place them behind some kind of reverse proxy 


#7 Dominique1

Dominique1
  • Topic Starter

  •  Avatar image
  • Members
  • 841 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Local time:10:49 PM

Posted 16 February 2024 - 04:24 PM

Thanks! :busy:



#8 Dominique1

Dominique1
  • Topic Starter

  •  Avatar image
  • Members
  • 841 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Local time:10:49 PM

Posted 23 February 2024 - 08:16 PM

Some further guidelines for inspiration:

https://www.bleepingcomputer.com/news/security/us-govt-shares-cyberattack-defense-tips-for-water-utilities/

:)


Edited by Dominique1, 23 February 2024 - 08:17 PM.





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users