Hi Roberto, This is great information! I've had MFIs and Mifos Specialists ask me the question of the best ways to secure their application and DB servers and this provides an excellent start on some guidelines.
We should definitely get this information up on Mifos.org in our sections for best practices around deploying Mifos and maintaining Mifos installations at MFIs. I'll look into the best location for this on mifos.org.

Thanks,
Aliya

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:mifos-[EMAIL PROTECTED] On Behalf Of Roberto Musso
> Sent: Tuesday, February 19, 2008 2:52 AM
> To: [email protected]
> Subject: [Mifos-developer] MySQL Security
>
> Hi,
> I checked how well the Mifos db implemented on MySQL fits with the security guidelines from MySQL:
> http://dev.mysql.com/doc/refman/5.0/en/security-guidelines.html
>
> Here I report those items and my conclusion:
>
> MySQL Recommendations for Security
>
> See [1]:
>
> When running MySQL, follow these guidelines whenever possible:
>
> 1. Do not ever give anyone (except MySQL root accounts) access to the user table in the mysql database! This is critical.
>
> 2. Learn the MySQL access privilege system. The GRANT and REVOKE statements are used for controlling access to MySQL. Do not grant more privileges than necessary. Never grant privileges to all hosts.
>
> 3. Try mysql -u root. If you are able to connect successfully to the server without being asked for a password, anyone can connect to your MySQL server as the MySQL root user with full privileges! Review the MySQL installation instructions, paying particular attention to the information about setting a root password. See Section 2.4.16.3, "Securing the Initial MySQL Accounts".
>
> 4. Use the SHOW GRANTS statement to check which accounts have access to what. Then use the REVOKE statement to remove those privileges that are not necessary.
>
> 5. Do not store any plain-text passwords in your database. If your computer becomes compromised, the intruder can take the full list of passwords and use them. Instead, use MD5(), SHA1(), or some other one-way hashing function and store the hash value.
>
> 6. Do not choose passwords from dictionaries. Special programs exist to break passwords. Even passwords like "xfish98" are very bad. Much better is "duag98" which contains the same word "fish" but typed one key to the left on a standard QWERTY keyboard. Another method is to use a password that is taken from the first characters of each word in a sentence (for example, "Mary had a little lamb" results in a password of "Mhall"). The password is easy to remember and type, but difficult to guess for someone who does not know the sentence.
>
> Notes on how well Mifos MySQL fits with the recommendations
>
> Points 1, 2, 3 and 4 seem to conform with the recommendations.
>
> Point 5:
> In Mifos the root password is in clear text in the build.properties file: if the file or the password is removed after the installation, this problem will not exist anymore.
> The Mifos password uses the UpdateMifosPassword class to store a hash value.
> Tomcat supplies a class to apply MD5, MD2 or SHA; see Digested Passwords:
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords
>
> Point 6:
> To be investigated
>
> Best Regards
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
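The privilege checks in points 1, 2 and 4 of the quoted guidelines can be automated against the text that SHOW GRANTS prints, which is useful when reviewing a Mifos database before hand-over to an MFI. The script below is an added example written for this thread, not code from Mifos or from the MySQL manual. The four GRANT lines are constructed sample output, and the account names and the `*HASH` placeholder are made up; the audit flags a non-root account that can reach the mysql.user table (point 1), a grant to all hosts or ALL PRIVILEGES on a non-root account (point 2), and prints the REVOKE statement that point 4 recommends for each flagged account.

```python
import re

# Constructed sample output of SHOW GRANTS for four accounts (not taken from
# a real Mifos installation).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON *.* TO 'mifos'@'%' IDENTIFIED BY PASSWORD '*HASH'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `mifos`.* TO 'mifos_app'@'localhost'",
    "GRANT SELECT ON `mysql`.`user` TO 'report'@'10.0.0.%'",
]

# Matches the leading part of a GRANT line: privilege list, scope, user@host.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)


def parse_grant(line):
    """Turn one SHOW GRANTS line into a dict, or None if it is not a GRANT."""
    m = GRANT_RE.match(line.strip())
    if m is None:
        return None
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    scope = m.group("scope").replace("`", "")  # `mysql`.`user` -> mysql.user
    return {"user": m.group("user"), "host": m.group("host"),
            "privs": privs, "scope": scope}


def audit_grant(g):
    """Return the guideline violations found for one parsed grant."""
    findings = []
    db, _, table = g["scope"].partition(".")
    is_root = g["user"] == "root"
    if g["user"] == "":
        findings.append("anonymous account")
    # Guideline 1: only root may reach mysql.user; '*.*' and 'mysql.*' cover it.
    if not is_root and (g["scope"] == "*.*" or
                        (db == "mysql" and table in ("*", "user"))):
        findings.append("G1: can read mysql.user")
    # Guideline 2: never grant to all hosts.
    if g["host"] == "%":
        findings.append("G2: granted to all hosts ('%')")
    # Guideline 2: do not grant more privileges than necessary.
    if not is_root and "ALL PRIVILEGES" in g["privs"]:
        findings.append("G2: ALL PRIVILEGES on non-root account")
    return findings


def suggested_revoke(g):
    """Guideline 4: the REVOKE statement that strips the flagged grant."""
    return "REVOKE %s ON %s FROM '%s'@'%s';" % (
        ", ".join(g["privs"]), g["scope"], g["user"], g["host"])


def audit_grants(lines):
    """Map each 'user@host' to its list of findings (empty list = clean)."""
    report = {}
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        report["%s@%s" % (g["user"], g["host"])] = audit_grant(g)
    return report


if __name__ == "__main__":
    for line in SAMPLE_GRANTS:
        g = parse_grant(line)
        findings = audit_grant(g)
        status = "OK" if not findings else "; ".join(findings)
        print("%s@%s: %s" % (g["user"], g["host"], status))
        if findings:
            print("  " + suggested_revoke(g))
```

Feed it the output of `SHOW GRANTS FOR 'user'@'host'` for each account listed in mysql.user, one line per grant; the root account is exempted from the scope and privilege checks because the guidelines assume it holds full rights, so a passwordless root (point 3) still has to be verified by the `mysql -u root` test quoted above.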
