Skill Check Securing MySQL
Examine this command and output:
SHOW STATUS LIKE 'Connection_control%';
+------------------------------------+-------+
| Variable_name                      | Value |
+------------------------------------+-------+
| Connection_control_delay_generated | 7     |
+------------------------------------+-------+
1 row in set (#.## sec)
Which is true?
MySQL server added a delay for failed connection attempts seven times.
The maximum possible added delay is seven milliseconds.
A seven millisecond delay is added for each consecutive connection failure.
Seven successive failures are permitted before adding a delay.
Answer:
MySQL server added a delay for failed connection attempts seven times.
Explanation:
• Inspect the value of the Connection_control_delay_generated status variable.
– It counts the number of times the server added a delay for a failed connection attempt.
– Example: the SHOW STATUS output shown in the question above.
• Consider installing the CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS plugin.
– It creates a table in the Information Schema to maintain more detailed information about failed connection attempts.
– The Connection-Control plugin populates the table.
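As an added example (SQL, not code from the original page), here is how a DBA would enable Connection-Control, set its thresholds, and then read back both the global counter from the question and the per-account Information Schema table mentioned above. Plugin, variable, status and table names are the documented MySQL ones; the threshold and delay values are illustrative choices.

```sql
-- Added example: enabling MySQL Connection-Control and reading its counters.
-- Library name is connection_control.so on Linux (connection_control.dll on Windows).

-- CONNECTION_CONTROL adds the delay; CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
-- exposes per-account failure counts through an INFORMATION_SCHEMA table.
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';

-- Illustrative policy: start delaying after 3 consecutive failures for the same
-- account; the delay grows from 1 s up to a cap of 30 s (values in milliseconds).
SET GLOBAL connection_control_failed_connections_threshold = 3;
SET GLOBAL connection_control_min_connection_delay = 1000;
SET GLOBAL connection_control_max_connection_delay = 30000;
-- On MySQL 8.0 use SET PERSIST instead of SET GLOBAL (or my.cnf on 5.7)
-- so the settings survive a restart.

-- Connection_control_delay_generated counts how many times a delay was added
-- (the "7" in the question). It is a single global counter, so it does not
-- say which account was being hammered.
SHOW GLOBAL STATUS LIKE 'Connection_control%';

-- Per-account view of consecutive failures; a row is reset when that account
-- logs in successfully. This is the table the second plugin maintains.
SELECT USERHOST, FAILED_ATTEMPTS
  FROM INFORMATION_SCHEMA.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
 ORDER BY FAILED_ATTEMPTS DESC;

-- A threshold of 0 turns the delay off entirely.
-- SET GLOBAL connection_control_failed_connections_threshold = 0;
```

The two views are complementary: the status variable is cheap to poll from a monitoring check, while the Information Schema table is what you query when the counter jumps and you need to know which user@host to look at.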
Which command displays the name of the file containing a server’s digital certificate?
mysql> SHOW GLOBAL VARIABLES LIKE 'ssl_cipher';
mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher%'\G
mysql> SHOW GLOBAL VARIABLES LIKE 'ssl_%';
mysql> SHOW SESSION STATUS LIKE 'Ssl_version';
Answer:
mysql> SHOW GLOBAL VARIABLES LIKE 'ssl_%';
Explanation:
The following is an example displaying the current name of the file in the data directory that contains the list of trusted Certificate Authorities:
mysql> SHOW GLOBAL VARIABLES LIKE 'ssl_ca';
+---------------+--------+
| Variable_name | Value  |
+---------------+--------+
| ssl_ca        | ca.pem |
+---------------+--------+
1 row in set (0.00 sec)
Which command registers the appuser@apphost account for firewall training?
CALL mysql.sp_set_firewall_mode('appuser@apphost', 'PROTECTING')
CALL mysql.sp_set_firewall_mode('appuser@apphost', 'OFF')
CALL mysql.sp_set_firewall_mode('appuser@apphost', 'RECORDING')
CALL mysql.sp_set_firewall_mode('appuser@apphost', 'RESET')
Answer:
CALL mysql.sp_set_firewall_mode('appuser@apphost', 'RECORDING')
Explanation:
Registering Accounts with the Firewall
Register an account by setting its initial firewall mode.
• The account name is in the full user@host format, stored as a single string.
• To register an account that is not initially controlled by the firewall, set the mode to OFF.
• To register an account for firewall training, set the initial mode to RECORDING.
– If you set an initial mode of PROTECTING, the account cannot execute any statements because its whitelist is empty.
Which statements are true about Brute Force attacks? (Choose two)
They are slow as they require lots of CPU.
They perform hashing operations on combinations of dictionary words and characters.
They match target password hashes against rainbow tables.
They perform hashing operations on the characters to find matching hashes.
They compare password hashes against the stored hashes in the MySQL database.
Answer:
They are slow as they require lots of CPU.
They perform hashing operations on the characters to find matching hashes.
Explanation:
How Attackers Derive Passwords
Attackers can derive plain text passwords from hashed passwords by using the following techniques:
• Brute force algorithms perform the hashing algorithm on many combinations of characters to find matching hashes.
– These attacks are very slow and require large amounts of computation.
• Dictionary attacks perform hashing operations on combinations of dictionary words and other characters.
– These are fast if the password is not secure.
• Rainbow tables are made up of the first and last hashes in long chains of repeatedly hashed and reduced passwords.
– When you run a target password hash through the same algorithm chain and find a match to the end of a stored chain, you can derive the password by replaying that chain.
After firewall training is complete, which modes will make the statement digest persistent in the account’s whitelist cache? (Choose two)
RECORDING
PROTECTING
OFF
DETECTING
RESET
Answer:
OFF
PROTECTING
Explanation:
Training the Firewall
• Register the account in RECORDING mode.
• The firewall creates a normalized statement digest for each statement and places the digest in the account's whitelist cache.
• Switch the mode to PROTECTING or OFF when training is complete to persist the whitelist.
– The firewall persists the cache when you change the account's mode.
– If you restart the mysqld process while in RECORDING mode, any changes to that account's whitelist cache are lost.
• Return to RECORDING mode to learn new statements if the application changes.
– Changing mode from OFF or PROTECTING to RECORDING does not clear the account's whitelist.
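As an added example that is not part of the original page, the following SQL walks the account from the registration question (appuser@apphost) through the whole firewall lifecycle described in the two firewall explanations above: RECORDING, inspecting the cache, PROTECTING, monitoring, and retraining. Procedure, table and status-variable names are the documented MySQL Enterprise Firewall ones (the pre-8.0.26 "whitelist" naming this page uses); the application statements shown in comments are constructed for illustration.

```sql
-- Added example: MySQL Enterprise Firewall lifecycle for one account.
-- Requires the firewall to be installed (Enterprise Edition).

-- 1. Register the account in RECORDING mode. This is the "training" state:
--    the account is now controlled by the firewall but nothing is blocked yet.
CALL mysql.sp_set_firewall_mode('appuser@apphost', 'RECORDING');

-- 2. Run the application's normal workload as appuser so the firewall records
--    a normalized digest for each distinct statement shape. Constructed
--    examples of what the application might issue:
--    SELECT id, name FROM app.customers WHERE id = 42;
--    UPDATE app.customers SET last_seen = NOW() WHERE id = 42;
--    Literal values are normalized away, so the digest matches id = 43 as well.

-- 3. Inspect what has been learned. The INFORMATION_SCHEMA views reflect the
--    in-memory cache; mysql.firewall_whitelist only gains rows once the mode
--    is changed away from RECORDING (a restart in RECORDING mode loses them).
SELECT USERHOST, RULE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'appuser@apphost';

-- 4. (Optional staged rollout) DETECTING persists the cache and logs
--    statements that do not match, but still lets them run.
CALL mysql.sp_set_firewall_mode('appuser@apphost', 'DETECTING');

-- 5. PROTECTING: the cache is persisted and every statement whose digest is
--    not in the whitelist is rejected.
CALL mysql.sp_set_firewall_mode('appuser@apphost', 'PROTECTING');

-- Confirm the stored mode and the persisted rules.
SELECT USERHOST, MODE FROM mysql.firewall_users     WHERE USERHOST = 'appuser@apphost';
SELECT USERHOST, RULE FROM mysql.firewall_whitelist WHERE USERHOST = 'appuser@apphost';

-- 6. Monitor. Rejected statements increment Firewall_access_denied;
--    with mysql_firewall_trace enabled they are also written to the error log.
SET GLOBAL mysql_firewall_trace = ON;
SHOW GLOBAL STATUS LIKE 'Firewall_%';

-- 7. Application changed? Go back to RECORDING (existing rules are kept),
--    exercise only the new statements, then return to PROTECTING.
-- CALL mysql.sp_set_firewall_mode('appuser@apphost', 'RECORDING');
-- ... run the new workload as appuser ...
-- CALL mysql.sp_set_firewall_mode('appuser@apphost', 'PROTECTING');
```

The point of step 4 is operational: a burst of Firewall_access_suspicious entries while in DETECTING mode tells you training was incomplete before any legitimate query is blocked in production.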
The --ssl-mode option in your configuration is VERIFY_CA. What does this do? (Choose two)
It establishes secure connections or fails if unable to do so.
It checks whether host names match the Common Name value in the server certificate.
It establishes secure connections if it can, but if not then insecure connections are established.
It verifies server digital certificates with the Certificate Authority.
It verifies that server digital certificates match the MySQL server hosts.
Answer:
It establishes secure connections or fails if unable to do so.
It verifies server digital certificates with the Certificate Authority.
Explanation:
Setting Client Options for Secure Connections
Use the --ssl-mode option, which accepts the following values:
• PREFERRED: Establishes a secure connection if possible or falls back to an insecure connection. This is the default if --ssl-mode is not specified.
• DISABLED: Establishes an insecure connection.
• REQUIRED: Establishes a secure connection if possible or fails if unable to establish a secure connection.
• VERIFY_CA: As for REQUIRED, but also verifies the server digital certificate with the Certificate Authority.
• VERIFY_IDENTITY: As for VERIFY_CA, but also verifies that the server digital certificate matches the MySQL server host.
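To tie the server-side ssl_% variables from the certificate question to the client --ssl-mode values listed here, the following SQL is an added example (not from the original page). It shows which variable names which file, how a session can confirm it is actually encrypted, and how to enforce encryption on the server side so that a client left at the PREFERRED default cannot silently fall back to plaintext. Variable, status, table and privilege names are the documented MySQL ones; the account appuser@apphost comes from this page, and the CA file path in the comment is a placeholder.

```sql
-- Added example: verifying and enforcing TLS on a MySQL server.

-- Which files the server loaded. ssl_cert is the server's own certificate,
-- ssl_key its private key, and ssl_ca the CA bundle (the ca.pem shown in
-- the explanation). Relative paths are resolved under datadir.
SHOW GLOBAL VARIABLES LIKE 'ssl_%';
SHOW GLOBAL VARIABLES LIKE 'tls_version';   -- protocol versions the server allows

-- Client side, for comparison (placeholder CA path; run from a shell, not SQL):
--   mysql --ssl-mode=VERIFY_CA --ssl-ca=/path/to/ca.pem -u appuser -h apphost
-- VERIFY_CA checks the chain against that CA; VERIFY_IDENTITY also checks
-- that the certificate's name matches the host you connected to.

-- Inside a session, confirm the connection really is encrypted:
-- Ssl_cipher is empty on a plaintext connection.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';

-- --ssl-mode only governs what one client accepts. Because PREFERRED (the
-- default) falls back to plaintext, enforce encryption on the server so a
-- misconfigured client is refused rather than connected in the clear.
SET PERSIST require_secure_transport = ON;   -- MySQL 8.0; use my.cnf on 5.7

-- Or enforce per account. REQUIRE X509 additionally demands that the client
-- present a certificate signed by a CA in ssl_ca.
ALTER USER 'appuser'@'apphost' REQUIRE SSL;

-- Audit: which connected sessions are using TLS (empty cipher = plaintext).
SELECT t.PROCESSLIST_USER, t.PROCESSLIST_HOST, s.VARIABLE_VALUE AS ssl_cipher
  FROM performance_schema.threads t
  JOIN performance_schema.status_by_thread s
    ON s.THREAD_ID = t.THREAD_ID AND s.VARIABLE_NAME = 'Ssl_cipher'
 WHERE t.PROCESSLIST_ID IS NOT NULL;
```

Run the audit query before turning on require_secure_transport: any row with an empty ssl_cipher is a client that will start failing once the server insists on TLS.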