If the scripts don't use prompting and somehow know the DB password, then the attacker can execute any of your scripts and do those same things.

If you ask for a password, you will have to give it to some people, who will put it in their scripts, or make a password for each user, which provides multiple passwords to guess (and they'll still put it in their scripts).

Perhaps one thing to consider is to have a no-password user that can do only SELECT on appropriate tables and can only log in from particular hosts, and to require passwords and other users for more sensitive functions?

If you want to hide the password, you could always have a 2-part system. Although you can do very complicated things, XOR (bitwise exclusive or, which is in Perl and most other languages) can also be your friend. It is simple for the admin, and for the attacker no one piece is useful. An automated attacker might move on to more fertile ground. You can even keep one of the parts on another host and fetch it with wget or NFS or whatever. That way it could be shut off as part of a tripwire system.

Meanwhile, maybe you need some tripwires or honeypots of sorts, so that if the bad guys come calling you can give them disinformation or even shut things off quicker. I like fail2ban for active firewalling. It can scan log files and block IP addresses that are sending you crud you don't want, based on anything that is showing up in your logs. It uses regexps and any log file to define an incident, and has some flexibility in the rules engine.
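The "2-part system" the answer describes, as an added example in Python rather than Perl (this is not code from the post): the password is split into a random pad and the password XOR that pad, each stored as a separate 0600 file. The file names and helper functions are assumptions for the example; the second file stands in for the part the post suggests keeping on another host.

```python
"""Two-part password storage using XOR (added example, not from the post).
The file layout (a local part plus a part normally fetched from elsewhere)
and the helper names are assumptions made for this illustration."""
import os
import secrets
import tempfile


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Split `secret` into two parts whose XOR is the secret.

    part_a is a fresh random pad of the same length, so each part on its own
    is uniformly random and reveals nothing about the secret (a one-time pad).
    """
    part_a = secrets.token_bytes(len(secret))
    part_b = bytes(s ^ a for s, a in zip(secret, part_a))
    return part_a, part_b


def join_parts(part_a: bytes, part_b: bytes) -> bytes:
    """Recombine the parts. A length mismatch means one file was truncated or
    swapped, so refuse rather than silently producing a wrong password."""
    if len(part_a) != len(part_b):
        raise ValueError("secret parts differ in length")
    return bytes(a ^ b for a, b in zip(part_a, part_b))


def write_part(path: str, data: bytes) -> None:
    """Create the file with mode 0600 from the start (no world-readable window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def read_part(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def round_trip_demo() -> bool:
    """Store a constructed sample password as two files and recover it.

    In real use the second file would live on another host (fetched with
    wget or NFS, as the post suggests); here both go in a temp dir so the
    example runs offline."""
    sample = b"example-db-password-not-real"  # constructed sample value
    part_a, part_b = split_secret(sample)
    with tempfile.TemporaryDirectory() as d:
        local_path = os.path.join(d, "db.part1")
        remote_path = os.path.join(d, "db.part2")  # stands in for the remote copy
        write_part(local_path, part_a)
        write_part(remote_path, part_b)
        recovered = join_parts(read_part(local_path), read_part(remote_path))
    # Neither stored part equals the secret, but together they rebuild it.
    return recovered == sample and part_a != sample and part_b != sample


if __name__ == "__main__":
    print("round trip ok:", round_trip_demo())
```

The split only raises the bar against casual disclosure of a single file: whoever can read both parts, or run the script as the same user, still obtains the password, which is why the post pairs it with restricted database accounts and a tripwire on the remote part.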
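The fail2ban idea from the last paragraph, reduced to its core as an added example (this is not fail2ban's own code): a failure pattern with a `<HOST>` placeholder, a `maxretry` count and a `findtime` window, applied to constructed syslog-style lines. The sample log lines, the pattern and the function names are all constructed for this illustration.

```python
"""Minimal fail2ban-style incident scanner (added example, not fail2ban's
code). It imitates the failregex/<HOST>/maxretry/findtime idea on
constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sample lines for the example (not real logs).
SAMPLE_LOG = """\
Mar 10 12:00:01 db sshd[101]: Failed password for root from 203.0.113.5 port 5001 ssh2
Mar 10 12:00:03 db sshd[102]: Failed password for root from 203.0.113.5 port 5002 ssh2
Mar 10 12:00:04 db sshd[103]: Accepted publickey for alice from 198.51.100.7 port 5003 ssh2
Mar 10 12:00:06 db sshd[104]: Failed password for invalid user admin from 203.0.113.5 port 5004 ssh2
Mar 10 12:00:09 db sshd[105]: Failed password for root from 198.51.100.9 port 5005 ssh2
Mar 10 12:20:00 db sshd[106]: Failed password for root from 198.51.100.9 port 5006 ssh2
Mar 10 12:20:01 db sshd[107]: Failed password for root from 198.51.100.9 port 5007 ssh2
"""

# Pattern in the spirit of fail2ban filters: <HOST> marks the source address.
FAILREGEX = r"Failed password for .* from <HOST> port \d+"

HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TIMESTAMP_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")


def compile_failregex(pattern: str) -> re.Pattern:
    """Turn a <HOST>-style pattern into a regex with a named 'host' group."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def parse_timestamp(line: str, year: int = 2024):
    """Syslog lines carry no year; assume one so timestamps are comparable."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Return hosts with at least maxretry matching lines inside a
    findtime-second window, in the order they would be banned.
    Lines are assumed to be in chronological order, as in a log file."""
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        m = rx.search(line)
        ts = parse_timestamp(line)
        if not m or ts is None:
            continue
        host = m.group("host")
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        # Drop hits older than findtime relative to the newest one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", find_offenders(SAMPLE_LOG))
```

With the defaults, 203.0.113.5 crosses three failures within ten minutes and would be banned, while 198.51.100.9 does not because its first failure falls outside the window by the time the next two arrive; widening `findtime` or lowering `maxretry` changes that, which is the tuning trade-off between catching slow attempts and banning legitimate users who mistype.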