Preventing Attacks
Structured Query Language (SQL) injection inserts malicious SQL statements into web forms or into the queries a domain or page sends, so that the database server executes them. Database protection uses an SQL injection feature library, with context-based learned patterns and a rating mechanism, to comprehensively identify and block SQL injections against customers' databases in real time.
Scenario
Figure 1 shows the database attack defense architecture.
After purchasing a database protection instance, you can protect a self-built database in HUAWEI CLOUD Elastic Cloud Server (ECS) against SQL attacks. Table 1 describes the example database information.
This section describes how to perform comprehensive diagnosis on SQL injection based on the learned pattern rules you create and to block SQL injection statements in real time.
Step 1: Connect a Database to the Database Protection Management System (HexaTier)
After purchasing a database protection instance, you need to connect your database to the database protection management system (HexaTier), configure a log storage path, add a protected database, and modify the configuration file on the service side. Then you can use the monitoring, data reduction, log, and database protection policy functions.
- Log in to the management console.
- Go to the database protection login page.
- Enter the login username (admin) and password. Then click Log In or press Enter, as shown in Figure 3.
- Configure a log storage path.
To meet compliance requirements, HexaTier remotely stores logs for future audit and evidence collection. After logging in to HexaTier, you must configure the log storage location before you can enable the monitoring and data reduction functions, and view logs.
- Go to the page for configuring remote logs, as shown in Figure 4.
- On the Log Repository Configuration page, set remote log parameters, as shown in Figure 5.
- Click Test.
- Click Update.
- Add a protected database.
To protect a database instance, connect it to HexaTier. After you add the protected database, you can configure sensitive data masking rules and enable the sensitive data discovery function on the HexaTier console.
- Go to the page for creating a protected database, as shown in Figure 6.
- On the Log Repository Configuration page, set remote log parameters, as shown in Figure 7.
- Click Create. The created database is displayed in the protected database list.
- Modify the service side configuration file.
The HexaTier proxy address and port are required for your firewall policies to take effect on protected databases. In the service side configuration file, set the database IP address to the floating IP address of the database protection instance used for logging in to HexaTier, and set the database port number to the proxy port of the protected database.
Manually modify the IP address and port number of every protected database in the service side configuration file. A database that the application still reaches directly, rather than through the proxy, is not covered by the firewall policies.
- Obtain the floating IP address (192.168.1.95) of the instance, as shown in Figure 2.
- Obtain the proxy port (3306) of the protected database, as shown in Figure 8.
- After you log in, specify the floating IP address of the DBSS instance and the proxy port of the protected database in the service side configuration file.
The following uses a JDBC configuration as an example:
data.datasource.url=jdbc:mysql://192.168.1.95:3306/test
- Save the configuration file and restart the application.
After the configuration is complete, log in to HexaTier, choose Dashboard > Protected Database Servers: Topology and check whether the protected database is successfully connected.
- Connection failed or not set up: The connection between the service side and DBSS failed or has not been set up. If the connection failed, rectify the fault by referring to Database Protection Cannot Connect to the Target Database.
- Connected: The protected database is connected.
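Because a datasource that still points at the database host directly bypasses the firewall policies, it is worth checking every JDBC URL in the service side configuration before looking at the topology view. The following is an added example (not part of the original page or of HexaTier) that scans a Java properties file for JDBC URLs and reports any that do not target the proxy endpoint; the proxy host and port are the page's example values, and the properties file content is constructed.

```python
"""Report JDBC URLs in a properties file that bypass the DBSS proxy endpoint."""
import re

# Added example, not HexaTier code. Proxy endpoint values come from the
# page's example: the instance floating IP and the protected database's proxy port.
PROXY_HOST = "192.168.1.95"
PROXY_PORT = 3306

# Handles jdbc:<driver>://host[:port]/... URLs; other JDBC URL shapes
# (for example Oracle thin URLs) are out of scope for this example.
_JDBC_RE = re.compile(
    r"^jdbc:(?P<driver>[a-z0-9]+)://(?P<host>[^:/?#]+)(?::(?P<port>\d+))?(?P<rest>.*)$"
)
DEFAULT_PORTS = {"mysql": 3306, "postgresql": 5432, "sqlserver": 1433}


def parse_jdbc_url(url):
    """Return (driver, host, port) or None if the URL is not in the expected shape."""
    m = _JDBC_RE.match(url.strip())
    if not m:
        return None
    driver = m.group("driver")
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS.get(driver)
    return driver, m.group("host"), port


def find_bypassing_urls(properties_text, proxy_host=PROXY_HOST, proxy_port=PROXY_PORT):
    """Return [(key, url)] for every JDBC property that does not point at the proxy."""
    bypassing = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if not value.startswith("jdbc:"):
            continue
        parsed = parse_jdbc_url(value)
        if parsed is None or parsed[1] != proxy_host or parsed[2] != proxy_port:
            bypassing.append((key.strip(), value))
    return bypassing


# Constructed sample: one datasource routed through the proxy, a second one
# still pointing at a (constructed) database host, which the firewall never sees.
SAMPLE_PROPERTIES = """\
# application.properties (constructed sample)
data.datasource.url=jdbc:mysql://192.168.1.95:3306/test
report.datasource.url=jdbc:mysql://10.0.0.12:3306/test
"""

if __name__ == "__main__":
    for key, url in find_bypassing_urls(SAMPLE_PROPERTIES):
        print(f"{key} bypasses the DBSS proxy: {url}")
```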
Step 2: Configure a Learned Pattern Rule and a Query Pattern Group Firewall Rule
This section describes how to configure a learned pattern rule and create a database firewall rule based on a query pattern group.
- Configure a learned pattern rule.
- Go to the database security policy page, as shown in Figure 9.
- On the Create Database Security Rule page, create a learned pattern rule, as shown in Figure 10.
- Click Create.
- Go to the learned pattern page, as shown in Figure 11.
- On the Create New Query Pattern page, configure a learned pattern library, as shown in Figure 12.
- Click Create.
- Create a firewall rule for the query pattern group based on the result of the learned pattern library.
- Go to the database security policy page, as shown in Figure 13.
- On the Create Database Security Rule page, create a rule for the query pattern group based on the result of the learned pattern, as shown in Figure 14.
- Click Create.
Step 3: Configure an SQL Injection Risk Engine
- Go to the page for configuring the SQL injection risk engine, as shown in Figure 15.
- On the SQL Injection - Risk Engine Configuration page, set the weights of risk factors, as shown in Figure 16.
- Click Save.
Step 4: Configure a Risk-based IDS Rule
The risk engine defines protection against SQL injection attacks. You can set the weights (1 to 100) of its risk factors.
- Go to the database security policy page, as shown in Figure 17.
- On the Create Database Security Rule page, create a risk-based IDS rule, as shown in Figure 18.
- Click Create.
Step 5: View Intrusion Logs
In the left navigation pane, choose Intrusion Logs to view intrusion events.
You can click an event log to view details.