Defending Against Attacks

Several fairly straightforward defensive measures exist that you can take against all of the attacks mentioned in this chapter. Most of these points are covered in further detail in Chapter 16, “Securing Sybase,” but for now, here is a brief overview:

  • Ensure that your server is patched up-to-date.
  • Protect your Sybase servers with firewalls.
  • Have a stringent firewall ruleset that filters outbound traffic as well as inbound traffic. Depending on your configuration there may be no need for the Sybase server to ever initiate an outbound TCP connection, or send any UDP traffic.
  • Apply a firewall ruleset on the Sybase server itself; for example, if you are using Linux, use IPTables. The IPSec mechanism in Windows server platforms also affords some measure of protection.
  • Never permit a web application to connect to the Sybase server as an administrative account (sa or sso_role).
  • If possible, use an alternative authentication method. The “standard” authentication mode is not sufficient.
  • If you are not using Java, don't enable it. In fact, deliberately removing some Java components might be a good idea.
  • Similarly, if you are not using external filesystem access, don't enable it.
  • If possible, run Sybase as a low-privileged user.
  • Apply appropriate filesystem permissions, to ensure that even if users were able to compromise the Sybase database, they would not be able to gain administrative control over the server itself.
  • Ensure that access to xp_cmdshell is appropriately ...
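
The host-level ruleset with outbound filtering described in the firewall items above, as an added example that is not from the book. It assumes a Linux host with a Sybase listener on TCP 5000 and SSH administration on TCP 22; the function name and the addresses (documentation range 192.0.2.0/24) are constructed for illustration.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a dedicated Sybase host.
# Assumptions (not from the book): listener on TCP 5000 unless a port is given,
# SSH on 22 for administration, one application server, one admin workstation.

sybase_ruleset() {
    app_ip=$1; admin_ip=$2; port=${3:-5000}

    # Shape-check the inputs so a CIDR like 0.0.0.0/0 or a typo cannot
    # silently turn a single-source rule into a wide-open one.
    for ip in "$app_ip" "$admin_ip"; do
        printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
            echo "bad address: $ip" >&2; return 1; }
    done
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "bad port: $port" >&2; return 1; }

    # Default-deny in every chain. OUTPUT only allows replies on TCP
    # connections that a client opened, so the database host cannot start an
    # outbound TCP connection or send any UDP (DNS and NTP included; add
    # explicit rules if your configuration needs them).
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s $app_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s $admin_ip --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "sybase-egress-drop: "
COMMIT
EOF
}

# Print the ruleset for the constructed sample addresses.
sybase_ruleset 192.0.2.10 192.0.2.20
```

The output can be checked with `iptables-restore --test` before it is loaded. The LOG rule records every blocked outbound attempt, which is worth alerting on for a host that should never initiate traffic.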
