Force memsql to listen in localhost only

kyz · August 26, 2019, 6:44am

So, i don’t know why, no ssh breaking attempt, but memsql database wiped out
but since it’s only demo project, i don’t create a backup script and data lost is not a problem.
there’s a PLEASE_READ_ME_VVV database in the memsql localhost cluster, and there’s WARNING table contains:

| id | warning                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Bitcoin_Address                    | Email              |
|  1 | To recover your lost Database send 0.03 Bitcoin (BTC) to our Bitcoin address 1756fmLS26s7yNBFeaqfbgXoRcieuA9xox and contact us by Email with your Server IP or Domai
n name and a Proof of Payment. Your Database is downloaded and backed up on our servers. Backups that we have right now: cluster, memsql. Any email without your server IP
Address or Domain Name and a Proof of Payment together will be ignored. If we dont receive your payment in the next 10 Days, we will delete your backup. | 1756fmLS26s7yNBF
eaqfbgXoRcieuA9xox | dbackups2019@pm.me |

The question is, I used cluster in a box configuration, but netstat shown that the memsql server still listen in all address (which probably causes the hack)

tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      831/memsqld         
tcp        0      0 0.0.0.0:3307            0.0.0.0:*               LISTEN      829/memsqld

from the log, there’s bunch of bruteforce attempt from various ip addresses:

3232702503326 2019-08-22 16:48:21.533  ERROR: ProcessHandshakeResponsePacket() failed. Sending back 1045: Access denied for user 'root'@'88.214.26.17' (using password: YES
)

from the full log, it shown that the attacker managed to guess memsql default password (which i don’t know what it is…) then drop the database (no queries that looks it backing up the database first).

how to make memsql listen only in localhost? and why cluster-in-a-box doesn’t listen to localhost only by default?

david · August 26, 2019, 4:12pm

Did you use the memsql/cluster-in-a-box Docker image? This Docker image configures a root user without a password. The memsql/cluster-in-a-box Docker image is only recommended for quick prototypes and testing against MemSQL (and not recommended for production use cases). For production use cases, you should install MemSQL in a way where you can lock down the root user with a secure password.

kyz · August 26, 2019, 10:45pm

no, not a docker image.

jack · August 28, 2019, 8:35pm

I’m sorry to hear that you experienced this. It seems like no actual data was present in the cluster - the databases mentioned are cluster and memsql which are both internal databases which store MemSQL metadata. Since no data was lost, the simplest way to proceed is to delete and reinstall the cluster. If you had data, you could also restore a backup onto the new cluster.

The cluster-in-a-box installation configures a default root user without a password. (However, note that the non-cluster-in-a-box installation does require configuring a password during the installation with the --password option.) You should configure a password by following the instructions on SingleStoreDB Cloud · SingleStore Documentation. Did you install MemSQL with memsql-deploy cluster-in-a-box? If so, then configure a root password by running:


memsql-admin change-root-password --all --yes --password <secure_password>

We strongly recommend configuring your firewall to restrict which hosts can access MemSQL. For some examples, see SingleStoreDB Cloud · SingleStore Documentation. In addition, you can configure the MemSQL user accounts to accept connections from specific hosts: for example, for a cluster-in-a-box configuration where you only wish to accept connections from localhost, replace the user 'root'@'%' with 'root'@'localhost' on each node by running:


GRANT ALL ON *.* TO 'root'@'localhost' IDENTIFIED BY 'secure_password';

DROP USER 'root'@'%';

on each node. The password should be the same password as you previously set.

I will also add that we have been changing the installation defaults to be more secure by default. The non-cluster-in-a-box installation requires configuring a password during the installation; we are also planning on changing the cluster-in-a-box installation to require this as well.