Half a Million Database Servers 'Have no Firewall'
An anonymous reader writes "There are nearly half a million database servers exposed on the Internet, without firewall protection according to UK-based security researcher David Litchfield."
I thought letting the accessible through the public IP is the first step to separate Application-server and DB-server. DB-Server {internet} App-Server
no comments?
Politics is Treachery, Religion is Brainwashing
This isn't so surprising:
The world at large is uninterested and/or unaware of security when it comes to computers.
Given the approach he took, he could have checked for PostgreSQL and MySQL as well, which are presumably much more widespread (?) than the ones he was looking for...
"If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
My server is in county lock up for exposing itself.
Thank you; I'll be here all week.
Virginia is for lovers. EVE is for griefers.
How many of these are production systems and not just developer's toys? If production systems, how many are mission-critical?
Oh, yeah, it's not easy to pad these out to 120 characters.
My db servers are behind no firewall but they listen only on localhost or sockets ... the link between application and db is done by intermediate https layer.
What's the fuss then?
In fire we trust http://www.getoto.net
1. Because everyone knows that a firewall is the end all and be all of security.
2. How do they know they don't have a firewall and not just an open port?
3. Open port != DB server. "Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle's database."
4. Not all DBs are huge corporate DBs. Hell, some versions of MS Office install SQL on your computer.
5. Maybe some of them actually need/want to have remote people access them (and they don't know about VPNs(lolz))
6. Yeah some people should get their shit together
Did Mr. Litchfield crash his BMW and wants a new one? This just smacks of "ZOMG!!! Ur ports are open, give me ur monies and I will fix u!" His company is even linked in the fourth paragraph. Next please.
Is that all?
"With no firewall, databases are exposed to hackers, putting corporate data at risk." How does he draw the conclusion that these are corporate databases? Nothing in the methodology provides this insight. I would expect that the majority of these are owned by kids and hobbyists, which would help to explain the preponderance of MS SQL servers over Oracle.
Also, the sample of 1 million is very small to be drawing these conclusions.
In short, "Nothing to see here - move along."
Yes, off-topic but... whoever keeps tagging this stories with a variation of "don't tase me bro," cut it out! What's it going to be for this story? Don't expose me bro?
Um, not quite. You missed something too:
the proper setup looks like this
{internet}
|
firewall
|
app-servers
|
db-servers
Just because the listener is accessible on port 1521 from the outside doesn't mean the database itself is directly available. Depending on what identification method is set up, you may have to identify yourself to the listener first using one of many ID schemes before the listener will connect you to the database itself, which may be well protected behind a firewall.
I wish he had known what he was writing about before he actually wrote the damn article.
If you mod me down, I *will* introduce you to my sister!
# iptables -I INPUT 1 -p tcp --dport 3306 -j DROP -- how hard can that be?
And the default combination of "root" and no password isn't as insecure as you think, because you still need to originate queries on the machine itself. You would have to get a web hosting account on the server (or find some idiot who wasn't chmod-ing uploaded files non-executable) in order to muck about. Or rather, giving each hosting customer their own database username and password and only GRANTing them permissions on their own databases is no more secure than having users use "root". Think about it; if you were running scripts on the server, then you could look in files in other people's home directories, where their database username and password would be clearly visible. There is no* workaround, either; the apache daemon has to have read access to every user's scripts, including the code used to undo any ad hoc obfuscation applied by users to passwords.
* Actually, you probably could have every user run an instance of httpd in their name, and listening on a non-privileged port which was firewalled off from the outside world. You'd then need one "master" server configured with a module which would do nothing but route incoming requests to specific ports based on hostname. I dread to think how slowly this would run.
Je fume. Tu fumes. Nous fûmes!
We don't need no education, we don't need a firewall...
-- Rastignac was here.
Give me Marcus, Bruce, or these guys any day. When is the security industry going to move on from this FUD?
Next! AG.
Well, if the database management systems were themselves securely written like web servers typically are [supposed to be], there mightn't be a problem. We've known since the late 1970s that hierarchical databases suck and relational is the way forward. But the web remains rooted in a "services show a hierarchy" paradigm. Maybe what we NEED is a "world wide virtual database". That is the vision of http://ap5.com/wwvdb.html but unfortunately it's (a) in lisp (nothing against lisp, I love it, but it still tends to scare off people) and (b) not open source, just source-available (no redistribution rights).
I don't want to sound like a shill, but isn't this the rationale behind SOAP and such? Why leave a DB port open on the Internet? I agree that TFA may be blowing things out of proportion, but still, it seems like an unnecessary risk. At a minimum, IP-filter the port. Do something other than let Joe Script-Kiddie find the port and (depending on the DB software) crack your system.
In a single-server web/application server and database scenario, for example, where the database really only needs to communicate with the application server on loopback or localhost, the default setup probably listens on the first active IP address it finds (something is telling me that that has been the case with SQL Server for a long time, although I have to admit that I haven't installed SQL Server or Oracle of any kind for a long time either). It's then the admin's job to make it safe. I am sure that the same will apply to MySQL or Postgres, although I seem to recall that the default action is to listen on localhost. It would be an interesting exercise to see if a scan for MySQL and Postgres turned up similar results.
... how many IP addresses have their TCP port 80 opened? Maybe let's start with installing firewall on 83.138.183.169, so I don't have to waste time reading useless research.
Litchfield said that, given the amount of press generated by corporate data breaches over the past two years, it's amazing to find that there are more databases exposed than ever before.
No it isn't. Now, if there were some penalty to losing half a million identities that was borne by the database owner instead of the poor schmucks whose identities were stolen, then it would be amazing.
But when your data is stolen, I'm the one who has to pay. Why should you care? You're not paying.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Makes you sound like an amateur who's never used anything but Microsoft's database products. SQL is a language.
On another note...
There should be many MORE open databases online, just like there are many websites online. Then maybe this whole semantic "web" thing would've taken off years ago.
Unless you pay big bucks extra for a hardware firewall, the default setup for a Rackspace RHEL4 server has MySQL/SMTP/POP3/SSH open to the world. In fact, they recommend you keep it that way so that their monitoring software can watch your MySQL (I'd rather just bind to localhost and do my own monitoring, thankyouverymuch).
We didn't start the firewall.
I have a LAMP server in colo which is running a fair sized community site, and I use MySQL replication for instant backup of data updates to my home workstation. I can't afford to run redundant servers at the moment, so this is a nice "poor man's backup" (not hot spare, just a relative guarantee that if the server or colo center blew up suddenly then I'd at least have a copy of the data on my home box, losing at most a millisecond or so of updates).
Since my home is on cable, there isn't any static IP address to put in the server's iptables rules, and so I need to leave the mysql port on the server open. For security I use MySQL grant tables to specify that from outside only the restricted 'replication' user can have password access. Even if someone managed to guess the password for that user, the grants say that all they can do is replicate (and then they'd have issues because they wouldn't have any initial copy of the database). Since I don't store passwords in the db at all, it's fairly secure. Sure, it's not bulletproof, but as long as you're aware of the issues and take reasonable steps, it's very possible to have a database server intentionally open to the internet.
Even better, run the replication over ssl, then nobody can sniff anything from the stream. I haven't done that yet (until recently I was running an older version that didn't support ssl) but it is on my to-do list.
Another small thing you can do is to change the port that MySQL is listening on, but haven't bothered to go that far yet - the existing security seems to have been pretty solid.
Doesn't surprise me at all. First, there'll be a lot of database servers that are "supposed" to be accessible from the net for various reasons (which is ridiculous, yes, but there you go - at least use a whitelist of good IP's or something). Secondly, even a lot of NETWORKS are left unsecured without a decent firewall to hide behind. I've seen it happen on Internet-connected networks. Reliance on Windows to not let unauthenticated computers access shares is quite common - leave the ports open and make sure the services are locked down to provide service only to authenticated users, except for public shares - and that one we couldn't get working - and the one for John who doesn't like to enter his password from outside etc. It's a whole lot easier than that "opening ports" mess - or so some would think.
Third, you have things like Windows Firewall where for some things it's just easier to run without the firewall than with it (not that I'd do it, but I've seen it happen). Even something simple like OpenVPN over Windows Firewall in UDP mode (the only decent performing mode in OpenVPN) is next-to-impossible to get running properly - the time you take to make it work is better spent installing a real firewall that can do the job (even ZA "just handles it"). A lot of servers are open but "hide behind" an external or hardware firewall on which necessary ports are then just opened. I remember trying to get my last workplace to install at least Windows Firewall on clients and servers alike - the exceptions were already in place, the systems worked perfectly with it turned on, but they still wouldn't do it. Fortunately, they were behind an external firewall not configured by them - however a single virus could run rampant across the client PCs in a matter of minutes.
Fourth, most people have no idea what packets their networks send out to the world, or what ports are open - and they don't care until the day they notice that someone is accessing their system, which can be years after it was first compromised.
It's quite simple. If you can see it from outside your network, so can anyone in the world. If they can see it, they can attack it (and even sometimes if they CAN'T see it but know it's likely to be there!). If they can attack it and you don't update it, you could be in serious trouble. And even if you are firewalled off to the maximum, have up-to-date patches and proper security procedures attackers can still sometimes get through, but making their life as difficult as possible is not only fun but also productive.
Some people just don't care though. It's not going to change any time soon. Viruses and attacks are so common you hear things like "yeah, my laptop had a virus on it but I can't afford the subscription so I didn't bother clearing it up - made my computer a bit slow, though". Most people are just far too casual. You can even over-do the dramatics and explain possible dire consequences in exquisite detail. People go "Oh, really." and then carry on as they always have. Unfortunately, these people then go on to make websites for their friends, install servers for that charity down the road etc. and you end up with much worse problems.
Nobody cares anymore. Anyone serious will laugh at you if you're really that stupid to leave a server open to the world. The average joe doesn't know enough to see what you're laughing at and most people want things that work and sod the consequences. If that means running as admin with no firewall in order to save them having to learn about proper security permissions etc. then that's what happens - I know that every one of my users would make themselves admin given half the chance.
Hell, even my ISP blocks internet access to you if they see you have ports 137-139 open to the Internet and they take an awful lot of flak for it. They just redirect all your web traffic to a holding page that tells users how to fix the problem until they either a) fix it or b) tell the ISP to take it off. Guess which option is used the most?
I saw David at the Information Security Decision conference in Chicago last week. He presented his findings there...he seemed quite geeked about it. I thought he might cream himself on stage he was so excited.
That's nothing; while cleaning up a hacked windows server today, I happened across the IPs for a pair of Lexmark color laser printers. A little bit of digging later, I found they were wide open, sitting in the business centers at a couple of hotels in Washington DC.
:-) Might encourage them to secure things a little.
My flatmate had great fun printing 40 pages of LOLCats transcontinental!
Next phase is to code up a genuine bit bucket: you pipe the bits in, they emerge goodness-knows-where from some poor sods randomly chosen printer
Of course there are many, many un-firewalled database servers on the internet - for all the reasons that have been stated in other comments it is frequently necessary to do so. However, the article does not point out if any other security techniques are in place at all with all the supposedly exposed databases.
Now, if the headline was "Half a Million Database Servers Left Configured With No Firewall, No Client Restriction, Default Root Credentials, and Listening on Default Ports" - then you have my attention.
Course, the sad fact is that my headline is probably just as likely to be true as the article headline, when you consider all the installs of databases other than SQLServer and Oracle (mysql, postgres, etc).
-- Kimball Larsen
http://www.kimballlarsen.com/
SQL 2000 had MSDE, SQL 2005 has Express Edition, and I don't remember Oracle's name for it. Some desktop apps need a dumbed-down database to write to, and MS and Oracle let you distribute it for free as part of their app.
Pretty sure most of these are just the lite versions of these databases on people's desktops or laptops while they are on broadband. A lot of devs also have dev versions of DB servers. SQL 2005 Dev Edition is basically the Enterprise Edition that lets you install it on XP, with no limits other than a license.
Either this is the usual clueless researcher or a firewall vendor. Apparently the real news is that half a million database servers are running some sort of Unix and are connected to the Internet...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
My bad, I should have said "install an SQL server" or maybe if I wanted to be really accurate "Microsoft SQL Server Desktop Engine", I was lazy. Yes I know SQL is a language used by a wide range of products, including a swath of OSS offerings. Now put your geek-peen back in your pants. d:
On and before anyone grammar nazi's me (among other things) that should be "installs a SQL server".
How many of those are small, MySQL driven LAMP-3 setups -- you know, the kind that power millions of websites? Where a decent amount of care setting up Linux, Apache, MySQL, and the final P [whether that is Perl, Php or Python -- the three in the acronym above] good coding practices make the necessity of a separate firewall basically moot.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
The firewall should be one of the first lines of defense. If that gets circumvented, you got all these other layers of defense in there. The firewall isn't the be all answer to security, it's a part of the complete armor.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
Oracle recommends that you disable features such as iptables firewalls and SElinux, or else your database probably won't work. Stupid system administrators take it to the next level and leave it outside a physical firewall so that vendors/partners can access it. Authentication is usually done on an unsecured port 1521, where the username/password is sent in clear text. Very few sites even know how to enable encrypted database traffic on Oracle.
Oracle is mostly to blame with their idiotic processes that need rlogin access as root. Even though your Oracle database is running as user "oracle", it still needs to rlogin to itself as root every 2 seconds to run some unknown commands. The only way to secure an Oracle server is to completely firewall it off from the outside world and only let the application server talk to it.
Disclaimer: I'm a Linux sysadmin that builds Oracle database servers all day.
"When the president does it, that means it's not illegal." - Richard M. Nixon
Most C programmers don't bother to check the return of system calls like printf()
Most things shouldn't be written in C.
Don't know if printf() was the best example, but this is really the reason you want a language that throws exceptions when things go wrong. That either forces programmers to write error handling code (if the compiler requires you to catch a certain exception), or gives the runtime a chance to present a stack trace when an exception is thrown.
Instant maintainability improvement.
Installed the Bubblemon yet?
Personally, I would rather have my webserver, which is designed to be publicly available and quite easy to secure, available - vs. worm bait such as MSSQL. I can't think of one good reason to have your DB server port open to the Internet. Need to link it to a remote server? VPN... The argument about the only secure system being completely disconnected is true, but doesn't apply here. The point is there is something that the person managing the server wants to make available, so there is inherent risk... the point is to take the "best" method to do that. The article is so much FUD, but that doesn't excuse having the DB port open to the Internet.
The IP addresses in the experiment were randomly created.
This means that their test could have hit some old woman's PC who happened to be dialled up over her phone line at the time, and using the IP address assigned to her by her ISP.
If she doesn't have a firewall, then of course the Oracle port could be open. Is this a security risk? Well if she only uses her computer for email then no.
Was an Oracle DB with customer's credit card details exposed to the world? Absolutely not!
America, Home of the Brave.
The current state of things is not good... But it's because money got involved. Where there is money, you can usually find corruption... All of a sudden people start breaking things with financial incentive (botnets, spam, etc.) and it became a jumbled mess.
Links please. thx
Let's read the article and see what that headline really means.
He found open ports on just over 200 servers, which correspond to the ports used by two popular database servers. That's all. The article doesn't say that he actually connected to them, confirmed that there were real databases running there, or even identified the owners. He found two hundred open ports out of a million randomly chosen addresses on the Internet. But "0.02% of Internet Connected Computers May Or May Not Be Running Database Software" just isn't the kind of headline that grabs attention.
Unless there is a lot more detail, preferably from someone who isn't in the business of selling firewalls for databases, then you'll have to forgive me for not being terribly concerned about this revelation.
Why on earth should a database server need a firewall? Last time I looked, DBMSes required a login with a username and password before giving any access. I hope that the days of default passwords like scott/tiger are long gone, and if not, you should get a more secure database rather than masking the problem with a firewall (which does nothing to protect against internal attacks).
Hopefully the DBMS supports SSL or other encrypted connections so outsiders can't eavesdrop or hijack sessions.
-- Ed Avis ed@membled.com
Why would a development system be any less likely to facilitate the spread of a worm than a production one? Other than the reduced risk of a negative data breach, what's the difference?
But furthermore, how many of those development servers contain slightly-stale copies of "real" production data?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
A webserver needs at most three ports open, 80, for obvious reasons, 443 for https and 22 for ssh. That is it.
If you need to connect remotely to another service you do it via SSH.
Mysql is a database. Let it do databases. Let SSH do its job.
When I see people use your logic you make my jaw drop. SSH for live. EVERYTHING over ssh. ALWAYS. Full stop, end of story. No argument.
Exposing your database like this is insanity and you are asking for trouble. Mysql authentication is a joke and considering you are doing it this way, you probably have it setup wrong. Because what you are doing is wrong.
Tunnel over SSH. It is a most basic tool. Read up on it, NOW! Google: mysql tunnel ssh
Of course, next thing he will say is that he uses telnet for remote access. Some admins would make Gandhi lose his temper.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
The problem isn't remembering to change the 'sa' account password, or using an encrypted connection. It's the possibility of exploits that don't require account access at all. Hidden backdoors, DOS attacks by flooding the port with connection requests, even deliberately sending bad packets that take down the server. That's why you want the minimum necessary exposure for servers even if you have strong access controls within the application.
That said, I agree with everyone who says that you should also set up good security on the database server. E.g., the accounts with remote access may be limited to read-only views with stored procedures to create/modify records. This limits the damage even if somebody manages to get remote access since they can't just truncate tables or do blanket updates -- they have to trigger the correct stored procedures.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
If your application follows the n-tier or MVC architectures, there's no reason for your database server to be exposed in the first place. No database should ever be accessible directly from the Internet..ever. If you feel differently, then you probably need to reevaluate your design strategy.
Why a firewall anyway? Why not just have computers that don't respond to ports where authorized programs aren't listening?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I thought you use "an" when the following word begins with a vowel sound. So "an SQL..." would be correct. You would use "a" for following words that begin with an actual vowel, but do not have a vowel sound: "a Unicycle".
The headline should read: Half a Million 'Database Servers' Have no Firewall.
Let's be honest here, only a small percentage of those computers are actually servers, and of those that are, many have port 1433 open for something other than a database.
You install Microsoft Visual Studio Express, get SQL Express to go along with it, and because you don't have that stupid MS firewall enabled you automatically fall into the aforementioned group. Newsflash: not every computer on the Internet is a server. And not every installation of a SQL database has any data in it to live up to its name.
"There are approximately 368,000 Microsoft SQL Servers... and about 124,000 Oracle database servers directly accessible on the Internet." Any DBA worth his salt KNOWS how to secure a SQL server without a firewall. It's not like 'sa' was left with a blank password and remote access enabled on these; it's just an open port. One of our DB servers has port 1433 open to the WAN (it was that or a site-to-site VPN); it is perfectly secure, and even if it wasn't, a complete muppet could secure a default SQL Server install. But get this! I've found literally millions of servers with port 80 open to the WAN! I gather it's used for a rather obscure protocol called HTTP. If I take a random sample of 1000 HTTP and SQL servers, I'll bet I'd get more webservers I could break into than SQL Servers (simply because there are many more attack vectors for HTTP, insecure scripts etc.). This article draws attention to absolutely fuck all. David Litchfield is a well respected security researcher; I don't know why he sees this as such a big issue, that is, unless he's sitting on a 0day remote SQL Server exploit, but I won't hold my breath.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
I can't believe I'm reading so many "why do I need a firewall on an Internet-connected database server" comments above.
Yes, the article looks like just a press release based on dubious extrapolation of data, but it doesn't mean that it's OK to have your company's application servers around the world capable of being accessed by anyone else around the world. If you trust Oracle, IBM, Microsoft or whoever else to write bug-free code you're a braver man than I.
Theoretically - there's nothing wrong with that. DB server is just another TCP server and most of those have their own security layer (user/pass etc) built-in. If not for bugs and exploits, and provided that you change default passwords, it's pretty OK.
If for whatever reason you want remote access to the DB server, you need to allow access on that port anyway. So if the DB is the only service on that server, a firewall is superfluous.
I don't think you've made that any less likely with that post...
Did you ever consider that it's exactly this kind of laziness which Microsoft is counting on, when it uses generic names like "SQL Server" and "Windows" and "Word" for its products? Your laziness makes you the puppet of a corporation which does harm on a daily basis, and yet you insult the people who simply point out the issue to you, trying to help you out. And I was trying to help you out, if you read my comment again.
body massage!
Back when I was managing several MySQL servers I was horrified to learn that the original setup used localodbc/localodbc for the database passwords for pretty much everything. In fact it had universal access to ALL databases with S,I,U,D! And they depended on an ancient SonicWall firewall to protect them.
Did an inventory of all databases and then went out and found out who did what to those databases. Created individual logins with express rights (Select, Insert, Update, Delete). Web apps if they were lookup only just got Select, whereas those who wrote would get Select, Insert.
We also blocked port 3306 on our PIX firewall. Good luck hitting those MySQL boxes. Servers have separate networks for internal and external traffic so web servers can communicate with database servers but people outside can only see the web server.
The scanning method he used is not conclusive that all of the "hits" were vulnerable DB servers. Also, he only scanned for MSSQL and Oracle. What of Sybase, MySQL, Postgres, DB2, and all manner of other systems? MySQL has had a remote vuln in the past - I'm sure somewhere on the Internet there are vuln versions running. I can't speak of the others. The bottom line is that his "research" misses a significant portion of what's running out there. How do you not add MySQL, when LAMP is a pretty prominent application foundation? I also don't see anything conclusive in TFA to show that it was more than verifying the port was open - how does he even know it's actually the database running there? He specifically states that corporate data is at risk, but he randomly chose IP ranges; would it not make more sense to randomly choose IP ranges from those known to be corporate networks? (Info is available - ARIN, RIPE, APNIC, etc.) Without a more rigorous study the article is most definitely FUD, as you can't definitively draw any conclusions from the results. What the article does do is cause a good discussion about why people should be more security-aware.
Unpatched versions of MSSQL. I am sure that all the shops apply all MS patches and update their software regularly according to the MS product cycle. :End Sarcasm
Oracle security is a direct function of the DBA/SA's skill
I guess you could say the same for MSSQL, but this is Slashdot, what's the fun in that?
His maths is screwed
>> Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion:
Why did he do this? To get to the numbers he got to he would have to assume that 69% of the available Internet addresses are in use (2.3 billion addresses), i.e. 368,000/157 = 2344 - each of his 1,000,000 addresses represents 2,344 other addresses, giving 2.3 billion.
Unless he knew otherwise he would also have to assume that only 69% of the addresses are valid (obviously you would have no idea unless you got the information from the owners or the net block owners), making that step unnecessary. The other explanation is he assumed 100% of his IP addresses are valid, which reduces his figure by 31% (from 655,000 to 500,000) - obviously there is no reason he would do that.
This leads me to believe that he must have somehow ascertained that 100% of his generated IP addresses were valid, e.g. by pinging them. The fact that he could get a response from them means that he ignored all the well secured machines that would give no response to a ping.
This 'reputed' expert may know a little about security. I don't think he knows a thing about statistics (except in the 'lies, damned lies & ...' sense).
Yeah I should have realized it was pointless and just hoped no one noticed. Looks like I might have been in the clear anyway. [shrug]
And no, definitely not new to the game... but security didn't become the big scare tactic that it is today until money got involved. No one could possibly do double-digit time for port-scanning and things of that nature before Internet == Commerce. When big money got involved, all of a sudden there were financial transactions, billions of dollars of them, going on online every day. And all I was saying is with the money comes the scrutiny (and the crooks).
From 1 million random IP addresses. "He found 157 SQL servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion".
Results are only valid within the scope of the 1 million random IP addresses. Extrapolating out is a very poor assumption for a researcher to make. Within the data set, approximately 0.021% of those IP addresses had an SQL or Oracle server that is Internet facing.
Part II, and the real research, would seek to determine how many of those IP addresses HAD database servers that were NOT Internet facing. (E.g. Otherwise, we all well know the average human has approximately one testicle and one ovary).
I'm sorry if you thought I was insulting you, that was not my intent. If you took offense please accept my apology. You'll note the "d:" at the end of the post indicating I'm joking about the geek-peen thing.
What random blocks were dipped into? What % were dynamic and what % were static? What % of the hosts scanned were 'fake' computers, honeypots? How can you tell if a server isn't behind a firewall that 'looks' just like another server? A lot of people, myself included, use loads of honeypots to confound hackers. For each REAL service I may have 2 or 3 honeypots. I have a mail server that reports itself as no fewer than 5 different types of mail servers, and it's not even a real mail server, just something for the script kiddies to bounce off. Same with www, sometimes it's an Apache server, sometimes it's an IIS server, sometimes it's an Apple, sometimes it's a Sun. Knowing how much deception I place in my own network I wouldn't be surprised to find that half of the 'stats' dude has gathered (using what? nmap? eeye? who knows?) are just honeypots. And no, I don't keep the ports up to date on the fake machines, they are there to waste the time of, and identify, a would-be hacker.
Disable mysql external access by adding this line to /etc/my.cnf :
skip-networking
This will prevent external access to MySQL, firewall or no firewall. All access will go through Unix sockets or named pipes. Restart mysql with /etc/init.d/mysql restart. For me, no other configuration was required for several mysql-consuming apps, including php custom scripts, phpbb, phorum, and sympoll.
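A way to verify the setting that comment describes across a fleet of config files, as an added example that is not part of the original thread or of MySQL itself: the function name mysql_not_remotely_reachable and the two sample my.cnf files are my own constructions. It parses the [mysqld] section and reports success when either skip-networking is set or bind-address is pinned to loopback (the other common way to keep the listener off the public interface), ignoring commented-out lines so a "# skip-networking" does not count as protection.

```shell
#!/bin/sh
# Added example (hypothetical helper, not MySQL's own tooling).
# mysql_not_remotely_reachable CONFIG  -> exit 0 if the [mysqld] section
# disables TCP (skip-networking) or binds only to loopback, else exit 1.
mysql_not_remotely_reachable() {
    cfg="$1"
    awk '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/ {                             # section header, e.g. [mysqld]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/[]].*$/, "", sec)
            next
        }
        sec == "mysqld" {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim whitespace
            # skip-networking with no value, or explicitly enabled
            if (line == "skip-networking" || line == "skip_networking" ||
                line ~ /^skip[-_]networking[ \t]*=[ \t]*(1|ON|on|TRUE|true)$/)
                safe = 1
            # bind-address limited to loopback also keeps remote hosts out
            if (line ~ /^bind[-_]address[ \t]*=[ \t]*(127\.0\.0\.1|::1|localhost)$/)
                safe = 1
        }
        END { if (safe) exit 0; exit 1 }
    ' "$cfg"
}

# Constructed sample configs for the demonstration (not real server files).
TMPD=$(mktemp -d)
cat > "$TMPD/open.cnf" <<'EOF'
[client]
socket=/var/run/mysqld/mysqld.sock

[mysqld]
port=3306
# skip-networking   <- commented out, so the TCP listener is still enabled
EOF

cat > "$TMPD/closed.cnf" <<'EOF'
[mysqld]
skip-networking
EOF

for f in "$TMPD/open.cnf" "$TMPD/closed.cnf"; do
    if mysql_not_remotely_reachable "$f"; then
        echo "$f: OK, no remote TCP access (skip-networking or loopback bind)"
    else
        echo "$f: TCP listener reachable; add skip-networking or bind-address=127.0.0.1 under [mysqld]"
    fi
done
```

Run it against a real /etc/my.cnf (or any file from the !includedir directories, which this helper does not follow) to get a yes/no before trusting that a host without a firewall is not exposing port 3306.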
Until they rank OSS databases on TPC-C alongside Oracle, DB2, MSSQL and Sybase, it isn't a valid comparison. But of course, many of the commercial RDBMS vendors have a clause in their license agreement forbidding you to publish benchmarks, so it makes sense that their chosen publicists (the TPPC) don't publish price/performance data for OSS servers; when the bulk of the cost of your server is the per-CPU DB license, it can really make your price/performance ratio look inadequate going up against free software.
Yes, MSSQL is still a real database.
This article is pointless. Presuming that because a database exists, that it means there's meaningful data at risk is irrational. How many unfirewalled Excel spreadsheets are on the Internet? I submit that 499,990 of the half million databases at risk have no meaningful purpose (or data). Databases are just that easy to spin up.
"There are nearly half a million database servers exposed on the Internet, without firewall protection according to UK-based security researcher David Litchfield."
What?! Sheesh, now I suppose you're going to tell me that I cannot have a Windows box without virus / spyware / firewa &^%@@***Mh^^
NO CARRIER
"I bow to no man" - Riddick
An extra layer of security doesn't hurt, especially against the bugs we don't know about yet - most bugs/security flaws weren't known about/understood prior to being fixed, and prior to fixing, they could have been exposed.
I disagree. Why should I have to create an access control/permissions system when any proper database includes one? If the database's permissions system and security model fails over and over again, why continue using it? Wouldn't it make more sense to blame the vendor and change databases rather than blame the IT staff and patch the hole with a bandaid solution like a firewall?
In true PHB style though, firewalls are standard procedure. All firewalls effectively do is force all your traffic through some ridiculous port 80 xml-rpc/soap solution written in house that is going to be slower and just as prone to security holes, if not moreso. The only reason it seems secure is because it isn't a "standard" entryway that script kiddies are attacking. Security through obscurity is not security.
All you really have is a false sense of security until you're pWn3d by a dedicated attacker. In the meantime, you've ruined the efficiency of the network because applications that might have been able to listen for updates must resort to constant polling instead. Your bandwidth needs explode as a result and that costs you lots of money.
Having talked about databases with co-workers and friends enough, I would say that anyone even semi-professional understands by context that "SQL Server" refers to MSSQL specifically (actually, I've heard some people just refer to it as Sybase, but that's another issue). The only place I've had any ambiguity was with one friend who was a new Windows admin, and didn't really understand the concept of SQL itself yet. So I guess... yes, you are correct; the generic names add some confusion. But it's nothing to get your panties in a bunch about, because it naturally weeds itself out as skill level increases.
Anyways, I'm a fan of straightforward names. I'd rather they call it "SQL Server" than something gimmicky like "RaptorServ". One of those is an accurate description of the role the product fills; another is... acceptable as a codename for a product, but certainly not for an end product. I've seen blogs where Visual Studio developers refer to Orcas, and before I knew that Orcas meant "Visual Studio 2008 development", I was completely lost.
Well I guess we'll have to agree to differ on that then.
It's the best indicator that "the smell of death" has attached itself to a project|company|whatever.
Kevin Smith on Prince