Slashdot Mirror
Half a Million Database Servers 'Have no Firewall'
An anonymous reader writes "There are nearly half a million database servers exposed on the Internet, without firewall protection according to UK-based security researcher David Litchfield."
← Back to Stories (view on slashdot.org)
This isn't so suprising:
The world at large is uninterested and/or unaware of security when it comes to computers.
That's not true.
For example, you may have a stand-alone java app at multiple locations that can query the database directly, so you'd definitely open up the port.
This is just another example of "OMFG LOOK AT ME!!! I FOUND TEH SECURITY HOLE!" bullshit. Same as "your computer is broadcasting its IP address."
Not everything has to go through a bloody web server.
Their "idea" of a vulnerability was if the port was open - not if they could gain access.
Kevin Smith on Prince
I don't want to sound like a shill, but isnt this the rationale behind SOAP and such? Why leave a DB port open on the Internet. I agree that TFA may be blowing things out of proportion, but still, seems like an unnecessary risk.. at a minumum ip-filter the port.. do something other than let Joe Script-Kiddie find the port and (depending on the db software) crack your system.
I have mentioned this several times on slashdot but there is a severe lack of actual professionals in control of networks out there. I would say that there are all too many who have never even thought about security at this level, they just make sure that they have control of their users and pat themselves on their back for being able to make two servers talk across a WAN.
This all derives from the misconception that you have to be 40+ to be a seasoned professional in the business world. The IT security field is a very new one relatively, some of the best security personnel are much younger than I am but never get considered because even with 5 years experience, a degree and several certifications, they are only 24 and therefore not worthy of note. (no I am not ranting about myself, I ahve a wonderful position for someone my age, but I know many IT geeks who get passed over because of their age, although no one would ever admit it.) Get the 40 year old guy who was a sociology major and did data entry for 10 years before being asked to take over NT environments. This way you get a 'seasoned' guy because he has a few more wrinkles and that makes him a better 'fit' and definitely must make him more capable.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
A webserver needs at most three ports open, 80, for obvious reasons, 443 for https and 22 for ssh. That is it.
If you need to connect remotely to another service you do it via SSH.
Mysql is a database. Let it do databases. Let SSH do its job.
When I see people use your logic you make my jaw drop. SSH for live. EVERYTHING over ssh. ALWAYS. Full stop, end of story. No argument.
Exposing your database like this is insanity and you are asking for trouble. Mysql authentication is a joke and considering you are doing it this way, you probably have it setup wrong. Because what you are doing is wrong.
Tunnel over SSH. It is a most basic tool. Read up on it, NOW! Google: mysql tunnel ssh
Offcourse, next thing he will say is that he uses telnet for remote access, some admins would make ghandi loose his temper
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.