Slashdot Mirror


Half a Million Database Servers 'Have no Firewall'

An anonymous reader writes "There are nearly half a million database servers exposed on the Internet, without firewall protection according to UK-based security researcher David Litchfield."

3 of 322 comments

  1. Re:Have i missed something? by trolltalk.com · Score: 5, Informative

    That's not true.

    For example, you may have a stand-alone java app at multiple locations that can query the database directly, so you'd definitely open up the port.

    This is just another example of "OMFG LOOK AT ME!!! I FOUND TEH SECURITY HOLE!" bullshit. Same as "your computer is broadcasting its IP address."

    Not everything has to go through a bloody web server.

    Their "idea" of a vulnerability was if the port was open - not if they could gain access.

  2. Web Services? by keirre23hu · Score: 5, Informative

    I don't want to sound like a shill, but isn't this the rationale behind SOAP and such? Why leave a DB port open on the Internet? I agree that TFA may be blowing things out of proportion, but still, it seems like an unnecessary risk.. at a minimum IP-filter the port.. do something other than let Joe Script-Kiddie find the port and (depending on the db software) crack your system.

  3. Re:Have i missed something? by COMON$ · Score: 5, Informative

    Well, even if you are not handling requests through a web server (and there are some cases where this is the best option), you should do some IP restriction. In the cases where I have set up a SQL server with a port open, I restrict access to that port by only allowing MY IPs to hit it. Even then, just the IPs that need access; don't go overboard and allow every IP you have to get to it.

    I have mentioned this several times on slashdot but there is a severe lack of actual professionals in control of networks out there. I would say that there are all too many who have never even thought about security at this level, they just make sure that they have control of their users and pat themselves on their back for being able to make two servers talk across a WAN.

    This all derives from the misconception that you have to be 40+ to be a seasoned professional in the business world. The IT security field is a very new one relatively, some of the best security personnel are much younger than I am but never get considered because even with 5 years experience, a degree and several certifications, they are only 24 and therefore not worthy of note. (no I am not ranting about myself, I have a wonderful position for someone my age, but I know many IT geeks who get passed over because of their age, although no one would ever admit it.) Get the 40 year old guy who was a sociology major and did data entry for 10 years before being asked to take over NT environments. This way you get a 'seasoned' guy because he has a few more wrinkles and that makes him a better 'fit' and definitely must make him more capable.

    --
    CS: It is all sink or swim...oh and did I mention there are sharks in that water?
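As an added example (not from the thread or any of its posters), a POSIX shell snippet that emits the iptables rules for what COMON$ describes: the database port accepted only from an explicit list of client addresses and dropped from everywhere else, shown beside the wide-open single rule the article is about. Port 3306 and the 192.0.2.x addresses are constructed sample values, and the script prints rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Builds iptables rule lines that expose
# a database port only to an explicit allow-list of client IPs. Port and
# addresses used below are constructed sample values.

# The exposed configuration the article counts: the DB port accepts
# connections from any source address.
exposed_rule() {
    port=$1
    printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
}

# db_allowlist_rules PORT IP [IP...]
# Prints one ACCEPT per listed client address and a final DROP for the
# port. Order matters: iptables evaluates top to bottom, so the ACCEPT
# lines must precede the DROP, and a missing allow-list is an error
# rather than silently becoming "accept from anywhere".
db_allowlist_rules() {
    port=$1
    shift
    [ $# -ge 1 ] || { echo "need at least one client IP" >&2; return 1; }
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP"
}

# Quick audit helper: how many distinct sources may reach the port, so the
# allow-list can be checked against "every IP you have".
allowed_source_count() {
    db_allowlist_rules "$@" | grep -c ' -s '
}

# Sample run: MySQL on 3306, reachable from two application hosts only
# (constructed addresses in the 192.0.2.0/24 documentation range).
echo "# exposed:"
exposed_rule 3306
echo "# restricted:"
db_allowlist_rules 3306 192.0.2.10 192.0.2.11
```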