Slashdot Mirror


Half a Million Database Servers 'Have no Firewall'

An anonymous reader writes "There are nearly half a million database servers exposed on the Internet, without firewall protection according to UK-based security researcher David Litchfield."

12 of 322 comments

  1. Only SQL server and Oracle? by daveewart · Score: 3, Interesting

    Given the approach he took, he could have checked for PostgreSQL and MySQL as well, which are presumably much more widespread (?) than the ones he was looking for...

    --
    "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
  2. Well... by ngunton · Score: 4, Interesting

    I have a LAMP server in colo which is running a fair sized community site, and I use MySQL replication for instant backup of data updates to my home workstation. I can't afford to run redundant servers at the moment, so this is a nice "poor man's backup" (not hot spare, just a relative guarantee that if the server or colo center blew up suddenly then I'd at least have a copy of the data on my home box, losing at most a millisecond or so of updates).

    Since my home is on cable, there isn't any static IP address to put in the server's iptables rules, and so I need to leave the mysql port on the server open. For security I use MySQL grant tables to specify that from outside only the restricted 'replication' user can have password access. Even if someone managed to guess the password for that user, the grants say that all they can do is replicate (and then they'd have issues because they wouldn't have any initial copy of the database). Since I don't store passwords in the db at all, it's fairly secure. Sure, it's not bulletproof, but as long as you're aware of the issues and take reasonable steps, it's very possible to have a database server intentionally open to the internet.

    Even better, run the replication over ssl, then nobody can sniff anything from the stream. I haven't done that yet (until recently I was running an older version that didn't support ssl) but it is on my to-do list.

    Another small thing you can do is to change the port that MySQL is listening on, but I haven't bothered to go that far yet - the existing security seems to have been pretty solid.
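A worked version of the restricted replication account described above, as an added example rather than the commenter's own configuration; it assumes MySQL 5.7 or later syntax, and the account name and password are placeholders:

```sql
-- Added example (not from the thread): a MySQL account that can only pull
-- replication events and must arrive over a TLS-protected connection.
-- 'repl_backup' and the password are placeholders; replace both.

-- The home box has no static IP, so the host part has to be '%'.
-- REQUIRE SSL makes the server refuse this account on unencrypted
-- connections, so neither the password exchange nor the binlog stream
-- crosses the Internet in the clear.
CREATE USER 'repl_backup'@'%'
  IDENTIFIED BY 'replace-with-a-long-random-password'
  REQUIRE SSL;

-- REPLICATION SLAVE is the only privilege a replica needs. No SELECT,
-- no FILE, no rights on any database: a guessed password yields only
-- the ability to read the binlog stream, as the comment describes.
GRANT REPLICATION SLAVE ON *.* TO 'repl_backup'@'%';

-- Limit how many sessions this account may hold at once, so a leaked
-- password cannot be used to tie up the server with connections.
ALTER USER 'repl_backup'@'%' WITH MAX_USER_CONNECTIONS 2;

-- Verification 1: the grant list should show exactly USAGE (the
-- "no privileges" placeholder) and REPLICATION SLAVE, nothing else.
SHOW GRANTS FOR 'repl_backup'@'%';

-- Verification 2: ssl_type must read ANY, confirming REQUIRE SSL applied.
SELECT user, host, ssl_type, max_user_connections
  FROM mysql.user
 WHERE user = 'repl_backup';

-- Server-wide alternative for MySQL 8.0: refuse every unencrypted TCP
-- connection, not just this account's (local socket connections are
-- still allowed). Uncomment once the server has a certificate installed.
-- SET PERSIST require_secure_transport = ON;
```

Run the two verification statements after any later GRANT on the server; a replication account that has quietly gained SELECT or FILE is the failure mode this setup relies on not happening.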

  3. Doesn't surprise me by ledow · Score: 3, Interesting

    Doesn't surprise me at all. First, there'll be a lot of database servers that are "supposed" to be accessible from the net for various reasons (which is ridiculous, yes, but there you go - at least use a whitelist of good IPs or something). Secondly, even a lot of NETWORKS are left unsecured without a decent firewall to hide behind. I've seen it happen on Internet-connected networks. Reliance on Windows to not let unauthenticated computers access shares is quite common - leave the ports open and make sure the services are locked down to provide service only to authenticated users, except for public shares - and that one we couldn't get working - and the one for John who doesn't like to enter his password from outside etc. It's a whole lot easier than that "opening ports" mess - or so some would think.

    Third, you have things like Windows Firewall where for some things it's just easier to run without the firewall than with it (not that I'd do it, but I've seen it happen). Even something simple like OpenVPN over Windows Firewall in udp mode (the only decent performing mode in OpenVPN) is next-to-impossible to get running properly - the time you take to make it work is better spent installing a real firewall that can do the job (even ZA "just handles it"). A lot of servers are open but "hide behind" an external or hardware firewall on which necessary ports are then just opened. I remember trying to get my last workplace to install at least Windows Firewall on clients and servers alike - the exceptions were already in place, the systems worked perfectly with it turned on, but they still wouldn't do it. Fortunately, they were behind an external firewall not configured by them - however a single virus could run rampant across the client PCs in a matter of minutes.

    Fourth, most people have no idea what packets their networks send out to the world, or what ports are open - and they don't care until the day they notice that someone is accessing their system, which can be years after it was first compromised.

    It's quite simple. If you can see it from outside your network, so can anyone in the world. If they can see it, they can attack it (and even sometimes if they CAN'T see it but know it's likely to be there!). If they can attack it and you don't update it, you could be in serious trouble. And even if you are firewalled off to the maximum, have up-to-date patches and proper security procedures, attackers can still sometimes get through, but making their life as difficult as possible is not only fun but also productive.

    Some people just don't care though. It's not going to change any time soon. Viruses and attacks are so common you hear things like "yeah, my laptop had a virus on it but I can't afford the subscription so I didn't bother clearing it up - made my computer a bit slow, though". Most people are just far too casual. You can even over-do the dramatics and explain possible dire consequences in exquisite detail. People go "Oh, really." and then carry on as they always have. Unfortunately, these people then go on to make websites for their friends, install servers for that charity down the road etc. and you end up with much worse problems.

    Nobody cares anymore. Anyone serious will laugh at you if you're really stupid enough to leave a server open to the world. The average Joe doesn't know enough to see what you're laughing at and most people want things that work and sod the consequences. If that means running as admin with no firewall in order to save them having to learn about proper security permissions etc. then that's what happens - I know that every one of my users would make themselves admin given half the chance.

    Hell, even my ISP blocks internet access to you if they see you have ports 137-139 open to the Internet and they take an awful lot of flak for it. They just redirect all your web traffic to a holding page that tells users how to fix the problem until they either a) fix it or b) tell the ISP to take it off. Guess which option is used the most?

  4. Re:Questions by tgatliff · Score: 2, Interesting

    It would appear that this guy is fishing for an article... Meaning, I strongly suspect somewhere, someone is trying to sell somebody something... For example: "(Sales person to business person) Sir, did you realize how many database servers were found to lack a firewall? Here, buy my product!!"....

    It kills me the number of decisions that are made at the business level by simply watching commercials or reading articles. If I have another business person ask me if they should have "SAP", I think I am going to be sick....

  5. Re:what? by ByOhTek · Score: 4, Interesting

    You have to assume all of the hardening works properly - stuff that is supposed to stay local-only, stays local-only, no issues with the operating system's and driver's general network code that will let something through anyway, no applications will open up ports you weren't aware of, etc.

    Now, sure, you can say "It's open source, it's got all kinds of people looking at it, of course it is secure." But face it: people make mistakes, and the more subtle the screwup, the more people it will take to find it. Eventually there will be a screwup too subtle for all the people looking to find. Then you have potential setup errors, something was missing in the documentation or overlooked by the individual doing the install/test, etc. You now have a vulnerability. Yes, none of these mistakes *should* exist, and having a firewall *shouldn't* be used as the *primary* method of protecting your system, but extra defense is good. The more software you run, the wider the variety of operating systems you run, the more likely one of these errors is to happen. A firewall is cheap (usually), and it happens to block this kind of attack.

    Yes, relying on a firewall as your only means of defense is stupid, and there is a lot it doesn't protect, but a door lock doesn't defend against all means of entrance - it doesn't mean you shouldn't lock your doors. A firewall *is* a nice backup to have in case of human error in the programming or setup of an application.

    --
    Self-proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  6. And this is always a problem? by CodeShark · Score: 1, Interesting

    --as me first puts on the fireproof pajamas for the obligatory anti-PHP flamewar sure to follow--

    How many of those are small, MySQL driven LAMP-3 setups -- you know, the kind that power millions of websites? Where a decent amount of care setting up Linux, Apache, MySQL, and the final P [whether that is Perl, PHP or Python -- the three in the acronym above] and good coding practices make the necessity of a separate firewall basically moot.

    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
  7. Re:Web Services? by beh · Score: 3, Interesting

    The same argument could be made about ANY service/port, including http, ftp, etc. The premise of the article - that "port open == bad all by itself" - is junk.

    You're missing something here - if you leave the DB port open, you must give your application/applet the necessary credentials to log in to the database; hence you're providing those to the outside. If you use a webservice, you may have the user authenticate himself, but also you can sanity-check data before forwarding it to the database.

    If you don't take any precaution with your data, you're going to lose, no matter how many layers -- but somehow I can't find myself agreeing that giving the raw DB socket and passing all necessary authentication info to the world at large within the applet I'm sending out is a good way either. (of course, you can try and lock down the DB user so that the user within the DB can't do much damage, but you're still opening a hole through which you might also try and hack for other DB accounts with more permissions).

  8. Re:Yawn by J0nne · Score: 2, Interesting

    I still think he's just trying to grab attention to drum up business. I'm not going to disagree with you on that. That's pretty much what most security researchers do ;-). There are probably non-fearmongering security researchers, but they don't get headlines...

    Anyway, not having a firewall doesn't make you unsafe automatically (as long as you have strong passwords, and everything is patched, and something like fail2ban is stopping bruteforce attempts, and you actually know what you're doing), but it wouldn't surprise me if a lot of them were set up by clueless admins.

  9. Re:what? by Anonymous Coward · Score: 2, Interesting

    However, they still have a use. Relying on a firewall only is stupid, but not having one isn't terribly brilliant either.

    Your post read as the extreme of "firewalls are useless and you shouldn't bother with them", which is just as bad as "firewalls are the [last|best]+ line of defense". Both tend to ignore various types of problem.

    From most to least effective:
    1) Educate your users
    2) Harden your systems + have regular updates
    3) Firewall

    Depending on the situation, 1 and 2 may flip.

  10. Re:Have i missed something? by trolltalk.com · Score: 2, Interesting

    Funny thing is, where I'm working, the bias is against older people. "We tried a half-dozen, and they all had issues." Since then, we've gone through I don't know how many people in the 20-to-40 age bracket, but I'm still here :-)

    In the last year, the bias has shifted back to the over-50 group in larger businesses, because, IF they've been in the field for a couple of decades, they're worth it, and generally don't have the "need" to get into "pissing contests" about who knows what - they've had a couple of decades to work it out of their systems, or they use slashdot to proxy their luser abuse :-)

  11. Disable mysql external access with skip-networking by dananderson · Score: 2, Interesting

    Disable mysql external access by adding this line to /etc/my.cnf :
    skip-networking

    This will prevent external access to MySQL, firewall or no firewall. All access will go through Unix sockets or named pipes. Restart mysql with /etc/init.d/mysql restart. For me, no other configuration was required for several mysql-consuming apps, including php custom scripts, phpbb, phorum, and sympoll.

  12. Re:Might I introduce you to SSH by ngunton · Score: 3, Interesting

    Your reply might have prompted a reaction from me of "Hey, that's interesting, thanks for the tip". However the shrill and overly aggressive tone of it just left me cold, instead thinking "Wow, what an asshole" regardless of any actual points you might have had.

    Here's a clue: You don't convince people by shouting at them, telling them they are completely, utterly, totally wrong (especially when the world really isn't as black and white as you are suggesting). I'm guessing you might be the type of person who would also try to tell me I'm completely, utterly wrong for using MySQL at all. I've long given up trying to reason with zealots.

    In point of fact, your post is a good example of why I don't post all that much on slashdot or reddit any more. It seems that many people who "debate" online have given up on civilized discussion and instead jump straight to the kind of cut-throat, over-the-top, spittle-flying shouting match that typifies television "news" these days.

    See, we could be talking about the technical merits of your argument, but instead you got me going on how you come across like a total dick.

    Could the job be done using ssh tunneling? Probably, undoubtedly so. Does my setup work just fine for what it's doing? Absolutely, for the last eight years in fact. For me, the MySQL security model works just fine. As I said, I'll be using the SSL feature anyway as soon as I can get around to rebuilding MySQL with SSL enabled.

    And incidentally, it's "lose", not "loose".

    Bye now.