Slashdot Mirror
Half a Million Database Servers 'Have no Firewall'
An anonymous reader writes "There are nearly half a million database servers exposed on the Internet, without firewall protection according to UK-based security researcher David Litchfield."
← Back to Stories (view on slashdot.org)
I thought letting the accessible through the public IP is the first step to separate Application-server and DB-server. DB-Server {internet} App-Server
This isn't so suprising:
The world at large is uninterested and/or unaware of security when it comes to computers.
Given the approach he took, he could have checked for PostgreSQL and MySQL as well, which are presumably much more widespread (?) than the ones he was looking for...
"If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
Well this is quite simple and not really all that mysterious.
If you secure your server correctly in the first place.
Close up, secure and encrypt ports that consume passwords and serve data.
You don't have a problem! Within reason of course.
I that gets breached, a firewall won't protect you from an attack either.
Du...
I wonder how many people know that firewalls don't actually do anything.
Accept keep useless network fanboys employed.
1. Because everyone knows that a firewall is the end all and be all of security.
2. How do they know they don't have a firewall and not just an open port?
3. Open port != DB server Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle's database. 4. Not all DBs are huge corporate DBs. Hell some versions of MS Office install SQL on your computer.
5. Maybe some of them actually need/want to have remote people access them (and they don't know about VPNs(lolz))
6. Yeah some people should get their shit together
Did Mr. Litchfield crash his BMW and wants a new one? This just smacks of "ZOMG!!! Ur ports are open, give me ur monies and I will fix u!" His company is even linked in the fourth paragraph. Next please.
With no firewall, databases are exposed to hackers, putting corporate data at risk. How does he draw the conclusion that these are corporate databases? Nothing in the methodology provides this insight. I would expect that the majority of these are owned by kids and hobbiests, which would help to explain the preponderance of MS SQL servers over Oracle.
Also, the sample of 1 million is very small to be drawing these conclusions.
In short, "Nothing to see here - move along."
Um, not quite. You missed something too:
the proper setup looks like this
{internet}
|
firewall
|
app-servers
|
db-servers
Thank you. It's about time someone else realized this.
Firewalls are good for:
- Helping to limit access to services which don't have built in access limits (think tcp-wrappers++)
- Helping to protect a pile of machines over which you have little to no control (a bunch of desktops in the office, for example).
When talking about servers, if you sufficiently harden your machine, a firewall does very little, especially if the service being compromised is one which the firewall allows pretty much anyone access to...
Just because the listener is accessible on port 1521 from the outside, doesn't mean the database itself is directly available.Depending on what identification method is set up, you may have to identify yourself to the listener first using one of many ID schemes before the listener will connect you to the database itself which may be well protected behind a firewall..
I wish he had known what he was writing about before he actually wrote the damn article.
If you mod me down, I *will* introduce you to my sister!
# iptables -I INPUT 1 -dport 3306 -j DROP -- how hard can that be?
And the default combination of "root" and no password isn't as insecure as you think, because you still need to originate queries on the machine itself. You would have to get a web hosting account on the server (or find some idiot who wasn't chmod-ing uploaded files non-executable) in order to muck about. Or rather, giving each hosting customer their own database username and password and only GRANTing them permissions on their own databases is no more secure than having users use "root". Think about it; if you were running scripts on the server, then you could look in files in other people's home directories, where their database username and password would be clearly visible. There is no* workaround, either; the apache daemon has to have read access to every user's scripts, including the code used to undo any ad hoc obfuscation applied by users to passwords.
* Actually, you probably could have every user run an instance of httpd in their name, and listening on a non-privileged port which was firewalled off from the outside world. You'd then need one "master" server configured with a module which would do nothing but route incoming requests to specific ports based on hostname. I dread to think how slowly this would run.
Je fume. Tu fumes. Nous fûmes!
I don't want to sound like a shill, but isnt this the rationale behind SOAP and such? Why leave a DB port open on the Internet. I agree that TFA may be blowing things out of proportion, but still, seems like an unnecessary risk.. at a minumum ip-filter the port.. do something other than let Joe Script-Kiddie find the port and (depending on the db software) crack your system.
But that assumes that everything is programmed properly and infailable.
To be human is to err, and every Application/OS I've seen is programmed by humans. An extra layer of security doesn't hurt, especially against the bugs we don't know about yet - most bugs/security flaws weren't know about/understood prior to being fixed, and prior to fixing, they could have been exposed.
Also, consider that you might have a server with several ports open, some which by nature must be intranet only, others which must be intertnet also. In these cases a firewall helps keep things safe.
Yes, there are ideals on how things should be done, and in an ideal world, a firewall would not be necessary because (a) all the software would be programmed to be impenetrable by external network attacks, and (b) nobody would attack you anyway.
However, only the delusional live in an ideal world. And even then, only they know it...
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
... how many IP addresses have their TCP port 80 opened? Maybe let's start with installing firewall on 83.138.183.169, so I don't have to waste time reading useless research.
Litchfield said that, given the amount of press generated by corporate data breaches over the past two years, it's amazing to find that there are more databases exposed than ever before.
No it isn't. Now, if there were some penalty to losing half a million identities that was borne by the database owner instead of the poor schmucks whose identities were stolen, then it would be amazing.
But when your data is stolen, I'm the one who has to pay. Why should you care? You're not paying.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
I have a LAMP server in colo which is running a fair sized community site, and I use MySQL replication for instant backup of data updates to my home workstation. I can't afford to run redundant servers at the moment, so this is a nice "poor man's backup" (not hot spare, just a relative guarantee that if the server or colo center blew up suddenly then I'd at least have a copy of the data on my home box, losing at most a millisecond or so of updates).
Since my home is on cable, there isn't any static IP address to put in the server's iptables rules, and so I need to leave the mysql port on the server open. For security I use MySQL grant tables to specify that from outside only the restricted 'replication' user can have password access. Even if someone managed to guess the password for that user, the grants say that all they can do is replicate (and then they'd have issues because they wouldn't have any initial copy of the database). Since I don't store passwords in the db at all, it's fairly secure. Sure, it's not bulletproof, but as long as you're aware of the issues and take reasonable steps, it's very possible to have a database server intentionally open to the internet.
Even better, run the replication over ssl, then nobody can sniff anything from the stream. I haven't done that yet (until recently I was running an older version that didn't support ssl) but it is on my to-do list.
Another small thing you can do is to change the port that MySQL is listening on, but haven't bothered to go that far yet - the existing security seems to have been pretty solid.
Doesn't surprise me at all. First, there'll be a lot of database servers that are "supposed" to be accessible from the net for various reasons (which is ridiculous, yes, but there you go - at least use a whitelist of good IP's or something). Secondly, even a lot of NETWORKS are left unsecured without a decent firewall to hide behind. I've seen it happen on Internet-connected networks. Reliance on Windows to not let unauthenticated computers access shares is quite common - leave the ports open and make sure the services are locked down to provide service only to authenticated users, except for public shares - and that one we couldn't get working - and the one for John who doesn't like to enter his password from outside etc. It's a whole lot easier than that "opening ports" mess - or so some would think.
Third, you have things like Windows Firewall where for some things it's just easier to run without the firewall than with it (not that I'd do it, but I've seen it happen). Even something simple like OpenVPN over Windows Firewall in udp mode (the only decent performing mode in OpenVPN) is next-to-impossible to get running properly - the time you take to make it work is better spent installing a real firewall that can do the job (even ZA "just handles it"). A lot of servers are open but "hide behind" an external or hardware firewall on which necessary ports are then just opened. I remember trying to get my last workplace to install at least Windows firewall on clients and servers alike - the exceptions were already in place, the systems worked perfectly with it turned on, but they still wouldn't do it. Fortunately, they were behind an external firewall not configured by them - however a single virus could run rampant across the client PC's in a matter of minutes.
Fourth, most people have no idea what packets their networks send out to the world, or what ports are open - and they don't care until the day they notice that someone is accessing their system, which can be years after it was first compromised.
It's quite simple. If you can see it from outside your network, so can anyone in the world. If they can see it, they can attack it (and even sometimes if they CAN'T see it but know it's likely to be there!). If they can attack it and you don't update it, you could be in serious trouble. And even if you are firewalled off to the maximum, have up-to-date patches and proper security procedures attackers can still sometimes get through, but making their life as difficult as possible is not only fun but also productive.
Some people just don't care though. It's not going to change any time soon. Viruses and attacks are so common you hear things like "yeah, my laptop had a virus on it but I can't afford the subscription so I didn't bother clearing it up - made my computer a bit slow, though". Most people are just far too casual. You can even over-do the dramatics and explain possible dire consequences in exquisite detail. People go "Oh, really." and then carry on as they always have. Unfortunately, these people then go on to make websites for their friends, install servers for that charity down the road etc. and you end up with much worse problems.
Nobody cares anymore. Anyone serious will laugh at you if you're really that stupid to leave a server open to the world. The average joe doesn't know enough to see what you're laughing at and most people want things that work and sod the consequences. If that means running as admin with no firewall in order to save them having to learn about proper security permissions etc. then that's what happens - I know that every one of my users would make themselves admin given half the chance.
Hell, even my ISP blocks internet access to you if they see you have ports 137-139 open to the Internet and they take an awful lot of flak for it. They just redirect all your web traffic to a holding page that tells users how to fix the problem until they either a) fix it or b) tell the ISP to take it off. Guess which option is used the most?
It would appear that this guy is fishing for an article... Meaning, I strongly suspect somewhere, someone is trying to sell somebody something... For example: "(Sales person to business person) Sir, did you realize how many database servers were found to lack a firewall. Here, buy my product!!"....
It kills me the number of decisions that are made at the business level by simply watching commercials or reading articles. If I have another business person ask me if they should have "SAP", I think I am going to be sick....
I saw David at the Information Security Decision conference in Chicago last week. He presented his findings there...he seemed quite geeked about it. I thought he might cream himself on stage he was so excited.
You have to assume all of the hardening works properly - stuff that is supposed to stay local-only, stays local-only, no issues with the operating system's and driver's general network code that will let something through anyway, no applications will open up ports you weren't aware of, etc.
Now, sure, you can say "It's open source, it's got all kinds of people looking at it, of course it is secure." But face it: people make mistakes, and the more subtle the screwup, the more people it will take to find it. Eventually there will be a screwup too subtle for all the people looking to find. Then you have potential setup errors, something was missing in the documentation or overlooked by the individual doing the install/test, etc. You now have a vulnerability. Yes, none of these mistakes *should* exist, and having a firewall *shouldn't* be used as the *primary* method of protecting your system, but extra defense is good. The more software you run, the wider the variety of operating systems you run, the more likely one of these errors is to happen. A firewall is cheap (usually), and it happens to block this kind of attack.
Yes, relying on a firewall as your only means of defense is stupid, and there is a lot it doesn't protect, but a door lock doesn't defend against all means of entrance - it doesn't mean you shouldn't lock your doors. A firewall *is* a nice backup to have in case of human error in the programming or setup of an application.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Mother should I build a firewall.
The firewall should be one of the first lines of defense. If that gets circumvented, you got all these other layers of defense in there. The firewall isn't the be all answer to security, it's a part of the complete armor.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
Personally, I would rather have my webserver, which is designed to be publicly available, and quite easy to secure, available - vs. WormBait such as MSSQL. I can't think of one good reason to have your DB Server port open to the inet. Need to link it to a remote server? VPN... The argument about the only secure system being completly disconnected is true, but doesnt apply here. The point is there is something that the person managing the server want to make available, so there is inherent risk... the point is to take the "best" method to do that. The article is so much FUD, but doesnt excuse having the db port open to the inet.
Let's read the article and see what that headline really means.
He found open ports on just over 200 servers, which correspond to the ports used by two popular database servers. That's all. The article doesn't say that he actually connected to them, confirmed that there were real databases running there, or even identified the owners. He found two hundred open ports out of a million randomly chosen addresses on the Internet. But "0.02% of Internet Connected Computers May Or May Not Be Running Database Software" just isn't the kind of headline that grabs attention.
Unless there is a lot more detail, preferably from someone who isn't in the business of selling firewalls for databases, then you'll have to forgive me for not being terribly concerned about this revelation.
A webserver needs at most three ports open, 80, for obvious reasons, 443 for https and 22 for ssh. That is it.
If you need to connect remotely to another service you do it via SSH.
Mysql is a database. Let it do databases. Let SSH do its job.
When I see people use your logic you make my jaw drop. SSH for live. EVERYTHING over ssh. ALWAYS. Full stop, end of story. No argument.
Exposing your database like this is insanity and you are asking for trouble. Mysql authentication is a joke and considering you are doing it this way, you probably have it setup wrong. Because what you are doing is wrong.
Tunnel over SSH. It is a most basic tool. Read up on it, NOW! Google: mysql tunnel ssh
Offcourse, next thing he will say is that he uses telnet for remote access, some admins would make ghandi loose his temper
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
However, they still have a use. Relying on a firewall only, is stupid, but not having one isn't terribly brilliant either.
Your post read as the extreme of "firewalls are useless and you shouldn't bother with them", which is just as bad as "firewalls are the [last|best]+ line of defense". Both tend to ignore various types of problem.
From most to least effective:
1) Educate your users
2) Harden your systems + have regular updates
3) Firewall
Depending on the situation, 1 and 2 may flip.
"There are approximately 368,000 Microsoft SQl Servers... and about 124,000 Oracle database servers directly accessible on the Internet" Any DBA worth his salt KNOWS how to secure a SQL server without a firewall. Its not like 'sa' was left with a blank password and remote access enabled on these, its just an open port. One of our DB servers has port 1433 open to the WAN (it was that or a site to site VPN), it is perfectly secure, even if it wasn't a complete muppet could secure a default SQL Server install. Buy get this! I've found literally millions of servers with port 80 open to the WAN! I gather it's used for an rather obscure protocol called HTTP. If I take a random sample of 1000 HTTP and SQL servers, I'll bet I'd get more webservers I could break into than SQL Servers (simply because there are many more attack vectors for HTTP, insecure scripts etc). This article draws attentions to absolutely fuck all. David Litchfield is a well respected security researcher, I don't know why he see's this as such a big issue, that is, unless he's sitting on a 0day remote SQL server exploit, but I won't hold my breath.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
The scanning method he used is not conclusive that all of the "hits" were vulnerable db servers. Also he only scanned for MSSQL and Oracle, What of Sybase, MySQL, PostGres, DB2, and all manner of other systems? MySQL has had a remote vuln in the past - I'm sure somewhere on the inet there are vuln versions running. I cant speak of the others. The bottom line is that his "research" misses a significant portion of whats running out there. How do you not add MySQL, when LAMP is a pretty prominent application foundation. I also dont see anything conclusive in TFA to show that it was more than verifying the port was open - how does he even know its actually the database running there? He specifically states that corporate data is at risk, but he randomly chose IP ranges, would it not make more sense to randomly chose IP ranges from those known to be corporate networks? (info is available - ARIN, RIPE, APNIC, etc). Without a more rigorous study the article is most definitely FUD, as you cant definitively draw any conclusions from the results. What the article does do, is causes a good discussion about why people should be more security-aware.
Disable mysql external access by adding this line to /etc/my.cnf :
skip-networking
This will prevent external access to MySQL, firewall or no firewall. All access will go through Unix sockets or named pipes. Restart mysql with /etc/init.d/mysql restart For me, no other configuration was required for several mysql-consuming apps, including php custom scripts, phpbb, phorum, and sympoll.