Half a Million Database Servers 'Have no Firewall'

Posted by CmdrTaco on Wed Nov 14, 2007 09:40 AM
from the well-thats-not-so-bad dept.
An anonymous reader writes "There are nearly half a million database servers exposed on the Internet without firewall protection, according to UK-based security researcher David Litchfield."
  • Not Surprising (Score:5, Informative)

    by Algorithmnast (1105517) on Wednesday November 14 2007, @09:51AM (#21348563)

    This isn't so surprising:

    • Most C programmers don't bother to check the return of system calls like printf()
    • Most C++ programmers have no idea what an invariant [artima.com] is.
    • There are a lot more people who can "just put together a database for us" than can tell a company why they do or don't need one
    • Most users of computers have little to no security on their machines.

    The world at large is uninterested and/or unaware of security when it comes to computers.

    • Re:Not Surprising (Score:5, Insightful)

      by faloi (738831) on Wednesday November 14 2007, @09:57AM (#21348607)
      And don't forget the "Good news, we just made your application/database/whatever accessible to everybody!"

      I've seen a number of things cobbled together just to get a department or company through something that suddenly become available to a lot more people than the original target audience. It's a good argument for never taking short cuts when you're programming, but I'm sure there are a lot of people that have gotten something out on a deadline only to turn around and look at it later and say "What came over me to do it that way?"
    • by ajs318 (655362) <sd_resp2.earthshod@co@uk> on Wednesday November 14 2007, @10:37AM (#21348943)

      Most C programmers don't bother to check the return of system calls like printf()
      And what exactly are you supposed to do when printf() returns false? Display an error message?

      If you can't correct it, you needn't detect it.
        • by pherthyl (445706) on Wednesday November 14 2007, @12:54PM (#21350689)
          Well, to answer another poster - yes I was being insufficiently precise when I used the term system call. printf() is a C library call.

          Insufficiently precise? Holy weasel words, Batman. You were wrong.
    • Re:Not Surprising (Score:5, Insightful)

      by failedlogic (627314) on Wednesday November 14 2007, @10:39AM (#21348967)
      I'm not an IT worker, but I think the idea that because some people don't know what "xyz" is, ignores a basic pretense in this circumstance. I'm not going to pretend this example explains all or some of the 1/2 non-FW DB servers.

      I've worked and volunteered for several non-profit, NGOs and small businesses. And worked in B2B sales selling computer equipment to them. Generally the IT staff is an outside consultant who does a few things (whatever they're able to afford). Setting up of complex computer equipment and software is often left to someone who's able to understand the instruction manual but no IT training (so it could be the receptionist, the director or somewhere in-between). Setting up a firewall is expensive and doesn't fit into many budgets of small organizations. Someone with no IT training may also think a DB server or networked printer needs no firewall.

      Let me put it this way: as a non-IT worker, I haven't put 100% of my resources behind studying I.T. (software, hardware) etc. I've programmed computers and used computers since I was born. Despite being somewhat knowledgeable in TCP/IP and reading firewall and comp. security books (mostly for self-interest), I'm not confident I can even configure an adequate firewall for my home computer. Things like FreeBSD's IPFW are supposed to be "easy" to set up. Not my experience. It's sheer confusion. MS, Apple and some OSS firewalls are supposed to make it even easier. Block this port, block that port and that's it??? Don't think so. I'm not even 50% confident this solution provides adequate protection esp. for a NGO, non-profit, SMB or home computer. So how is someone not as well-read supposed to set up a firewall on a limited budget? But a pre-built hardware solution? Still that needs to be set up and configured too. And even then, you still have to be knowledgeable enough to *test* whatever solution you're using to actually make sure it works and keeps your system well protected.

      Not a trivial or inexpensive task. But people with no training or knowledge are often asked to do this.
  • by daveewart (66895) on Wednesday November 14 2007, @09:52AM (#21348573)
    Given the approach he took, he could have checked for PostgreSQL and MySQL as well, which are presumably much more widespread (?) than the ones he was looking for...
  • Yawn (Score:5, Insightful)

    by riffzifnab (449869) on Wednesday November 14 2007, @10:00AM (#21348641) Journal
    Just a quick list of stuff I would like to point out:

    1. Because everyone knows that a firewall is the end all and be all of security.
    2. How do they know they don't have a firewall and not just an open port?
    3. Open port != DB server

    Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle's database.
    4. Not all DBs are huge corporate DBs. Hell some versions of MS Office install SQL on your computer.
    5. Maybe some of them actually need/want to have remote people access them (and they don't know about VPNs(lolz))
    6. Yeah some people should get their shit together

    Did Mr. Litchfield crash his BMW and wants a new one? This just smacks of "ZOMG!!! Ur ports are open, give me ur monies and I will fix u!" His company is even linked in the fourth paragraph. Next please.
  • by LordSnooty (853791) on Wednesday November 14 2007, @10:13AM (#21348721)
    TFA mentions he works for Next Generation Security Software [ngssoftware.com].

    "In the fast-moving world of software security it pays to have allies you can trust. Government, business and software vendors all turn to the global expertise of NGSSoftware for the protection they need. You can rely on us too... "
    He has a product to sell, the report features some flaky extrapolation of data ("well, if I found this many across a million servers, on the whole internet there must be LOADS!") - why are we bothering with this?
  • by IdleTime (561841) on Wednesday November 14 2007, @10:14AM (#21348741) Journal
    Just because the listener is accessible on port 1521 from the outside doesn't mean the database itself is directly available. Depending on what identification method is set up, you may have to identify yourself to the listener first using one of many ID schemes before the listener will connect you to the database itself, which may be well protected behind a firewall.

    I wish he had known what he was writing about before he actually wrote the damn article.
  • Well... (Score:5, Interesting)

    by ngunton (460215) on Wednesday November 14 2007, @10:45AM (#21349023) Homepage
    I have a LAMP server in colo which is running a fair sized community site, and I use MySQL replication for instant backup of data updates to my home workstation. I can't afford to run redundant servers at the moment, so this is a nice "poor man's backup" (not hot spare, just a relative guarantee that if the server or colo center blew up suddenly then I'd at least have a copy of the data on my home box, losing at most a millisecond or so of updates).

    Since my home is on cable, there isn't any static IP address to put in the server's iptables rules, and so I need to leave the mysql port on the server open. For security I use MySQL grant tables to specify that from outside only the restricted 'replication' user can have password access. Even if someone managed to guess the password for that user, the grants say that all they can do is replicate (and then they'd have issues because they wouldn't have any initial copy of the database). Since I don't store passwords in the db at all, it's fairly secure. Sure, it's not bulletproof, but as long as you're aware of the issues and take reasonable steps, it's very possible to have a database server intentionally open to the internet.

    Even better, run the replication over ssl, then nobody can sniff anything from the stream. I haven't done that yet (until recently I was running an older version that didn't support ssl) but it is on my to-do list.

    Another small thing you can do is to change the port that MySQL is listening on, but haven't bothered to go that far yet - the existing security seems to have been pretty solid.
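    The grant-table setup ngunton describes, written out as an added example (not code from the post): the replication account receives only REPLICATION SLAVE plus a TLS requirement, shown beside the over-privileged form that makes an open 3306 dangerous. The account name, password and netblock pattern are placeholders I chose.

```sql
-- Added example, not from the original post. Account names, passwords and
-- the netblock pattern are placeholders.

-- WEAK: a replication account that can read and write every database from
-- any host. A guessed password here is a full compromise of the data.
-- CREATE USER 'repl'@'%' IDENTIFIED BY 'CHANGE-ME';
-- GRANT ALL PRIVILEGES ON *.* TO 'repl'@'%';

-- HARDENED: the account may only stream the binary log. REPLICATION SLAVE
-- is a global privilege and must be granted ON *.*; it carries no SELECT,
-- so a guessed password yields no table access on its own.
CREATE USER 'repl'@'%' IDENTIFIED BY 'CHANGE-ME-long-random-password';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%';

-- Require TLS on the replication connection (the "run replication over ssl"
-- step in the post). MySQL 5.0-5.7 syntax; on 8.0 the REQUIRE clause moves
-- to CREATE USER / ALTER USER ... REQUIRE SSL.
GRANT USAGE ON *.* TO 'repl'@'%' REQUIRE SSL;

-- Where the replica's address range is known, narrow the host part instead
-- of '%'. MySQL matches the pattern against the connecting client's address,
-- so a netblock pattern is still far narrower than '%' even when a single
-- static IP is not available. Example host pattern (placeholder netblock):
-- CREATE USER 'repl'@'203.0.113.%' IDENTIFIED BY '...';

-- Audit: every account reachable from any host, and every anonymous
-- account, should be deliberate. The replication user should be the only
-- '%' entry on a server that exposes 3306.
SELECT user, host FROM mysql.user WHERE host = '%' OR user = '';
SHOW GRANTS FOR 'repl'@'%';
```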
    • by SmallFurryCreature (593017) on Wednesday November 14 2007, @12:02PM (#21349891) Journal

      A webserver needs at most three ports open, 80, for obvious reasons, 443 for https and 22 for ssh. That is it.

      If you need to connect remotely to another service you do it via SSH.

      Mysql is a database. Let it do databases. Let SSH do its job.

      When I see people use your logic you make my jaw drop. SSH for live. EVERYTHING over ssh. ALWAYS. Full stop, end of story. No argument.

      Exposing your database like this is insanity and you are asking for trouble. Mysql authentication is a joke and considering you are doing it this way, you probably have it set up wrong. Because what you are doing is wrong.

      Tunnel over SSH. It is a most basic tool. Read up on it, NOW! Google: mysql tunnel ssh

      Of course, next thing he will say is that he uses telnet for remote access; some admins would make Gandhi lose his temper.

  • Um... Not exactly. (Score:5, Insightful)

    by Minwee (522556) <dcr@neverwhen.org> on Wednesday November 14 2007, @11:32AM (#21349507) Homepage

    Let's read the article and see what that headline really means.

    Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle's database.

    He found 157 SQL servers and 53 Oracle servers.

    He found open ports on just over 200 servers, which correspond to the ports used by two popular database servers. That's all. The article doesn't say that he actually connected to them, confirmed that there were real databases running there, or even identified the owners. He found two hundred open ports out of a million randomly chosen addresses on the Internet. But "0.02% of Internet Connected Computers May Or May Not Be Running Database Software" just isn't the kind of headline that grabs attention.

    Unless there is a lot more detail, preferably from someone who isn't in the business of selling firewalls for databases [ngssoftware.com], then you'll have to forgive me for not being terribly concerned about this revelation.

    • Re:what? (Score:5, Insightful)

      by Anonymous Coward on Wednesday November 14 2007, @09:59AM (#21348631)
      Well this is quite simple and not really all that mysterious.
      If you secure your server correctly in the first place.
      Close up, secure and encrypt ports that consume passwords and serve data.
      You don't have a problem! Within reason of course.
      If that gets breached, a firewall won't protect you from an attack either.

      Du...

      I wonder how many people know that firewalls don't actually do anything.
      Except keep useless network fanboys employed.
      • Re:what? (Score:5, Insightful)

        by nurd68 (235535) on Wednesday November 14 2007, @10:08AM (#21348701) Homepage
        Thank you. It's about time someone else realized this.

        Firewalls are good for:
        - Helping to limit access to services which don't have built in access limits (think tcp-wrappers++)
        - Helping to protect a pile of machines over which you have little to no control (a bunch of desktops in the office, for example).

        When talking about servers, if you sufficiently harden your machine, a firewall does very little, especially if the service being compromised is one which the firewall allows pretty much anyone access to...
        • Re:what? (Score:5, Interesting)

          by ByOhTek (1181381) on Wednesday November 14 2007, @10:54AM (#21349127) Journal
          You have to assume all of the hardening works properly - stuff that is supposed to stay local-only, stays local-only, no issues with the operating system's and driver's general network code that will let something through anyway, no applications will open up ports you weren't aware of, etc.

          Now, sure, you can say "It's open source, it's got all kinds of people looking at it, of course it is secure." But face it: people make mistakes, and the more subtle the screwup, the more people it will take to find it. Eventually there will be a screwup too subtle for all the people looking to find. Then you have potential setup errors, something was missing in the documentation or overlooked by the individual doing the install/test, etc. You now have a vulnerability. Yes, none of these mistakes *should* exist, and having a firewall *shouldn't* be used as the *primary* method of protecting your system, but extra defense is good. The more software you run, the wider the variety of operating systems you run, the more likely one of these errors is to happen. A firewall is cheap (usually), and it happens to block this kind of attack.

          Yes, relying on a firewall as your only means of defense is stupid, and there is a lot it doesn't protect, but a door lock doesn't defend against all means of entrance - it doesn't mean you shouldn't lock your doors. A firewall *is* a nice backup to have in case of human error in the programming or setup of an application.
    • Chicago (Score:5, Funny)

      by deviantphil (543645) on Wednesday November 14 2007, @10:49AM (#21349073)
      I saw David at the Information Security Decision conference in Chicago last week. He presented his findings there...he seemed quite geeked about it. I thought he might cream himself on stage he was so excited.
      • by trolltalk.com (1108067) on Wednesday November 14 2007, @10:16AM (#21348759) Homepage Journal

        That's not true.

        For example, you may have a stand-alone java app at multiple locations that can query the database directly, so you'd definitely open up the port.

        This is just another example of "OMFG LOOK AT ME!!! I FOUND TEH SECURITY HOLE!" bullshit. Same as "your computer is broadcasting its IP address."

        Not everything has to go through a bloody web server.

        Their "idea" of a vulnerability was if the port was open - not if they could gain access.

        • Web Services? (Score:5, Informative)

          by keirre23hu (638913) <keirre.adams@gmail . c om> on Wednesday November 14 2007, @10:20AM (#21348793) Homepage
          I don't want to sound like a shill, but isn't this the rationale behind SOAP and such? Why leave a DB port open on the Internet? I agree that TFA may be blowing things out of proportion, but still, seems like an unnecessary risk.. at a minimum ip-filter the port.. do something other than let Joe Script-Kiddie find the port and (depending on the db software) crack your system.
          • Re:Web Services? (Score:5, Insightful)

            by trolltalk.com (1108067) on Wednesday November 14 2007, @10:58AM (#21349175) Homepage Journal

            The same argument could be made about ANY service/port, including http, ftp, etc. The premise of the article - that "port open == bad all by itself" - is junk.

            And as we have repeatedly seen, accessing your db through a web server gives 2 different attack vectors - flaws in the web server, and flaws in the middleware.

            Nothing except an unplugged box with the hard drive removed will ever be 100% secure.

            • Good Point, but... (Score:5, Insightful)

              by keirre23hu (638913) <keirre.adams@gmail . c om> on Wednesday November 14 2007, @11:09AM (#21349285) Homepage
              Personally, I would rather have my webserver, which is designed to be publicly available, and quite easy to secure, available - vs. WormBait such as MSSQL. I can't think of one good reason to have your DB Server port open to the inet. Need to link it to a remote server? VPN... The argument about the only secure system being completely disconnected is true, but doesn't apply here. The point is there is something that the person managing the server wants to make available, so there is inherent risk... the point is to take the "best" method to do that. The article is so much FUD, but doesn't excuse having the db port open to the inet.
                • by keirre23hu (638913) <keirre.adams@gmail . c om> on Wednesday November 14 2007, @01:39PM (#21351457) Homepage
                  The scanning method he used is not conclusive that all of the "hits" were vulnerable db servers. Also he only scanned for MSSQL and Oracle. What of Sybase, MySQL, Postgres, DB2, and all manner of other systems? MySQL has had a remote vuln in the past - I'm sure somewhere on the inet there are vuln versions running. I can't speak of the others. The bottom line is that his "research" misses a significant portion of what's running out there. How do you not add MySQL, when LAMP is a pretty prominent application foundation? I also don't see anything conclusive in TFA to show that it was more than verifying the port was open - how does he even know it's actually the database running there? He specifically states that corporate data is at risk, but he randomly chose IP ranges; would it not make more sense to randomly choose IP ranges from those known to be corporate networks? (info is available - ARIN, RIPE, APNIC, etc). Without a more rigorous study the article is most definitely FUD, as you can't definitively draw any conclusions from the results. What the article does do is cause a good discussion about why people should be more security-aware.
        • by COMON$ (806135) * on Wednesday November 14 2007, @10:57AM (#21349171) Journal
          Well even if you are not handling requests through a web server, which there are some cases where this is the best option. You should do some IP restriction. In the cases where I have set up a SQL server with a port open, I restrict access to that port by only allowing MY ips to hit it. Even then just the IPs that need access, don't go overboard and allow every IP you have get to it.

          I have mentioned this several times on slashdot but there is a severe lack of actual professionals in control of networks out there. I would say that there are all too many who have never even thought about security at this level, they just make sure that they have control of their users and pat themselves on their back for being able to make two servers talk across a WAN.

          This all derives from the misconception that you have to be 40+ to be a seasoned professional in the business world. The IT security field is a very new one relatively; some of the best security personnel are much younger than I am but never get considered because even with 5 years experience, a degree and several certifications, they are only 24 and therefore not worthy of note. (no I am not ranting about myself, I have a wonderful position for someone my age, but I know many IT geeks who get passed over because of their age, although no one would ever admit it.) Get the 40 year old guy who was a sociology major and did data entry for 10 years before being asked to take over NT environments. This way you get a 'seasoned' guy because he has a few more wrinkles and that makes him a better 'fit' and definitely must make him more capable.

          • by Nazlfrag (1035012) on Wednesday November 14 2007, @06:51PM (#21356107) Journal
            Simple solution to the age problem - grow a beard. A bearded IT professional commands fear and respect from his less hirsute colleagues, with his utter contempt for the mores of civilised society bristling boldly from his chin. Caution - only recommended for male IT workers.