Half a Million Database Servers 'Have no Firewall'
An anonymous reader writes "There are nearly half a million database servers exposed on the Internet, without firewall protection, according to UK-based security researcher David Litchfield."
Have I missed something? (Score:3, Informative)
Not Surprising (Score:5, Informative)
This isn't so surprising:
The world at large is uninterested and/or unaware of security when it comes to computers.
Re:Have I missed something? (Score:3, Informative)
The more logical (and secure) solution would be
{internet}
|
app-servers
| (internal network)
db-servers
You missed something too (Score:2, Informative)
The proper setup looks like this:
{internet}
|
firewall
|
app-servers
|
db-servers
Re:Have I missed something? (Score:5, Informative)
That's not true.
For example, you may have a stand-alone java app at multiple locations that can query the database directly, so you'd definitely open up the port.
This is just another example of "OMFG LOOK AT ME!!! I FOUND TEH SECURITY HOLE!" bullshit. Same as "your computer is broadcasting its IP address."
Not everything has to go through a bloody web server.
Their "idea" of a vulnerability was if the port was open - not if they could gain access.
Web Services? (Score:5, Informative)
Re:Have I missed something? (Score:5, Informative)
I have mentioned this several times on slashdot but there is a severe lack of actual professionals in control of networks out there. I would say that there are all too many who have never even thought about security at this level, they just make sure that they have control of their users and pat themselves on their back for being able to make two servers talk across a WAN.
This all derives from the misconception that you have to be 40+ to be a seasoned professional in the business world. The IT security field is a very new one relatively, some of the best security personnel are much younger than I am but never get considered because even with 5 years experience, a degree and several certifications, they are only 24 and therefore not worthy of note. (no I am not ranting about myself, I have a wonderful position for someone my age, but I know many IT geeks who get passed over because of their age, although no one would ever admit it.) Get the 40 year old guy who was a sociology major and did data entry for 10 years before being asked to take over NT environments. This way you get a 'seasoned' guy because he has a few more wrinkles and that makes him a better 'fit' and definitely must make him more capable.
Re:Oracle's listener on port 1521 (Score:2, Informative)
Re:Well... (Score:3, Informative)
Might I introduce you to SSH (Score:5, Informative)
A webserver needs at most three ports open, 80, for obvious reasons, 443 for https and 22 for ssh. That is it.
If you need to connect remotely to another service you do it via SSH.
Mysql is a database. Let it do databases. Let SSH do its job.
When I see people use your logic you make my jaw drop. SSH for live. EVERYTHING over ssh. ALWAYS. Full stop, end of story. No argument.
Exposing your database like this is insanity and you are asking for trouble. Mysql authentication is a joke and considering you are doing it this way, you probably have it setup wrong. Because what you are doing is wrong.
Tunnel over SSH. It is a most basic tool. Read up on it, NOW! Google: mysql tunnel ssh
Of course, next thing he will say is that he uses telnet for remote access; some admins would make Gandhi lose his temper.
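The check and the fix the "Might I introduce you to SSH" comment is getting at, as an added example that is not part of the thread: flag database listeners bound to every interface instead of loopback, then build the SSH local port forward a client would use instead of an open database port. The `ss -ltn` sample output, the ports, and the `dbadmin@db.example.com` host are constructed for the example.

```shell
# Added example, not from the thread. Input is the shape of `ss -ltn`
# (or `netstat -ltn`) output; a constructed sample is embedded so it runs offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128    0.0.0.0:1521         0.0.0.0:*
LISTEN 0      128    [::]:1433            [::]:*
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*'

# Default ports for MySQL, the Oracle listener and MS SQL Server.
DB_PORTS='3306 1521 1433'

# Print "port local-address" for every database port bound to a wildcard
# address (0.0.0.0, [::] or *), i.e. reachable from outside the host.
# A listener on 127.0.0.1 is not reported: that is the state we want.
exposed_db_listeners() {
    printf '%s\n' "$SAMPLE_SS" | while read -r state _ _ local _; do
        [ "$state" = "LISTEN" ] || continue
        port=${local##*:}          # text after the last colon
        addr=${local%:*}           # everything before it
        case " $DB_PORTS " in
            *" $port "*) ;;        # a database port: keep going
            *) continue ;;         # anything else (e.g. 22): ignore
        esac
        case "$addr" in
            0.0.0.0|'[::]'|'*') echo "$port $addr" ;;
        esac
    done
}

# The alternative the commenter describes: keep the database on 127.0.0.1 and
# reach it through an SSH local port forward. Prints the client-side command.
#   $1 = user@host for SSH (hypothetical), $2 = remote db port, $3 = local port
ssh_tunnel_cmd() {
    echo "ssh -N -L $3:127.0.0.1:$2 $1"
}

exposed_db_listeners
ssh_tunnel_cmd dbadmin@db.example.com 3306 13306
```

With the tunnel up, the client connects to `127.0.0.1:13306` and only port 22 needs to be reachable on the database host.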
Re:Have I missed something? (Score:2, Informative)
Re:Web Services? (Score:3, Informative)
The "researchers" who claimed that an open port is, in and of itself, a security risk, need to realize that an open port is just that - an open port. It means nothing if you don't know how the machine is configured.
Re:Not Surprising (Score:2, Informative)
If you read the documentation for those functions (man 3 printf), you'll see that an error is signalled by returning a negative value. The length is not to be used for error-analysis unless it's negative. It's more for something like this: