Half a Million Database Servers 'Have no Firewall'
An anonymous reader writes "There are nearly half a million database servers exposed on the Internet, without firewall protection according to UK-based security researcher David Litchfield."
Re:Not Surprising (Score:5, Insightful)
I've seen a number of things cobbled together just to get a department or company through something that suddenly become available to a lot more people than the original target audience. It's a good argument for never taking short cuts when you're programming, but I'm sure there are a lot of people that have gotten something out on a deadline only to turn around and look at it later and say "What came over me to do it that way?"
Re:what? (Score:5, Insightful)
If you secure your server correctly in the first place.
Close up, secure and encrypt ports that consume passwords and serve data.
You don't have a problem! Within reason of course.
If that gets breached, a firewall won't protect you from an attack either.
Du...
I wonder how many people know that firewalls don't actually do anything.
Except keep useless network fanboys employed.
Yawn (Score:5, Insightful)
1. Because everyone knows that a firewall is the end all and be all of security.
2. How do they know they don't have a firewall and not just an open port?
3. Open port != DB server
5. Maybe some of them actually need/want to have remote people access them (and they don't know about VPNs(lolz))
6. Yeah some people should get their shit together
Did Mr. Litchfield crash his BMW and wants a new one? This just smacks of "ZOMG!!! Ur ports are open, give me ur monies and I will fix u!" His company is even linked in the fourth paragraph. Next please.
Corporate Data? (Score:4, Insightful)
Also, the sample of 1 million is very small to be drawing these conclusions.
In short, "Nothing to see here - move along."
Re:what? (Score:5, Insightful)
Firewalls are good for:
- Helping to limit access to services which don't have built in access limits (think tcp-wrappers++)
- Helping to protect a pile of machines over which you have little to no control (a bunch of desktops in the office, for example).
When talking about servers, if you sufficiently harden your machine, a firewall does very little, especially if the service being compromised is one which the firewall allows pretty much anyone access to...
Declaration of interest (Score:5, Insightful)
Oracle's listener on port 1521 (Score:5, Insightful)
I wish he had known what he was writing about before he actually wrote the damn article.
So? (Score:2, Insightful)
And the default combination of "root" and no password isn't as insecure as you think, because you still need to originate queries on the machine itself. You would have to get a web hosting account on the server (or find some idiot who wasn't chmod-ing uploaded files non-executable) in order to muck about. Or rather, giving each hosting customer their own database username and password and only GRANTing them permissions on their own databases is no more secure than having users use "root". Think about it; if you were running scripts on the server, then you could look in files in other people's home directories, where their database username and password would be clearly visible. There is no* workaround, either; the apache daemon has to have read access to every user's scripts, including the code used to undo any ad hoc obfuscation applied by users to passwords.
* Actually, you probably could have every user run an instance of httpd in their name, and listening on a non-privileged port which was firewalled off from the outside world. You'd then need one "master" server configured with a module which would do nothing but route incoming requests to specific ports based on hostname. I dread to think how slowly this would run.
Re:what? (Score:3, Insightful)
To be human is to err, and every Application/OS I've seen is programmed by humans. An extra layer of security doesn't hurt, especially against the bugs we don't know about yet - most bugs/security flaws weren't known about/understood prior to being fixed, and prior to fixing, they could have been exposed.
Also, consider that you might have a server with several ports open, some which by nature must be intranet only, others which must be internet also. In these cases a firewall helps keep things safe.
Yes, there are ideals on how things should be done, and in an ideal world, a firewall would not be necessary because (a) all the software would be programmed to be impenetrable by external network attacks, and (b) nobody would attack you anyway.
However, only the delusional live in an ideal world. And even then, only they know it...
Re:Have i missed something? (Score:3, Insightful)
Re:Not Surprising (Score:1, Insightful)
Too many times I see unchecked malloc()'s, realloc()'s, etc. Those need to be checked, but I think you can get by without making sure your printf()'s are working.
And ... (Score:2, Insightful)
Accountability is lacking (Score:3, Insightful)
No it isn't. Now, if there were some penalty to losing half a million identities that was borne by the database owner instead of the poor schmucks whose identities were stolen, then it would be amazing.
But when your data is stolen, I'm the one who has to pay. Why should you care? You're not paying.
Re:Not Surprising (Score:5, Insightful)
I've worked and volunteered for several non-profit, NGOs and small businesses. And worked in B2B sales selling computer equipment to them. Generally the IT staff is an outside consultant who does a few things (whatever they're able to afford). Setting up of complex computer equipment and software is often left to someone who's able to understand the instruction manual but no IT training (so it could be the receptionist, the director or somewhere in-between). Setting up a firewall is expensive and doesn't fit into many budgets of small organizations. Someone with no IT training may also think a DB server or networked printer needs no firewall.
Let me put it this way: as a non-IT worker, I haven't put 100% of my resources behind studying I.T. (software, hardware) etc. I've programmed computers and used computers since I was born. Despite being somewhat knowledgeable in TCP/IP and reading firewall and comp. security books (mostly for self-interest), I'm not confident I can even configure an adequate firewall for my home computer. Things like FreeBSD's IPFW are supposed to be "easy" to set up. Not my experience. It's sheer confusion. MS, Apple and some OSS firewalls are supposed to make it even easier. Block this port, block that port and that's it??? Don't think so. I'm not even 50% confident this solution provides adequate protection esp. for a NGO, non-profit, SMB or home computer. So how is someone not as well-read supposed to set up a firewall on a limited budget? But a pre-built hardware solution? Still, that needs to be set up and configured too. And even then, you still have to be knowledgeable enough to *test* whatever solution you're using to actually make sure it works and keeps your system well protected.
Not a trivial or inexpensive task. But people with no training or knowledge are often asked to do this.
Re:Not Surprising (Score:3, Insightful)
I would lean towards the 'unaware' part of your statement. I have no numbers to back up my opinion, but I am thinking that the vast majority of computer users don't have a clue about what they are using. Most know just enough to be dangerous to themselves and their PC. I see this at work where a user has been using a PC for the last 10 years, but still effectively knows nothing about it. To them, it is just a tool.
I believe that widespread knowledge of security and privacy practices won't come into play until another generation has been born and our oldest generation dies off. A kid born in 2000 has been exposed to computers since they were born and will be more aware. We have too many Baby Boomers and Generation X'ers who have to make an effort to adapt to the new knowledge, but are just too lazy.
Re:Web Services? (Score:5, Insightful)
The same argument could be made about ANY service/port, including http, ftp, etc. The premise of the article - that "port open == bad all by itself" - is junk.
And as we have repeatedly seen, accessing your db through a web server gives 2 different attack vectors - flaws in the web server, and flaws in the middleware.
Nothing except an unplugged box with the hard drive removed will ever be 100% secure.
But firewalls are part of that hardening. (Score:3, Insightful)
Good Point, but... (Score:5, Insightful)
Re:Web Services? (Score:3, Insightful)
Um... Not exactly. (Score:5, Insightful)
Let's read the article and see what that headline really means.
He found open ports on just over 200 servers, which correspond to the ports used by two popular database servers. That's all. The article doesn't say that he actually connected to them, confirmed that there were real databases running there, or even identified the owners. He found two hundred open ports out of a million randomly chosen addresses on the Internet. But "0.02% of Internet Connected Computers May Or May Not Be Running Database Software" just isn't the kind of headline that grabs attention.
Unless there is a lot more detail, preferably from someone who isn't in the business of selling firewalls for databases [ngssoftware.com], then you'll have to forgive me for not being terribly concerned about this revelation.
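The two comments above make the same point from different directions: an open TCP port is not proof that a database is listening behind it, and the article (as described) never says the found ports were actually connected to and confirmed. The check that is missing is to connect and read what the listener says first. The C below is an added example written for this page, not code from the article, from NGSSoftware or from any commenter. It parses a MySQL server greeting (Protocol::HandshakeV10, the first packet a MySQL server sends) with bounds checks on every field, because the bytes come from a stranger's machine, and classifies the result. The packet it parses is constructed inline; the version string "5.7.42-log" and connection id 42 are invented sample values. Note the limitation stated in the comments: MySQL speaks first, but SQL Server (1433) and Oracle's TNS listener (1521) wait for the client, so on those ports a silent open socket proves nothing either way without a protocol-specific probe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_SSL 0x0800u   /* capability flag: server will accept a TLS upgrade */

typedef struct {
    char server_version[64];
    uint32_t connection_id;
    uint16_t capabilities;   /* lower 16 bits of the capability flags */
    int ssl_supported;
} mysql_greeting;

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 and fills *out if buf holds a well-formed HandshakeV10 greeting
 * (3-byte little-endian length, sequence 0, protocol byte 0x0a, NUL-terminated
 * version, connection id, 8 bytes auth data, filler, capability flags). */
int parse_mysql_greeting(const uint8_t *buf, size_t len, mysql_greeting *out)
{
    if (len < 4) return 0;
    size_t payload_len = buf[0] | (size_t)buf[1] << 8 | (size_t)buf[2] << 16;
    if (buf[3] != 0) return 0;                  /* server greeting is sequence 0 */
    if (payload_len > len - 4) return 0;        /* truncated read: do not guess */
    const uint8_t *p = buf + 4, *end = p + payload_len;
    if (p == end || *p++ != 0x0a) return 0;     /* protocol version 10 */
    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
    if (nul == NULL) return 0;
    size_t vlen = (size_t)(nul - p);
    if (vlen == 0 || vlen >= sizeof out->server_version) return 0;
    memcpy(out->server_version, p, vlen);
    out->server_version[vlen] = '\0';
    p = nul + 1;
    if ((size_t)(end - p) < 4 + 8 + 1 + 2) return 0;
    out->connection_id = le32(p);
    p += 4 + 8;                                 /* skip id and auth-plugin-data-part-1 */
    if (*p++ != 0x00) return 0;                 /* filler byte */
    out->capabilities = (uint16_t)(p[0] | p[1] << 8);
    out->ssl_supported = (out->capabilities & CLIENT_SSL) != 0;
    return 1;
}

/* Classify a listener from the first bytes it sent (or did not send). */
const char *classify_listener(const uint8_t *first, size_t len, mysql_greeting *g)
{
    if (len == 0) return "open port, no greeting (inconclusive)";
    if (parse_mysql_greeting(first, len, g)) return "mysql";
    return "open port, unrecognised greeting";
}

/* Constructed sample greeting (not captured from any real host). */
size_t build_sample_greeting(uint8_t *buf, size_t cap)
{
    static const char version[] = "5.7.42-log", plugin[] = "mysql_native_password";
    uint8_t pl[128]; size_t n = 0;
    pl[n++] = 0x0a;
    memcpy(pl + n, version, sizeof version); n += sizeof version;   /* includes NUL */
    pl[n++] = 42; pl[n++] = 0; pl[n++] = 0; pl[n++] = 0;            /* connection id */
    memset(pl + n, 'A', 8); n += 8;                                  /* auth-plugin-data-part-1 */
    pl[n++] = 0x00;                                                  /* filler */
    pl[n++] = 0xff; pl[n++] = 0xff;                                  /* capabilities low, CLIENT_SSL set */
    pl[n++] = 0x21;                                                  /* character set */
    pl[n++] = 0x02; pl[n++] = 0x00;                                  /* status flags */
    pl[n++] = 0xff; pl[n++] = 0xc1;                                  /* capabilities high */
    pl[n++] = 21;                                                    /* auth plugin data length */
    memset(pl + n, 0, 10); n += 10;                                  /* reserved */
    memset(pl + n, 'B', 12); n += 12; pl[n++] = 0x00;                /* auth-plugin-data-part-2 */
    memcpy(pl + n, plugin, sizeof plugin); n += sizeof plugin;
    if (cap < n + 4) return 0;
    buf[0] = n & 0xff; buf[1] = (n >> 8) & 0xff; buf[2] = (n >> 16) & 0xff; buf[3] = 0;
    memcpy(buf + 4, pl, n);
    return n + 4;
}

/* 1 if the sample parses as expected and truncated/empty input is rejected. */
int selftest(void)
{
    uint8_t pkt[256]; mysql_greeting g;
    size_t n = build_sample_greeting(pkt, sizeof pkt);
    if (n == 0 || strcmp(classify_listener(pkt, n, &g), "mysql") != 0) return 0;
    if (strcmp(g.server_version, "5.7.42-log") != 0 || g.connection_id != 42 || !g.ssl_supported) return 0;
    if (parse_mysql_greeting(pkt, 10, &g) != 0) return 0;
    if (strcmp(classify_listener(pkt, 0, &g), "open port, no greeting (inconclusive)") != 0) return 0;
    return 1;
}

int main(void)
{
    uint8_t pkt[256]; mysql_greeting g;
    size_t n = build_sample_greeting(pkt, sizeof pkt);
    printf("%s: %s (connection id %u, TLS %s)\n", classify_listener(pkt, n, &g),
           g.server_version, (unsigned)g.connection_id, g.ssl_supported ? "offered" : "not offered");
    return selftest() ? 0 : 1;
}
```

In a real survey the bytes passed to classify_listener come from a recv() with a short timeout right after connect(); the parser deliberately refuses a truncated packet rather than reporting whatever it managed to read, so a half-received greeting is counted as "unconfirmed", not as a database.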
Re:Not Surprising (Score:2, Insightful)
Not necessarily rubbish if it is justifiable. In state machine construction, there are two choices to make for invalid events: ignore or can't happen. Can't happen events should be handled as exceptions, but ignore events can be ignored. There are cases where it is perfectly valid to ignore the return event of a printf.
Managers/companies who can't be flexible where logic dictates can be more trouble than they're worth as well.
Re:Not Surprising (Score:3, Insightful)
For 'almost impossible' conditions, dying immediately with an error message is maybe not ideal, but still a hundred times better than silently ignoring the error and reporting success.
Re:Have i missed something? (Score:3, Insightful)
Re:Oracle's listener on port 1521 (Score:2, Insightful)
I wish you had looked up who he is and what he has done in the past before you make such a statement.
Perfectly reasonable behaviour. (Score:2, Insightful)
I say its FUD because (Score:5, Insightful)
Re:Have i missed something? (Score:3, Insightful)
Nope nope nopity nope.
The issue is not with a secure (or otherwise) port being exposed to the internet, the real security issue is the question of where has business logic just been moved?
REGARDLESS of whether the database server listens on port 35530, has super duper extra strength nine fafillion bit crypto (now with more caffeine!!! (tm) ) and only accepts connections from your permanently manned shell server in Bratislava.
YOU (as in your server) should be in charge of ALL the logic that determines whether data from a client machine is valid data.
Putting ANY tier except a restricted presentation tier on ANY machine outside of your direct control and audit is an invitation for someone (and experience teaches, someone that business has explicitly granted access), to fsck with the data going to the database.
Next thing you know, some guy from the mailroom is driving a Bugatti in the Bahamas, and you get called to a board meeting with nothing but your dick and your oh so nifty firewall ruleset printout in your hand.
Simple, no?
The Sproggg
Re:Not Surprising (Score:1, Insightful)
If printf fails, your application should behave intelligently! If there's a critical error that is relevant to correct interpretation of the data being output, you should abort execution. If it is noncritical continue as you were, and seriously question why you were outputting anything anyway (maybe verbose mode?)
If I'm merging five files, and file #3 exists but is not readable, and you can't write to stderr or stdout and it's an important report--continue the task, but exit with an error code! Silent propagation of failure is one of the largest problems I've encountered in old codebases, and it just grows and grows poisoning everything and programmers have the audacity to blame the DBA or users for their lack of handling. Printf can fail, malloc can fail--exceptional cases deserve to be handled--if you don't know how to handle it, then your program is only partially corre
Re:Not Surprising (Score:3, Insightful)
So, it's an error when printf() doesn't output the expected number of bytes. Check.
Ummm, how do you determine exactly how many bytes it should have written so that you can compare the values? I can't really think of any way you could correctly do that in a locale-sensitive manner without re-implementing printf() in the first place, at which point the whole thing is moot and you're fired for dicking around too much on the job.
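The printf sub-thread above turns on a practical question: how do you check printf without knowing how many bytes it should have written? You don't compare counts. fprintf returns a negative value on error, and because stdio buffers, the write to the device usually happens at fflush or fclose, so those return values and ferror() are what decide whether the report was delivered. The C below is an added example for this page, not code posted by any commenter. The report lines are constructed sample text, and the function names are mine. It follows the advice given earlier in the thread: finish the job if you can, but exit non-zero if the output could not be written, instead of reporting success.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Write lines to out.  Returns 0 only if every byte reached the stream.
 * fprintf's count on success is irrelevant; a negative return is the error.
 * A buffered stream can accept every fprintf and still fail at fflush, so
 * the flush and the stream's error flag are checked as well. */
int emit_report(FILE *out, const char *const *lines, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (fprintf(out, "%s\n", lines[i]) < 0)
            return -1;
    }
    if (fflush(out) != 0 || ferror(out))
        return -1;
    return 0;
}

/* Write the report to path and return the process exit status.  The caller
 * learns about a lost or truncated report through the exit code rather than
 * being told everything went fine. */
int run_report_to_path(const char *path)
{
    static const char *const lines[] = {            /* constructed sample report */
        "file1: merged", "file2: merged", "file3: exists but unreadable, skipped",
    };
    FILE *out = fopen(path, "w");
    if (out == NULL) {
        fprintf(stderr, "report: cannot open %s: %s\n", path, strerror(errno));
        return EXIT_FAILURE;
    }
    int rc = emit_report(out, lines, sizeof lines / sizeof lines[0]);
    if (rc != 0)
        fprintf(stderr, "report: output to %s failed: %s\n", path, strerror(errno));
    /* fclose flushes too and can fail for the same reasons; check it. */
    if (fclose(out) != 0 && rc == 0) {
        fprintf(stderr, "report: closing %s failed: %s\n", path, strerror(errno));
        rc = -1;
    }
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}

int main(int argc, char **argv)
{
    /* On Linux, /dev/full accepts the open and fails every write with ENOSPC,
     * which exercises the failure path: fprintf succeeds into the buffer,
     * fflush fails, and the program exits non-zero. */
    return run_report_to_path(argc > 1 ? argv[1] : "/dev/stdout");
}
```

Running it with /dev/full as the argument shows the case the thread argues about: every fprintf call returns a positive count, yet no byte was ever written, and only the fflush/ferror check catches it.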