Half a Million Database Servers 'Have no Firewall'

An anonymous reader writes "There are nearly half a million database servers exposed on the Internet, without firewall protection according to UK-based security researcher David Litchfield."
  • Re:Not Suprising (Score:5, Insightful)

    by faloi ( 738831 ) on Wednesday November 14, 2007 @09:57AM (#21348607)
    And don't forget the "Good news, we just made your application/database/whatever accessible to everybody!"

    I've seen a number of things cobbled together just to get a department or company through something that suddenly become available to a lot more people than the original target audience. It's a good argument for never taking short cuts when you're programming, but I'm sure there are a lot of people that have gotten something out on a deadline only to turn around and look at it later and say "What came over me to do it that way?"
  • Re:what? (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 14, 2007 @09:59AM (#21348631)
    Well this is quite simple and not really all that mysterious.
    If you secure your server correctly in the first place.
    Close up, secure and encrypt ports that consume passwords and serve data.
    You don't have a problem! Within reason of course.
    If that gets breached, a firewall won't protect you from an attack either.

    Du...

    I wonder how many people know that firewalls don't actually do anything.
    Except keep useless network fanboys employed.
  • Yawn (Score:5, Insightful)

    by riffzifnab ( 449869 ) on Wednesday November 14, 2007 @10:00AM (#21348641) Journal
    Just a quick list of stuff I would like to point out:

    1. Because everyone knows that a firewall is the end all and be all of security.
    2. How do they know they don't have a firewall and not just an open port?
    3. Open port != DB server

    Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle's database.
    4. Not all DBs are huge corporate DBs. Hell some versions of MS Office install SQL on your computer.
    5. Maybe some of them actually need/want to have remote people access them (and they don't know about VPNs(lolz))
    6. Yeah some people should get their shit together

    Did Mr. Litchfield crash his BMW and wants a new one? This just smacks of "ZOMG!!! Ur ports are open, give me ur monies and I will fix u!" His company is even linked in the fourth paragraph. Next please.
  • Corporate Data? (Score:4, Insightful)

    by allcar ( 1111567 ) on Wednesday November 14, 2007 @10:01AM (#21348651)
    From TFA:

    With no firewall, databases are exposed to hackers, putting corporate data at risk.
    How does he draw the conclusion that these are corporate databases? Nothing in the methodology provides this insight. I would expect that the majority of these are owned by kids and hobbyists, which would help to explain the preponderance of MS SQL servers over Oracle.
    Also, the sample of 1 million is very small to be drawing these conclusions.
    In short, "Nothing to see here - move along."
  • Re:what? (Score:5, Insightful)

    by nurd68 ( 235535 ) on Wednesday November 14, 2007 @10:08AM (#21348701) Homepage
    Thank you. It's about time someone else realized this.

    Firewalls are good for:
    - Helping to limit access to services which don't have built in access limits (think tcp-wrappers++)
    - Helping to protect a pile of machines over which you have little to no control (a bunch of desktops in the office, for example).

    When talking about servers, if you sufficiently harden your machine, a firewall does very little, especially if the service being compromised is one which the firewall allows pretty much anyone access to...
  • by LordSnooty ( 853791 ) on Wednesday November 14, 2007 @10:13AM (#21348721)
    TFA mentions he works for Next Generation Security Software [ngssoftware.com].

    "In the fast-moving world of software security it pays to have allies you can trust. Government, business and software vendors all turn to the global expertise of NGSSoftware for the protection they need. You can rely on us too... "
    He has a product to sell, the report features some flaky extrapolation of data ("well, if I found this many across a million servers, on the whole internet there must be LOADS!") - why are we bothering with this?
  • by IdleTime ( 561841 ) on Wednesday November 14, 2007 @10:14AM (#21348741) Journal
    Just because the listener is accessible on port 1521 from the outside, doesn't mean the database itself is directly available. Depending on what identification method is set up, you may have to identify yourself to the listener first using one of many ID schemes before the listener will connect you to the database itself, which may be well protected behind a firewall.

    I wish he had known what he was writing about before he actually wrote the damn article.
  • So? (Score:2, Insightful)

    by ajs318 ( 655362 ) <sd_resp2@@@earthshod...co...uk> on Wednesday November 14, 2007 @10:15AM (#21348749)
    # iptables -I INPUT 1 -p tcp --dport 3306 -j DROP -- how hard can that be?

    And the default combination of "root" and no password isn't as insecure as you think, because you still need to originate queries on the machine itself. You would have to get a web hosting account on the server (or find some idiot who wasn't chmod-ing uploaded files non-executable) in order to muck about. Or rather, giving each hosting customer their own database username and password and only GRANTing them permissions on their own databases is no more secure than having users use "root". Think about it; if you were running scripts on the server, then you could look in files in other people's home directories, where their database username and password would be clearly visible. There is no* workaround, either; the apache daemon has to have read access to every user's scripts, including the code used to undo any ad hoc obfuscation applied by users to passwords.

    * Actually, you probably could have every user run an instance of httpd in their name, and listening on a non-privileged port which was firewalled off from the outside world. You'd then need one "master" server configured with a module which would do nothing but route incoming requests to specific ports based on hostname. I dread to think how slowly this would run.
  • Re:what? (Score:3, Insightful)

    by ByOhTek ( 1181381 ) on Wednesday November 14, 2007 @10:23AM (#21348817) Journal
    But that assumes that everything is programmed properly and infallible.

    To be human is to err, and every Application/OS I've seen is programmed by humans. An extra layer of security doesn't hurt, especially against the bugs we don't know about yet - most bugs/security flaws weren't known about/understood prior to being fixed, and prior to fixing, they could have been exposed.

    Also, consider that you might have a server with several ports open, some which by nature must be intranet only, others which must be internet also. In these cases a firewall helps keep things safe.

    Yes, there are ideals on how things should be done, and in an ideal world, a firewall would not be necessary because (a) all the software would be programmed to be impenetrable by external network attacks, and (b) nobody would attack you anyway.

    However, only the delusional live in an ideal world. And even then, only they know it...
  • by MightyYar ( 622222 ) on Wednesday November 14, 2007 @10:25AM (#21348837)
    Wouldn't it be safer to connect to the database through a VPN or other encrypted connection (ssh, etc)? I still don't see why you'd want your database right out there on the public internet, no matter how much trust you have in the authentication... why have more points of entry than is necessary?
  • Re:Not Suprising (Score:1, Insightful)

    by Anonymous Coward on Wednesday November 14, 2007 @10:30AM (#21348891)
    The GP's point is valid, but he should have used a better function as an example.

    Too many times I see unchecked malloc()'s, realloc()'s, etc. Those need to be checked, but I think you can get by without making sure your printf()'s are working.
  • And ... (Score:2, Insightful)

    by zolf13 ( 941799 ) on Wednesday November 14, 2007 @10:33AM (#21348909)
    ... how many IP addresses have their TCP port 80 opened? Maybe let's start with installing firewall on 83.138.183.169, so I don't have to waste time reading useless research.
  • by sm62704 ( 957197 ) on Wednesday November 14, 2007 @10:35AM (#21348923) Journal
    Litchfield said that, given the amount of press generated by corporate data breaches over the past two years, it's amazing to find that there are more databases exposed than ever before.

    No it isn't. Now, if there were some penalty to losing half a million identities that was borne by the database owner instead of the poor schmucks whose identities were stolen, then it would be amazing.

    But when your data is stolen, I'm the one who has to pay. Why should you care? You're not paying.
  • Re:Not Suprising (Score:5, Insightful)

    by failedlogic ( 627314 ) on Wednesday November 14, 2007 @10:39AM (#21348967)
    I'm not an IT worker, but I think the idea that because some people don't know what "xyz" is, ignores a basic pretense in this circumstance. I'm not going to pretend this example explains all or some of the 1/2 non-FW DB servers.

    I've worked and volunteered for several non-profit, NGOs and small businesses. And worked in B2B sales selling computer equipment to them. Generally the IT staff is an outside consultant who does a few things (whatever they're able to afford). Setting up of complex computer equipment and software is often left to someone who's able to understand the instruction manual but no IT training (so it could be the receptionist, the director or somewhere in-between). Setting up a firewall is expensive and doesn't fit into many budgets of small organizations. Someone with no IT training may also think a DB server or networked printer needs no firewall.

    Let me put it this way: as a non-IT worker, I haven't put 100% of my resources behind studying I.T. (software, hardware) etc. I've programmed computers and used computers since I was born. Despite being somewhat knowledgeable in TCP/IP and reading firewall and comp. security books (mostly for self-interest), I'm not confident I can even configure an adequate firewall for my home computer. Things like FreeBSD's IPFW are supposed to be "easy" to set up. Not my experience. It's sheer confusion. MS, Apple and some OSS firewalls are supposed to make it even easier. Block this port, block that port and that's it??? Don't think so. I'm not even 50% confident this solution provides adequate protection esp. for a NGO, non-profit, SMB or home computer. So how is someone not as well-read supposed to set up a firewall on a limited budget? But a pre-built hardware solution? Still that needs to be set up and configured too. And even then, you still have to be knowledgeable enough to *test* whatever solution you're using to actually make sure it works and keeps your system well protected.

    Not a trivial or inexpensive task. But people with no training or knowledge are often asked to do this.
  • Re:Not Suprising (Score:3, Insightful)

    by Ngarrang ( 1023425 ) on Wednesday November 14, 2007 @10:48AM (#21349071) Journal

    The world at large is uninterested and/or unaware of security when it comes to computers.

    I would lean towards the 'unaware' part of your statement. I have no numbers to back up my opinion, but I am thinking that the vast majority of computer users don't have a clue about what they are using. Most know just enough to be dangerous to themselves and their PC. I see this at work where a user has been using a PC for the last 10 years, but still effectively knows nothing about it. To them, it is just a tool.

    I believe that widespread knowledge of security and privacy practices won't come into play until another generation has been born and our oldest generation dies off. A kid born in 2000 has been exposed to computers since they were born and will be more aware. We have too many Baby Boomers and Generation X'ers who have to make an effort to adapt to the new knowledge, but are just too lazy.

  • Re:Web Services? (Score:5, Insightful)

    by trolltalk.com ( 1108067 ) on Wednesday November 14, 2007 @10:58AM (#21349175) Homepage Journal

    The same argument could be made about ANY service/port, including http, ftp, etc. The premise of the article - that "port open == bad all by itself" - is junk.

    And as we have repeatedly seen, accessing your db through a web server gives 2 different attack vectors - flaws in the web server, and flaws in the middleware.

    Nothing except an unplugged box with the hard drive removed will ever be 100% secure.

  • by Chabil Ha' ( 875116 ) on Wednesday November 14, 2007 @11:05AM (#21349257)
    The firewall should be one of the first lines of defense. If that gets circumvented, you got all these other layers of defense in there. The firewall isn't the be all answer to security, it's a part of the complete armor.
  • Good Point, but... (Score:5, Insightful)

    by keirre23hu ( 638913 ) <j2k4real@gmail . c om> on Wednesday November 14, 2007 @11:09AM (#21349285) Homepage
    Personally, I would rather have my webserver, which is designed to be publicly available, and quite easy to secure, available - vs. WormBait such as MSSQL. I can't think of one good reason to have your DB Server port open to the inet. Need to link it to a remote server? VPN... The argument about the only secure system being completely disconnected is true, but doesn't apply here. The point is there is something that the person managing the server wants to make available, so there is inherent risk... the point is to take the "best" method to do that. The article is so much FUD, but doesn't excuse having the db port open to the inet.
  • Re:Web Services? (Score:3, Insightful)

    by markov_chain ( 202465 ) on Wednesday November 14, 2007 @11:20AM (#21349395)
    This attitude makes me sad. It used to be weird to want to close off access to stuff and in the process break the built-in openness of the Internet. Then the non-geeks moved in, and hungry-hungry-Hippo ensued-- now you gotta write a ten page position paper to justify opening a port. Meh.
  • Um... Not exactly. (Score:5, Insightful)

    by Minwee ( 522556 ) <dcr@neverwhen.org> on Wednesday November 14, 2007 @11:32AM (#21349507) Homepage

    Let's read the article and see what that headline really means.

    Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle's database.

    He found 157 SQL servers and 53 Oracle servers.

    He found open ports on just over 200 servers, which correspond to the ports used by two popular database servers. That's all. The article doesn't say that he actually connected to them, confirmed that there were real databases running there, or even identified the owners. He found two hundred open ports out of a million randomly chosen addresses on the Internet. But "0.02% of Internet Connected Computers May Or May Not Be Running Database Software" just isn't the kind of headline that grabs attention.

    Unless there is a lot more detail, preferably from someone who isn't in the business of selling firewalls for databases [ngssoftware.com], then you'll have to forgive me for not being terribly concerned about this revelation.

  • Re:Not Suprising (Score:2, Insightful)

    by lwriemen ( 763666 ) on Wednesday November 14, 2007 @11:37AM (#21349549)
    > No offense intended, but in no case should any programmer fail to see that "If you can't correct it, you needn't detect it." is rubbish.

    Not necessarily rubbish if it is justifiable. In state machine construction, there are two choices to make for invalid events: ignore or can't happen. Can't happen events should be handled as exceptions, but ignore events can be ignored. There are cases where it is perfectly valid to ignore the return event of a printf.

    Managers/companies who can't be flexible where logic dictates can be more trouble than they're worth as well.
  • Re:Not Suprising (Score:3, Insightful)

    by Ed Avis ( 5917 ) <ed@membled.com> on Wednesday November 14, 2007 @11:50AM (#21349733) Homepage
    You can't correct it, but you should at least notify the user rather than continuing blindly. For example, if you are writing to an output file with printf() and the write fails, you shouldn't go on to tell the user that the file was saved successfully.

    For 'almost impossible' conditions, dying immediately with an error message is maybe not ideal, but still a hundred times better than silently ignoring the error and reporting success.
  • by plague3106 ( 71849 ) on Wednesday November 14, 2007 @11:52AM (#21349751)
    I don't understand why everyone says to use VPNs when most decent database servers offer encrypted connections already.
  • by nstlgc ( 945418 ) on Wednesday November 14, 2007 @12:34PM (#21350323)
    I wish he had known what he was writing about before he actually wrote the damn article.
    I wish you had looked up who he is and what he has done in the past before you make such a statement.
  • by EddyPearson ( 901263 ) on Wednesday November 14, 2007 @12:53PM (#21350653) Homepage
    "There are approximately 368,000 Microsoft SQL Servers... and about 124,000 Oracle database servers directly accessible on the Internet" Any DBA worth his salt KNOWS how to secure a SQL server without a firewall. It's not like 'sa' was left with a blank password and remote access enabled on these, it's just an open port. One of our DB servers has port 1433 open to the WAN (it was that or a site to site VPN), it is perfectly secure, and even if it wasn't, a complete muppet could secure a default SQL Server install. But get this! I've found literally millions of servers with port 80 open to the WAN! I gather it's used for a rather obscure protocol called HTTP. If I take a random sample of 1000 HTTP and SQL servers, I'll bet I'd get more webservers I could break into than SQL Servers (simply because there are many more attack vectors for HTTP, insecure scripts etc). This article draws attention to absolutely fuck all. David Litchfield is a well respected security researcher, I don't know why he sees this as such a big issue, that is, unless he's sitting on a 0day remote SQL server exploit, but I won't hold my breath.
  • by keirre23hu ( 638913 ) <j2k4real@gmail . c om> on Wednesday November 14, 2007 @01:39PM (#21351457) Homepage
    The scanning method he used is not conclusive that all of the "hits" were vulnerable db servers. Also he only scanned for MSSQL and Oracle. What of Sybase, MySQL, Postgres, DB2, and all manner of other systems? MySQL has had a remote vuln in the past - I'm sure somewhere on the inet there are vuln versions running. I can't speak of the others. The bottom line is that his "research" misses a significant portion of what's running out there. How do you not add MySQL, when LAMP is a pretty prominent application foundation? I also don't see anything conclusive in TFA to show that it was more than verifying the port was open - how does he even know it's actually the database running there? He specifically states that corporate data is at risk, but he randomly chose IP ranges; would it not make more sense to randomly choose IP ranges from those known to be corporate networks? (info is available - ARIN, RIPE, APNIC, etc). Without a more rigorous study the article is most definitely FUD, as you can't definitively draw any conclusions from the results. What the article does do is cause a good discussion about why people should be more security-aware.
  • by Sproggit ( 18426 ) on Wednesday November 14, 2007 @02:12PM (#21352061)
    > "Fundamentally, a database server that takes connections over TCP/IP ought to be secure enough to expose on the public internet"

    Nope nope nopity nope.
    The issue is not with a secure (or otherwise) port being exposed to the internet, the real security issue is the question of where has business logic just been moved?
    REGARDLESS of whether the database server listens on port 35530, has super duper extra strength nine fafillion bit crypto (now with more caffeine!!! (tm) ) and only accepts connections from your permanently manned shell server in Bratislava.
    YOU (as in your server) should be in charge of ALL the logic that determines whether data from a client machine is valid data.

    Putting ANY tier except a restricted presentation tier on ANY machine outside of your direct control and audit is an invitation for someone (and experience teaches, someone that business has explicitly granted access), to fsck with the data going to the database.

    Next thing you know, some guy from the mailroom is driving a Bugatti in the Bahamas, and you get called to a board meeting with nothing but your dick and your oh so nifty firewall ruleset printout in your hand.

    Simple, no?

    The Sproggg

  • Re:Not Suprising (Score:1, Insightful)

    by Anonymous Coward on Wednesday November 14, 2007 @03:04PM (#21352887)
    Sigh. I don't know if this is modded funny because people think you're right about an inane example, or because it's obvious.

    If printf fails, your application should behave intelligently! If there's a critical error that is relevant to correct interpretation of the data being output, you should abort execution. If it is noncritical continue as you were, and seriously question why you were outputting anything anyway (maybe verbose mode?)

    If I'm merging five files, and file #3 exists but is not readable, and you can't write to stderr or stdout and it's an important report--continue the task, but exit with an error code! Silent propagation of failure is one of the largest problems I've encountered in old codebases, and it just grows and grows poisoning everything and programmers have the audacity to blame the DBA or users for their lack of handling. Printf can fail, malloc can fail--exceptional cases deserve to be handled--if you don't know how to handle it, then your program is only partially corre
  • Re:Not Suprising (Score:3, Insightful)

    by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Wednesday November 14, 2007 @05:09PM (#21354725) Homepage Journal

    To answer the quote above: in C and C++ printf() [including fprintf() and sprintf()] returns an int, representing the number of characters formatted and written out - and not including any null byte appended as a string terminator.

    So, it's an error when printf() doesn't output the expected number of bytes. Check.

    Ummm, how do you determine exactly how many bytes it should have written so that you can compare the values? I can't really think of any way you could correctly do that in a locale-sensitive manner without re-implementing printf() in the first place, at which point the whole thing is moot and you're fired for dicking around too much on the job.
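Ed Avis's point above (tell the user the write failed instead of reporting success) and the question just above about how you would know the expected byte count, as an added C example that is not from any commenter: no expected count is needed, only a check for a negative fprintf() return, followed by fflush()/ferror()/fclose(), since fprintf() may only have filled the stdio buffer. As an assumption, fmemopen() with a deliberately small buffer stands in for a full disk, and the report lines are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Write a small report to an already-open stream.
 * Returns 0 on success, -1 if any write failed.  The expected byte
 * count is never computed: a negative return from fprintf() is the
 * per-call failure signal, and whatever fprintf() merely buffered is
 * pushed to the device by fflush(), whose result (plus ferror())
 * covers the real write. */
int write_report(FILE *out, const char *const *lines, size_t n)
{
    if (fprintf(out, "report: %zu lines\n", n) < 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (fprintf(out, "%zu: %s\n", i + 1, lines[i]) < 0)
            return -1;
    }
    if (fflush(out) != 0 || ferror(out))
        return -1;
    return 0;
}

/* Stand-in for an output device: a memory stream of `cap` bytes
 * (fmemopen, POSIX.1-2008).  A capacity smaller than the report plays
 * the role of a full disk.  Returns write_report()'s status, or -1 if
 * fclose() itself fails, since a close can still lose buffered data. */
int report_to_buffer(char *buf, size_t cap)
{
    /* constructed sample lines */
    static const char *const lines[] = { "alpha", "beta", "gamma" };
    memset(buf, 0, cap);
    FILE *out = fmemopen(buf, cap, "w");
    if (out == NULL)
        return -1;
    int rc = write_report(out, lines, 3);
    if (fclose(out) != 0)
        rc = -1;
    return rc;
}

/* Backing storage for the simulated device, kept static so the
 * content of the last report can be inspected after the call. */
static char report_buf[256];

/* Run the report against a simulated device of `cap` bytes (cap <= 256).
 * Returns 0 when every write succeeded, -1 otherwise. */
int report_with_capacity(size_t cap)
{
    if (cap > sizeof report_buf)
        cap = sizeof report_buf;
    return report_to_buffer(report_buf, cap);
}

int main(void)
{
    int ok = report_with_capacity(256);  /* whole report fits */
    int full = report_with_capacity(8);  /* "disk full" after 7 bytes */
    /* Only claim success when every write was checked and succeeded. */
    printf("large device: %s\n", ok == 0 ? "saved" : "write failed");
    printf("tiny device:  %s\n", full == 0 ? "saved" : "write failed");
    return (ok == 0 && full != 0) ? 0 : 1;
}
```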
