Insecurity by default (was: MySQL Help)

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Jun 29 02:28:15 UTC 2006


On 6/28/06, Stephen <stephen-d-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org> wrote:
> Jason Spiro wrote:
> >> > The MySQL docs say networking is on by default.
> >>
> >> e.g. - insecure by default.
> >
> > I hate "insecure by default" products. It's led to so many PHP
> > injection attacks internet wide you wouldn't believe it, including PHP
> > bulletin board software worms that attack server machines.
> >
> > How can "insecurity by default" be discouraged, though? Boycott such
> > products???
>
> Hmmm... how often is a database server never accessed across a network?
>
> I agree with the sentiment, but this is not a very good example of a
> violation.

_The Database Hacker's Handbook : Defending Database Servers_ points
at this very issue as being a visible failing of most of the 7
databases that it analyzes in depth.

Yes, databases are commonly accessed across a network; configuring it
to be thus accessible by default, is, however, a clear mistake.  It
means that if the database is installed, by default, then there's a
hole.  If you weren't aware that the database was installed, that's a
hole you are unaware of.

At one time, Red Hat's distributions opened up a whole lot of services
to the network by default.  "Script kiddies" had a heyday with this;
they had services to attack that users weren't even aware they had
running and needed to secure.

> I just don't see that many database administrators going into the server
> room to do their work.

Nonsense.  I'm not talking about some requirement of going to the
console to access the database.  Defaulting to "local only" is a
decent start; that requires that you have SSH access; that gets you to
a shell on the DB server, and from there, you can use local access.

If you only have one server in your environment, THAT'S FINE.  Local
access is all that's needed; restricting access to the DB to local
users means that an attacker has to get in via ssh or telnet or such,
and has already gotten local access.
-- 
http://www3.sympatico.ca/cbbrowne/linux.html
Oddly enough, this is completely standard behaviour for shells. This
is a roundabout way of saying `don't use combined chains of `&&'s and
`||'s unless you think Gödel's theorem is for sissies'.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
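As an added illustration of the "local only" default argued for in the message above (this is not code from the thread or from MySQL), a small POSIX shell audit: one function lists every listening socket that is bound to something other than loopback, using constructed `ss -ltn`-style lines as input, and a second checks whether a `my.cnf` fragment confines `mysqld` to local access with `skip-networking` or a loopback `bind-address` (both real MySQL options; the sample config fragments are constructed).

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:5432         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::1]:6379           [::]:*'

# Print every LISTEN socket (ss-style lines on stdin) whose local address
# is not loopback, i.e. every service reachable from the network.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        sub(/:[^:]*$/, "", addr)       # strip the trailing :port
        gsub(/\[|\]/, "", addr)        # strip IPv6 brackets
        if (addr !~ /^127\./ && addr != "::1") print $4
    }'
}

# Number of exposed listeners in the sample, as a checkable value.
count_exposed() {
    printf '%s\n' "$SAMPLE" | exposed_listeners | wc -l | tr -d ' '
}

# Read a my.cnf on stdin; succeed (exit 0) only if the [mysqld] section
# restricts MySQL to local access via skip-networking or a loopback
# bind-address, which is the "local only" default the message argues for.
mysql_local_only() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section) }
        section == "[mysqld]" && /^[ \t]*skip[-_]networking/ { ok = 1 }
        section == "[mysqld]" && /^[ \t]*bind[-_]address[ \t]*=[ \t]*(127\.0\.0\.1|::1|localhost)[ \t]*$/ { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Constructed configuration fragments: the network-exposed form and the fix.
EXPOSED_CNF='[mysqld]
bind-address = 0.0.0.0'
LOCAL_CNF='[mysqld]
bind-address = 127.0.0.1'

printf '%s\n' "$SAMPLE" | exposed_listeners
printf '%s\n' "$LOCAL_CNF" | mysql_local_only && echo "mysqld: local only"
```

On a real host the same check is `ss -ltn | exposed_listeners` and `mysql_local_only < /etc/my.cnf`; anything the first function prints that you did not knowingly expose is exactly the "hole you are unaware of" described above.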