I heard that the web was slow today.

Craig White plug-discuss@lists.plug.phoenix.az.us
27 Jan 2003 23:45:25 -0700


On Mon, 2003-01-27 at 22:35, der.hans wrote:
> On 28 Jan 2003, George Toft chattered thus:
>
> > When you drive that car in the sand, and it gets stuck, maybe it's not
> > Ford's fault?  Why, oh why, does anyone put a database server with any
> > interface exposed to the Internet?  WTF are these people thinking?  The
> > spread of the worm is not Microsoft's fault (directly) - it is the fault
>
> It is directly m$'s fault. m$ quietly installs m$sql for several software
> packages. It's part of their m$de that's reportedly installed for certain
> releases of packages like visio, m$ project, and m$ office. So not only does
> it default to a bad setup, but people don't even know it's installed. They
> should know, but that's discouraged in the m$ce world...
>
> > of whoever put together the architecture that puts a database on the
> > Internet without a couple firewalls and an App server in front of it.
> > That is probably caused by the Cracker Jacks Box MCSE's that are
> > clueless about security, which *is* Microsoft's fault as their
> > curriculum doesn't (or didn't anyway) discuss basic security.
>
> That and they have traditionally made it difficult to find out what's
> running on the box.
>
> > I have a database server and an LDAP server.  There are two firewalls
> > between the Internet and the databases.  And this is my home network!
> >
> >
> > And that Finnish car?  Hmmm... let's see, I discovered and reported two
> > security exposures/vulnerabilities two weekends ago in SSH and MySQL.
> > One allows you to remotely discover the root password on a system
> > configured to block root logins, and the other allows you to recall
> > administrator commands (which may contain passwords) as a regular user.
> > I also discovered you can ftp into an account using Midnight Commander
> > without presenting the credentials if you logged in once before.  Some
> > may call it a convenience - I call it a gaping hole.  This is corrected
> > in the current release.
>
> I won't claim Free Software is free of bugs or security holes. The
> databases ( PostgreSQL and MySQL at least ), however, no longer listen for
> network connections by default.
>
> Also, for the last SSH update, did it require me to get the MySQL patch as
> well?  Did it require me to allow the SSH developers to break into my box
> anytime they feel like it?
>
> As for all the worms against m$, build it ( shoddy security infrastructure )
> and they ( script kiddies and worms ) will come.
>
> > As I see it, each manufacturer has their own set of problems - it's up
> > to us as intelligent architects to not do stupid things with our cars.
>
> I agree it's up to us to know what we're doing with our boxen. That's
> generally encouraged in the *NIX world, but not for the m$ or mac.
>
-----
If the packager for MySQL or PostgreSQL (like redhat) has it by default
listening to the network ports, then it's listening; you may very well be
right about downloading & compiling from the source at the project
locations not listening on network ports. Redhat has spent a fair amount
of time and thought toward keeping all this stuff off / local when it's
installed, causing you to learn how to turn it on.

The complaint about Microsoft is that they really don't offer much in
terms of packet filtering and nothing in terms of a tool to use the
built-in packet filtering so to hang it out on the internet, you should
probably purchase a professional firewall package, which many businesses
are unwilling to do. They're like honey pots, much like the first redhat
servers I put out, not realizing how vulnerable some of the open ports
were. I found out in a hurry that you have to block the ports used by BIND
or you will get smoked. I'm not convinced that you can stay up to date
enough with that service exposed to the internet.

Reminds me of a situation that I recently had with a group of attorneys
that I had for a client. They had a trial in Las Vegas and so I went up
there and set up a network for their temporary office...using linux to
create a vpn from their Scottsdale office to the Vegas war room. After I
left, they wanted to do something different because I wouldn't put
netbios on the internet for them to access from their apartments and
only allowed them access via ftp, restricting via firewall &
/etc/hosts.allow/deny.

They then turned to a Windows guy in Las Vegas who hung a Win2K server
out on the internet. I tested it and found 52 ports open / compared to 2
ports on the linux box...nmap -O scan time about 40 seconds for the
Win2K box and over 9 minutes for the linux box. I gagged and told them
that they should just copy their hard drive and give it to their trial
opponents rather than waste all the bandwidth allowing their opponents
to grab it through the loose Windows computer naked on the internet. The
guy 'tightened' it up and got it all the way down to 27 open ports.
Thankfully, trial is over now.

It isn't Microsoft's fault, they are leaving firewall / packet filter
security to a 3rd party solution, I'm sure quite intentionally and it's
bad for their reputation. Let's not forget, if linux gets too popular,
there will be more effort made at exploitation.

Craig
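The thread's recurring point is that a database packaged to listen on the network by default ends up reachable from the Internet without anyone noticing, and Craig's nmap comparison shows how that looks from outside. The same check can be run from inside the box before anything is "hung out on the internet". The following is an added example, not code from this thread or from any of its posters: a small Python audit that parses `ss -ltn` (or `netstat -ltn`) output and reports listeners bound to a non-loopback address. The port lists (which services are considered local-only, which ports are intentionally public) and the sample output are constructed assumptions for the demonstration.

```python
"""Audit which services are listening on the network, not just loopback.

Added example for this thread (not code from the list or its posters):
parse the output of `ss -ltn` or `netstat -ltn` and flag sockets that are
reachable from the network.  Port lists and sample output are constructed
assumptions for the demo.
"""
import re
import sys

# Services the thread worries about: database and directory servers that
# should only be reachable locally (or via an app server / VPN), never
# directly from the Internet.  Assumed list; extend for your own hosts.
LOCAL_ONLY_PORTS = {
    1433: "mssql",
    3306: "mysql",
    5432: "postgresql",
    389: "ldap",
}

# Ports this host is meant to expose (assumption for the example: ssh and
# ftp, as in the Las Vegas setup described above).  Anything else bound to
# a network address is reported as unexpected.
INTENDED_PUBLIC_PORTS = {21, 22}

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")

# Matches a "Local Address:Port" column such as 0.0.0.0:3306, [::]:22,
# 127.0.0.1:5432 or *:21.  The peer column (e.g. 0.0.0.0:*) has no numeric
# port and therefore does not match.
ADDR_RE = re.compile(r"^(?P<addr>\S+?):(?P<port>\d+)$")


def parse_listeners(output):
    """Return (address, port) pairs for every LISTEN line in ss/netstat output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue  # header line or a non-listening socket
        for field in fields:
            m = ADDR_RE.match(field)
            if m:
                listeners.append((m.group("addr"), int(m.group("port"))))
                break  # first address:port column is the local side
    return listeners


def is_network_bound(addr):
    """True if the socket is bound to something other than loopback."""
    return not addr.startswith(LOOPBACK_PREFIXES)


def audit(output):
    """Return findings for listeners reachable from the network, sorted by port."""
    findings = []
    seen = set()
    for addr, port in parse_listeners(output):
        if not is_network_bound(addr) or port in INTENDED_PUBLIC_PORTS or port in seen:
            continue
        seen.add(port)  # report each port once even if bound on both v4 and v6
        if port in LOCAL_ONLY_PORTS:
            kind, service = "exposed", LOCAL_ONLY_PORTS[port]
        else:
            kind, service = "unexpected", "unknown"
        findings.append({"port": port, "addr": addr, "kind": kind, "service": service})
    return sorted(findings, key=lambda f: f["port"])


# Constructed sample in `ss -ltn` format: MySQL bound to all interfaces,
# PostgreSQL correctly on loopback, and a NetBIOS session port nobody asked for.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     *:139                *:*
LISTEN  0       128     [::]:22              [::]:*
"""

if __name__ == "__main__":
    # Pipe real output in (`ss -ltn | python audit_listeners.py`) or run
    # without input to see the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for f in audit(data):
        print(f"{f['kind']:<10} port {f['port']:<5} on {f['addr']} ({f['service']})")
```

On the sample it reports MySQL on 3306 as exposed and port 139 as unexpected, while PostgreSQL on 127.0.0.1 and the intended ssh/ftp ports are silent. A listener bound to a network address is still only reachable if the packet filter (or /etc/hosts.allow and /etc/hosts.deny for wrapped services) lets the traffic through, so this audit complements an external scan rather than replacing it.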