On Mon, 2003-01-27 at 22:35, der.hans wrote:
> On 28 Jan 2003, George Toft chattered thus:
>
> > When you drive that car in the sand, and it gets stuck, maybe it's not
> > Ford's fault? Why, oh why, does anyone put a database server with any
> > interface exposed to the Internet? WTF are these people thinking? The
> > spread of the worm is not Microsoft's fault (directly) - it is the fault
>
> It is directly m$'s fault. m$ quietly installs m$sql for several software
> packages. It's part of their m$de that's reportedly installed for certain
> releases of packages like Visio, m$ Project, and m$ Office. So not only does
> it default to a bad setup, but people don't even know it's installed. They
> should know, but that's discouraged in the m$ce world...
>
> > of whoever put together the architecture that puts a database on the
> > Internet without a couple of firewalls and an app server in front of it.
> > That is probably caused by the Cracker Jack Box MCSEs that are
> > clueless about security, which *is* Microsoft's fault as their
> > curriculum doesn't (or didn't anyway) discuss basic security.
>
> That and they have traditionally made it difficult to find out what's
> running on the box.
>
> > I have a database server and an LDAP server. There are two firewalls
> > between the Internet and the databases. And this is my home network!
> >
> >
> > And that Finnish car? Hmmm... let's see, I discovered and reported two
> > security exposures/vulnerabilities two weekends ago in SSH and MySQL.
> > One allows you to remotely discover the root password on a system
> > configured to block root logins, and the other allows you to recall
> > administrator commands (which may contain passwords) as a regular user.
> > I also discovered you can ftp into an account using Midnight Commander
> > without presenting the credentials if you logged in once before. Some
> > may call it a convenience - I call it a gaping hole. This is corrected
> > in the current release.
>
> I won't claim Free Software is free of bugs or security holes. The
> databases (PostgreSQL and MySQL at least), however, no longer listen for
> network connections by default.
>
> Also, for the last SSH update, did it require me to get the MySQL patch as
> well? Did it require me to allow the SSH developers to break into my box
> anytime they feel like it?
>
> As for all the worms against m$, build it (shoddy security infrastructure)
> and they (script kiddies and worms) will come.
>
> > As I see it, each manufacturer has their own set of problems - it's up
> > to us as intelligent architects to not do stupid things with our cars.
>
> I agree it's up to us to know what we're doing with our boxen. That's
> generally encouraged in the *NIX world, but not for the m$ or Mac.
>
-----
If the packager for MySQL or PostgreSQL (like Red Hat) has it by default
listening on the network ports, then it's listening. You may very well be
right about downloading and compiling from the source at the project
locations not listening on network ports. Red Hat has spent a fair amount
of time and thought toward keeping all this stuff off / local when it's
installed, causing you to learn how to turn it on.

The complaint about Microsoft is that they really don't offer much in terms
of packet filtering, and nothing in terms of a tool to use the built-in
packet filtering, so to hang it out on the Internet you should probably
purchase a professional firewall package, which many businesses are
unwilling to do. They're like honey pots, much like the first Red Hat
servers I put out, not realizing how vulnerable some of the open ports
were. I found out in a hurry that you have to block the ports used by BIND
or you will get smoked. I'm not convinced that you can stay up to date
enough with that service exposed to the Internet.

Reminds me of a situation that I recently had with a group of attorneys
that I had for a client. They had a trial in Las Vegas, and so I went up
there and set up a network for their temporary office, using Linux to
create a VPN from their Scottsdale office to the Vegas war room. After I
left, they wanted to do something different, because I wouldn't put NetBIOS
on the Internet for them to access from their apartments and only allowed
them access via ftp, restricting via the firewall and
/etc/hosts.allow and /etc/hosts.deny. They then turned to a Windows guy in
Las Vegas who hung a Win2K server out on the Internet. I tested it and
found 52 ports open, compared to 2 ports on the Linux box; nmap -O scan
time was about 40 seconds for the Win2K box and over 9 minutes for the
Linux box. I gagged and told them that they should just copy their hard
drive and give it to their trial opponents rather than waste all the
bandwidth allowing their opponents to grab it through the loose Windows
computer naked on the Internet. The guy 'tightened' it up and got it all
the way down to 27 open ports. Thankfully, trial is over now.

It isn't Microsoft's fault; they are leaving firewall / packet filter
security to a 3rd party solution, I'm sure quite intentionally, and it's
bad for their reputation. Let's not forget, if Linux gets too popular,
there will be more effort made at exploitation.

Craig
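The recurring point of the thread is a database (MSDE's bundled SQL Server, a distro-packaged MySQL or PostgreSQL) listening on a network interface without the owner knowing. The script below is an added example, written for this page and not posted by anyone in the thread; it audits a socket listing for exactly that condition. It assumes `ss -Hltn` (or `netstat -ltn`) style input on stdin and treats 3306, 5432 and 1433 as database ports; the sample lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: flag database listeners bound to a
# non-loopback address, i.e. reachable from the network.  Feed it the
# output of `ss -Hltn` (or `netstat -ltn`) on stdin.

# Ports treated as database services (assumption for this example):
# MySQL, PostgreSQL, MS SQL Server / MSDE.
DB_PORTS="3306 5432 1433"

# exposed_db_listeners: reads socket lines on stdin and prints
# "<port> <bound-address>" for each database port that is bound to
# something other than loopback.  Both ss and netstat put the local
# address in the first "addr:port"-looking field, so one parser serves both.
exposed_db_listeners() {
    awk -v ports="$DB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    /LISTEN/ {
        laddr = ""
        for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { laddr = $i; break }
        if (laddr == "") next
        port = laddr; sub(/.*:/, "", port)          # text after the last colon
        addr = laddr; sub(/:[0-9]+$/, "", addr)     # text before it
        if (!(port in want)) next
        # Loopback-only bindings are fine; 0.0.0.0, * and [::] are not.
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        print port " " addr
    }'
}

# Constructed sample in `ss -Hltn` format: PostgreSQL bound to loopback only,
# MySQL and MS SQL bound to every interface, sshd on the IPv6 any-address.
SAMPLE='LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:1433 *:*'

# On a live box replace the printf with:  ss -Hltn | exposed_db_listeners
printf '%s\n' "$SAMPLE" | exposed_db_listeners
```

Run against the sample it reports `3306 0.0.0.0` and `1433 *` and stays silent about the loopback-only PostgreSQL, which is the bind that the thread says modern packages default to. Anything it does report needs one of the fixes discussed above: rebind the service to 127.0.0.1, or keep it listening and restrict who can reach it with the packet filter and tcp_wrappers (`/etc/hosts.allow` and `/etc/hosts.deny`) as Craig did for the ftp access.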