26

Who fucking leaves port 3306 open to the fucking internet? You're a medical practice too.

Comments
  • 6
    Who uses 0.0.0.0 or * for a bind address...

    Dumb.

    Even dumber when it's a local multi service setup, sockets for the win.

    But that would mean thinking about how things talk to each other and about things like least privilege and security....

    Ain't nobody got time for that.
  • 3
    Who even uses ports when it isn't meant to be accessible from other machines anyways?!

    Unix domain sockets exist.
  • 2
    Leaving a port open shouldn't matter whatsoever if you use strong authentication practices.

    Closing off the port is only recommended to beginners as a catch-all nuclear option because they know someone with a two year degree is gonna set up a MySQL database for someone with all privileges and make the password "MySQL123"
  • 1
    I do. It's routed to my RPi honeypot, with with root password set to pa$$w0rd and bandwidth restricted to 1kb/s.
  • 0
    What is special about that port?
  • 0
    I've connected to many servers on the mysql port but they all do hostname verification.

    Edit: would you forward it trough ssh or something?
  • 0
    @theKarlisK Doesn't really look like that question got much attention - neither negative nor positive: https://stackoverflow.com/questions...
  • 1
    @retoor from a security perspective, DNS resolution is an common enemy...
  • 0
    @theKarlisK which is why shit overflow and click bait cringe like medium should be banned . XD
  • 1
    @theKarlisK You are right. Somehow, tutorials and QA articles tend to just skip the most important part of programming. They always tell, how to make it do what it should - but no one seems to care about preventing it from doing what it it shouldn't. But that is more a general people issue - not one of StackOverflow, which i really like to go to because it often provides the best answer and crowd-curates the good stuff to the top. I often even skip the googling part and go straight to the appropriate StackExchange site - because that actually is where the quality answers are. Somehow the aggressive voting has the same effect like the toxic admin culture on Wikipedia: It somehow makes the site a great source of information...

    The real problem is people not getting, that a lot of information has a shelf life and that you still have to do your homework when using it.StackOverflow doesn't make you a programmer - but answers your very specific questions when you already are one.
  • 1
    Who leaves port 443 or 22 open and it's a medical practice too? Answer is is a valid service that can be secured. If possible it's better to limit the attack vectors but an open port is not necessarily a security hole.

    They may need to do this if there is not a VPN/SSH setup. Or an old fashioned client application that needs to connect to the database.
    This is fine as long as certificates and strong policies are used.

    Also if you only rely on your port not being accessible you are doing it wrong.
  • 0
    Hmmm I have a mailserver with various porta open to the internet, am I dumb?
  • 0
    A bit longer explanation...

    The most basic security is to let anything that doesn't need to be reachable from "outside" run on loopback.

    Because then it will *never* be reachable from the outside.

    Firewall Oopsie? Still not reachable.
    Unexpected Firewall bug? Still not reachable.

    It's as simple as that.

    Yes, there are certain services which need to be reachable from the outside.

    SSH and HTTP are a good example.

    But.. if you use e.g. Cloudflare or another "edge" thingamabob, you can configure FW to block all non CF IP ACLs and additionally set up in your local load balancer an ACL validating that the src IP is from CF.

    Redundancy is key. I had too many oopsies in my life to count.

    So much to security in regards of firewall / access .

    But there's another important aspect: Unencrypted data traffic.

    Which is the primary reason one should always at least bind to loopback.

    RDBMs / Redis / ... etc. send unencrypted data - unless you explicitly enable TLS. TLS means overhead.

    DNS checks for DNS based ACLs means overhead.

    TCP / IP instead of sockets means latency AND overhead.

    These 3 things are another reason why one should prefer loopback / sockets. It's the most direct communication available.

    I mentioned a few times bugs....

    Anyone remembers the MySQL 5.5 bug ala 100 times failed login and you're logged in successful...?

    https://bugs.mysql.com/bug.php/...

    These things aren't so rare...

    If you use a database connection via SSH, so SSH login via keybased auth only, then connect to 127.0.0.1... all these problems are gone.

    Data is encrypted. End to end.
    Authentication is centralized. Via authorized_keys.
    SSH isn't bugfree, but unless you really fuck up the config, it's unlikely to have such grave bugs.

    Centralizing auth is also good to prevent configuration oopsies...

    As you have to just configure one auth, not number of services * auth.
Add Comment