Re: MySQL Security Risk?
From: Brian C. Lane (bcl_at_marvin.home)
Date: 08/27/04
- In reply to: Jose Maria Lopez Hernandez: "Re: MySQL Security Risk?"
Date: Fri, 27 Aug 2004 03:02:17 -0000
In article <eGBWc.104990$r4.2688081@news-reader.eresmas.com>, Jose Maria Lopez Hernandez wrote:
> Neil wrote:
>> Hi All,
>>
>> I'd like to install MySQL and PHP onto my server that's hosted in a POP on
>> the internet. No, I have no firewall on the machine, but I only have the
>> SSH, FTP (chrooted, no real users) and APACHE services running. I trust
>> these services (rightly or wrongly).
>>
>> Now MySQL has been around for ages and I was wondering if it is secure
>> enough to run on an open server? I understand that you can limit access to
>> users at specific IP addresses, but is this service still vulnerable to
>> attack?
>>
>> I'd greatly appreciate your views.
>>
>> Neil
>>
>>
>>
>
> In my penetration tests with Nessus and some exploits it looks pretty
> strong. You should be more worried about Apache, which is much more
> problematic. At least that's my point of view.
>
>
MySQL has had some pretty serious security problems in the past (I
seem to remember one where the password checking code used the length of
the supplied password to control the check...)
I would use iptables to block external access to port 3306, and if any
external apps need to access it you can set up an SSH tunnel from the remote
machine so that the connection is protected.
Brian
--
---[Office 73.3F]--[Fridge 38.6F]---[Fozzy 93.5F]--[Coaster 73.2F]---
Linux Software Developer http://www.brianlane.com
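The setup suggested in the reply above, written out as an added example that is not part of the original post: iptables rules that leave port 3306 reachable only over loopback, the SSH tunnel a remote application would use instead, and a check that reports any non-loopback MySQL listener. It assumes a Linux host with iptables and `ss`; the function names, the SSH login and the sample `ss -ltn` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: Linux with iptables,
# mysqld on TCP 3306, and a placeholder SSH login passed in by the caller.
MYSQL_PORT=3306

# Run as root on the server: allow loopback, drop everything else to 3306.
# iptables covers IPv4 only; repeat with ip6tables if the host has IPv6.
lock_down_mysql() {
    iptables -A INPUT -i lo -p tcp --dport "$MYSQL_PORT" -j ACCEPT
    iptables -A INPUT -p tcp --dport "$MYSQL_PORT" -j DROP
}

# Run on the remote machine: forward local 3306 to the server's loopback 3306.
# $1 is the SSH login, e.g. user@db.example.org (placeholder).
open_mysql_tunnel() {
    ssh -N -L "$MYSQL_PORT:127.0.0.1:$MYSQL_PORT" "$1"
}

# Read `ss -ltn` output on stdin and print every non-loopback address
# on which the MySQL port is listening. No output means loopback only.
exposed_listeners() {
    awk -v p="$MYSQL_PORT" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != p) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
        }'
}

# Constructed sample of `ss -ltn` output for a host with mysqld on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    [::1]:3306         [::]:*'

# On a live host: ss -ltn | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

With the tunnel open, the remote application connects to 127.0.0.1:3306 on its own machine rather than to the server's public address.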