WoTTsecurity / wott-io

Website for WoTT.
https://wott.io
MIT License

Your MySQL instance may be publicly accessible #209

Open fshmcallister opened 4 years ago

fshmcallister commented 4 years ago

We detected that a MySQL instance on {devices} may be accessible remotely. Consider either blocking port 3306 through the WoTT firewall management tool, or reconfiguring MySQL to only listen on localhost.

part of #198

Menmarin commented 4 years ago

Title

Remote access on MySQL instance detected

TL;DR

We detected that a MySQL instance on {devices} may be accessible remotely. Consider either blocking port 3306 through the WoTT firewall management tool, or reconfiguring MySQL to only listen on localhost.

FAQ

MySQL is a powerful database tool used by major corporations worldwide. Such a demand for this tool translates to a demand in attackers breaking into company databases to steal information that could be used to further attack the company (i.e. stealing high level employee details and thus logging into company websites/remote servers and stealing/corrupting company information). For this reason, it is imperative your MySQL instances are up to date with the latest security updates, but also that you do everything possible to limit the opportunities an attacker may have.

Allowing your MySQL instance to be remotely accessible is, in most cases, an unnecessary feature that should be closed. The vulnerabilities it opens up by leaving it open can be devastating. One such attack that is used on open ports is a DOS attack. If an attacker somehow was able to get their hands on login credentials from one of your employees, they could connect to your MySQL through remote access and it wouldn't be flagged as they logged in with the correct credentials. In addition, traffic over MySQL connections is not encrypted, therefore opening the avenue for an attacker to be listening/sniffing the data being transmitted from a remote host to the database.

WoTT firewall management tool has a feature that allows you to block the port 3306, which is the port used by MySQL for remote access. Alternatively, you can reconfigure the MySQL configuration file to only listen on localhost. To do so, find your config file usually located at /etc/mysql/my.cnf and add or edit the following line:

bind-address=127.0.0.1

Please remember to restart your MySQL instance as this will not take effect without doing so.

vpetersson commented 4 years ago

I'm not happy with the FAQ version here. Please refactor this. There's too much fluff in that isn't relevant to the security.

fshmcallister commented 4 years ago

FAQ Rewrite proposal

MySQL remains one of the most, if not the most, popular Relational Database Management System for SQL written databases. As an open-source system, it remains a strong tool for developers to use in database design. By default, remote access is usually disabled. Allowing your MySQL instance to be remotely accessible can leave you unnecessarily vulnerable to attack by human error, such as unprotected remote login, and access via stolen credentials. Additionally, traffic over MySQL connections is not encrypted by default, therefore opening an avenue for an attacker to be listening/sniffing the data being transmitted from a remote host to the database.

WoTT's firewall management tool has a feature that allows you to block the port 3306, which is the port used by MySQL for remote access. Alternatively, you can reconfigure the MySQL configuration file to only listen on localhost. To do so, find your config file usually located at /etc/mysql/my.cnf and add or edit the following line:

bind-address=127.0.0.1

Please remember to restart your MySQL instance as this will not take effect until you do so.

vpetersson commented 4 years ago

> traffic over MySQL connections are not encrypted

by default - it does support it. https://dev.mysql.com/doc/refman/5.7/en/encrypted-connections.html

fshmcallister commented 4 years ago

updated above

a-martynovich commented 4 years ago

@fshmcallister ?

fshmcallister commented 4 years ago

Title

Remote access on MySQL/MariaDB instance detected

TL;DR

We detected that a MySQL/MariaDB instance may be accessible remotely. Consider either blocking port 3306 through the WoTT firewall management tool, or reconfiguring MySQL to only listen on localhost to prevent customer data leakage.

FAQ

MySQL remains one of the most, if not the most, popular Relational Database Management System (RDBMS) databases.

In most configurations, remote access is usually disabled. However, depending on the configuration and environment, it may be necessary to allow network access to your MySQL server (such as if you have other servers on the network talking to the server). In such instances, it is recommended that you configure a locked down firewall policy that only allows access from these servers. Failure to do so may expose your MySQL server to rogue actors on the internet, which may cause leakage of customer data.

WoTT's firewall management tool has a feature that allows you to block the port 3306, which is the port used by MySQL for remote access. If no network access is needed, we recommend that you reconfigure the MySQL configuration file to only listen on localhost. To do so, find your config file usually located at `/etc/mysql/my.cnf` and add or edit the following line:

```
bind-address=127.0.0.1
```

Please remember to restart your MySQL instance as this will not take effect until you do so.

Code Snippet

None at this time.
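The `bind-address` fix described in the FAQ above can be checked and applied mechanically. The following is an added example, written for this page and not code from the WoTT project: it parses a `my.cnf`-style file, classifies the server's network exposure (all interfaces, a specific address, loopback only, or TCP disabled via `skip-networking`), and rewrites the `[mysqld]` section so that it only listens on `127.0.0.1`. It goes a little beyond the single line quoted in the FAQ by also handling the comma-separated address lists that newer MySQL releases accept and the `skip-networking` option. The sample configurations are constructed; `!include`/`!includedir` directives are skipped rather than followed, so on Debian-derived systems you would run it against the included file that actually carries the option (for example the files under `/etc/mysql/mysql.conf.d/` or `/etc/mysql/mariadb.conf.d/`), not only `/etc/mysql/my.cnf`.

```python
"""Classify and harden the network exposure of a MySQL/MariaDB server config.

Added example; not part of the WoTT project. All sample config text is constructed.
"""
import configparser
import ipaddress


def _strip_includes(text):
    # configparser cannot parse MySQL's "!include" / "!includedir" directives;
    # this example deliberately does not follow them.
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!"))


def parse_mysql_config(text):
    """Parse my.cnf-style text. MySQL allows bare option lines such as
    'skip-networking' with no '=', which allow_no_value=True accepts."""
    cp = configparser.ConfigParser(
        allow_no_value=True, interpolation=None, strict=False,
        inline_comment_prefixes=("#",),
    )
    cp.read_string(_strip_includes(text))
    return cp


def _is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def _is_wildcard(addr):
    # '*' (MySQL default when unset), '0.0.0.0' and '::' all mean "every interface"
    if addr == "*":
        return True
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False


def exposure(text):
    """Return 'disabled', 'loopback-only', 'restricted' or 'exposed'."""
    cp = parse_mysql_config(text)
    if not cp.has_section("mysqld"):
        return "exposed"  # no [mysqld] section: server falls back to its default, all interfaces
    sec = cp["mysqld"]
    if "skip-networking" in sec or "skip_networking" in sec:
        return "disabled"  # TCP listener turned off entirely; only the Unix socket remains
    raw = sec.get("bind-address") or sec.get("bind_address")
    if raw is None:
        return "exposed"  # bind-address unset: default is '*'
    addrs = [a.strip() for a in raw.split(",") if a.strip()]
    if any(_is_wildcard(a) for a in addrs):
        return "exposed"
    if all(_is_loopback(a) for a in addrs):
        return "loopback-only"
    return "restricted"  # bound to one or more specific non-loopback interfaces


def set_loopback_only(text, address="127.0.0.1"):
    """Return the config text with bind-address=<address> in [mysqld].

    Replaces an existing bind-address line in that section, otherwise appends
    one (creating the section if the file has none). Other lines are kept verbatim."""
    out, section, done = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if section == "mysqld" and not done:
                out.append(f"bind-address={address}")  # end of [mysqld] reached without a hit
                done = True
            section = stripped[1:-1].strip()
        elif section == "mysqld" and not done:
            key = stripped.split("=", 1)[0].strip().replace("_", "-")
            if key == "bind-address":
                out.append(f"bind-address={address}")
                done = True
                continue
        out.append(line)
    if not done:
        if section != "mysqld":
            out.append("[mysqld]")
        out.append(f"bind-address={address}")
    return "\n".join(out) + "\n"


# Constructed sample configurations (not taken from any real host).
EXPOSED_CFG = """# constructed: Debian-style file with an include directive
!includedir /etc/mysql/conf.d/
[mysqld]
user = mysql
port = 3306
bind-address = 0.0.0.0
"""
LOOPBACK_CFG = "[mysqld]\nbind-address = 127.0.0.1\n"
DISABLED_CFG = "[mysqld]\nskip-networking\n"
UNSET_CFG = "[client]\nport=3306\n[mysqld]\nport=3306\n"

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CFG), ("loopback", LOOPBACK_CFG),
                      ("disabled", DISABLED_CFG), ("unset", UNSET_CFG)]:
        print(f"{name:9s} -> {exposure(cfg)}")
    print(set_loopback_only(EXPOSED_CFG))
```

As the FAQ notes, editing the file does nothing until the server is restarted; a quick way to confirm the result on the host is to check which address the port 3306 listener is bound to (for example with `ss -ltn`) after the restart.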