FYI: Password flaw leaves MySQL, MariaDB open to brute force attack


FYI: Password flaw leaves MySQL, MariaDB open to brute force attack

Jonathan Guthrie-3
Password flaw leaves MySQL, MariaDB open to brute force attack
http://www.theregister.co.uk/2012/06/11/mysql_mariadb_password_flaw/

A basic flaw in the password software used by MySQL and MariaDB allows a brute-force attack to bag the password and gain full root access in a few seconds, according to details published by security researchers.

...
OK, so I'll repeat some of what I said at my LDC presentation on security:
Reduce your attack vectors.
- Do NOT have port 3306 open to the world.
If you have a hardware firewall, use it.
- If you don't have a hardware firewall in front of your servers, get one.
- If you don't know about hardware firewalls, ask about it.
Even though you have a hardware firewall, use your host OS's built-in firewall.

And, update your MySQL to a safe version.
For example, on Ubuntu 12.04 MySQL 5.5.24 is available and it looks like that's patched according to the article, although I will be looking to confirm.

Jono

----------------------------
Jonathan Guthrie
[hidden email]
LassoSoft Inc.
+1 888-286-7753 ext 708

#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
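An added example (not from the thread or from LassoSoft): a small POSIX shell audit that flags a MySQL config whose bind-address exposes mysqld on every interface, and prints iptables rules that allow TCP/3306 only from an allow-list of application servers. The config file paths, the sample configs and the CIDRs are constructed for the demo.

```shell
# Added example, not from the thread. Audits a MySQL config for a world-facing
# bind-address and prints host-firewall (iptables) rules that allow TCP/3306
# only from an allow-list of application servers. File paths, the sample
# configs and the CIDRs below are constructed for the demo.

# Return 0 if the config makes mysqld listen on every interface: an explicit
# 0.0.0.0 / :: bind-address, or no bind-address at all (MySQL's default).
# Commented-out lines are ignored; the last definition wins, as in MySQL.
mysql_listens_on_all_interfaces() {
    cfg="$1"
    addr=$(sed -n 's/^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*//p' "$cfg" \
           | tail -n 1 | sed 's/[[:space:]]*$//')
    case "$addr" in
        ""|0.0.0.0|::) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print rules that accept 3306 only from the listed CIDRs and drop the rest.
# Usage: mysql_firewall_rules "10.0.1.0/24 10.0.2.5/32"
mysql_firewall_rules() {
    for cidr in $1; do
        printf 'iptables -A INPUT -p tcp --dport 3306 -s %s -j ACCEPT\n' "$cidr"
    done
    printf 'iptables -A INPUT -p tcp --dport 3306 -j DROP\n'
}

# Constructed sample configs: one exposed to the world, one loopback-only.
demo_dir=$(mktemp -d)
printf '[mysqld]\nbind-address = 0.0.0.0\n' > "$demo_dir/open.cnf"
printf '[mysqld]\n# bind-address = 0.0.0.0\nbind-address = 127.0.0.1\n' > "$demo_dir/local.cnf"

if mysql_listens_on_all_interfaces "$demo_dir/open.cnf"; then
    echo "open.cnf: mysqld reachable on all interfaces; apply host firewall rules:"
    mysql_firewall_rules "10.0.1.0/24 10.0.2.5/32"
fi
```

The rules are printed rather than applied so they can be reviewed first; a hardware firewall in front of the host should carry the same allow-list.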

Re: FYI: Password flaw leaves MySQL, MariaDB open to brute force attack

John Morris-3
So... what is a decent and decently priced hardware firewall?
We are only using software ones.

 - John Morris


Re: FYI: Password flaw leaves MySQL, MariaDB open to brute force attack

Marc Pope-2
Vyatta is a good one. It runs on any PC hardware and is free. They have commercial versions.

For an all-in-one, easy-to-use solution I'd recommend SonicWalls.

Marc

On Jun 12, 2012, at 12:39 PM, John Morris <[hidden email]> wrote:

> So... what is decent and decently priced hardware firewall?
> We are only using software ones.
>
> - John Morris

Re: FYI: Password flaw leaves MySQL, MariaDB open to brute force attack

Jonathan Guthrie-3
In reply to this post by John Morris-3
Juniper in the upper range, Zyxel in the midrange (had good success with the ZyWall range in the past), and Sonicwall at the cheaper end.

FWIW, I do not suggest you cut corners with firewalls; don't buy something cheap just because it's cheap.


On 2012-06-12, at 12:39 PM, John Morris wrote:

> So... what is decent and decently priced hardware firewall?
> We are only using software ones.

Jono

----------------------------
Jonathan Guthrie
[hidden email]
LassoSoft Inc.
+1 888-286-7753 ext 708


Re: FYI: Password flaw leaves MySQL, MariaDB open to brute force attack

Ke Carlton-3
In reply to this post by Marc Pope-2
+1 for Sonicwalls — great value for money.

On 12 June 2012 17:45, Marc Pope <[hidden email]> wrote:
> Vyatta is a good one. It's runs on any pc hardware and free. They have commercial versions.
>
> For all in one easy to use solution id recommend SonicWalls.
>
> Marc

Re: FYI: Password flaw leaves MySQL, MariaDB open to brute force attack

Carl Ketterling
In reply to this post by Marc Pope-2
I *really* like pfSense.  It's similar to Vyatta, but I think it's
easier to use/maintain.

Carl

In response to this text from Marc Pope ([hidden email]) sent on
Tuesday, June 12, 2012 at 12:45 PM (-0400):

>Vyatta is a good one. It's runs on any pc hardware and free. They have
>commercial versions.
>
>For all in one easy to use solution id recommend SonicWalls.
>
>Marc

Re: FYI: Password flaw leaves MySQL, MariaDB open to brute force attack

Wade Maxfield
On 13/06/2012, at 4:53 AM, Carl Ketterling wrote:

> I *really* like pfSense.  It's similar to Vyatta, but I think it's
> easier to use/maintain.

I haven't any experience with current hardware firewalls or Vyatta, but I've been using pfSense for the last few years and it's been working great. Running on an older rack-mount Athlon64 X2 it doesn't break a sweat, and it runs on nearly anything, so you can always download it and play with it for a while on whatever PC you have lying around. You just need a second ethernet port/card.

 - Wade

