Do you allow remote MySQL access?

Poll: Do you allow remote MySQL access?

  • Yes: 10 votes (43.5%)
  • No: 13 votes (56.5%)
  • Not sure: 0 votes (0.0%)
  • Total voters: 23
The same could be said of FTP, POP3, SMTP, IMAP, etc., which are all unsafe protocols.

lol... WTF?

Dude, if someone hacks your FTP or Mail related ports, the worst damage they can do is to overwrite some files (or upload new ones) or send a couple of emails or what not. Easily restored and very easily secured (you need to be a total dumb-ass to not know how to secure those ports properly). If your FTP gets hacked and someone overwrites a few files. Awesome, just do a quick restore. But if someone ****s with your database... eina boet... that has a bit more of an implication on you (the host) and your client's data and time/effort going into backups and several other restore procedures required for databases.

I'm pretty sure you don't backup your databases every minute of every day, so you WILL LOSE data (especially if it's mission critical like e-commerce related) if your database gets hacked because you left the ports open. You will also lose credibility as a host for having to constantly restore data from an older backup each time... and trust me, restoration (and/or response time on restoring the data) is a son of a bitch.

But dude, why even ASK us these questions if you clearly made up your mind what you want to do, and have ill-informed opinions on other protocols on the internet... just go ahead and open the ports. It's a risk you're willing to take obviously and we're not saying anything bad WILL happen, but I know for a fact if a hot chick opens up her legs to me I won't hesitate to bump uglies... even just for fun. You get a lot of *******s out there wanting to destroy **** just cause they can. Opening yourself up to that is looking for trouble.

To give you a simple idea, the RDP port was open on my server, and even though I followed security protocols regarding non-standard administrator logins etc., I got hammered by a brute force attack trying to crack my password (even though there was no chance in hell they could even guess the administrator username I was using). I simply made a call and closed the firewall to privileged IPs only and was done with it.

But anyway, like I said, you made up your mind. You obviously want to take the risk. Go for it. Just don't come crying to us because I'll certainly tell you "I told you so".
 

heh, you clearly misread the whole thing. The main reason some people don't open up MySQL is cause the password is sent in clear text. The same with FTP, POP3, SMTP & IMAP (i.e. not FTPS, POP-over-SSL, SMTPS, IMAPS). So, in probably about 99% of all hacking / cracking cases, if someone gets the SMTP / POP3 / FTP password (think about a client who quickly uses an iCafe to upload his website changes via FTP and there's a keylogger installed, or he's got a trojan on his PC), then chances are the MySQL password would be the same one. You, and I, and maybe 10 other uber geekz on this forum, might have a different MySQL password than an FTP password, and again another POP3 / SMTP password. Normal people who don't know too much about this but pay a developer to develop their sites use the same password on all of these since it's the same account (forget about your uber secure server for a moment, I'm talking about shared hosting clients).

Besides, if a cracker got into FTP, then he got the MySQL password as well and will probably install a simple web-based MySQL management script and cause the same problems. Or do you use some one-way authentication between your web application and MySQL server which isn't human readable once you set it up?

In a shared hosting environment (from a host's perspective), this is totally different from the WAMP / LAMP server you have at home. We have thousands of clients spread over thousands of servers. Can you imagine the support overhead it causes when we need to open up their IP every time a developer wants to work with Navicat, or even sync the DB to a backup / production server on a regular basis?

P.S. How old are you? You talk like a minor, so I take your post (advice?) with very little authority.
 
Why do you think they are safe protocols? If you raise this question then you probably have something to say about it?

You have answered your own question, these protocols are safe. The least safe part is the authentication. This is very easily overcome with TLS or SSL, but the actual authentication being sniffed is fairly unlikely. I have never once felt at risk over an authentication done in a non-secure manner.
 

but your initial reply made me think that they're safe in design, while they're not. They're all plain-text-authentication type protocols. In context, Kloon's statement of full access to the database is void since the DB is normally stored in a PHP file accessible via FTP. So whether someone cracks the MySQL, FTP or SMTP password doesn't make much difference since they're all plain text. That's what I was trying to bring across. SMTPS / FTPS is a different story, and one could possibly run MySQL over VPN, but that's a different ballgame altogether.
 
What I would do is lock down the account by default and offer only localhost. When a new account is generated, add in a basic automated script that will give the user the ability to have remote access and a disclaimer that if anything goes wrong it is their problem. That way the majority is locked down by default and considerably safer, all system accounts will have no exposure and only the accounts by choice will have external access. Just a thought.
 

cPanel already does it like that :)
But I still need to open the ports for it to actually work, and wanted to know who else has opened the ports on a shared server & what issues arose from it. The kids, and uber l33t geekz on this forum clearly don't have this kind of experience, but I got some nice feedback from more mature forums elsewhere.
 
I would be interested to know what the feedback you received was.
 
heh, you clearly misread the whole thing. The main reason some people don't open up MySQL is cause the password is sent in clear text.
P.S. How old are you? You talk like a minor, so I take your post (advice?) with very little authority.

Two things you need to learn:

a) I don't give a **** what you think of me or if you follow my advice or not, it's not my ass at the end of the day, it's yours. So if thousands upon thousands of clients lose their data. **** you. I tried steering you in the right direction from my experience in the last 10 years managing a dedicated server with a handful of websites on it and a shared server with several hundred websites on it. The shared server being the one people tried compromising most often due to its exposure to the internet.
b) You have no clue about security, it's your own ignorance not making you see this.

Yes, one of the reasons why you wouldn't want to open your database server (regardless of which server it is) is because of authentication. This is why I ****ing told you to use the API method and/or phpMyAdmin. And as pointed out, you can use SSL to actually secure it more so that sniffers/trojans can't catch the dumb ******* accessing his mission critical data from an internet cafe or public computer. But not even that is secure enough and won't stop anyone from trying a brute force crack on your database server when the ports are open.

Any security specialist (and I know quite a few) would tell you that closing the ports is the only way of securing a machine, I think I remember someone saying "the most secure computer in the world is one that is not connected to anything"

I may talk like a minor with little authority, but **** you buddy, I don't give a **** (see a)... trying to help an illiterate trying to read and refusing said education keeping them illiterate... well, I know when to stop wasting my time. And I can't believe people like you actually have a job where clients trust your judgement in keeping their **** safe (or get paid to do so).

Go take a security 101 class sometime *******
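Two posts above suggest the same defensive pattern: keep every account on localhost by default, grant remote access per account only on request, and when you do, require an encrypted connection so the password is not sent in the clear. The MySQL statements below are an added example written for this thread, not code from any poster or from cPanel. The account name acct_example, the database acct_example_db and the developer's address 203.0.113.10 are constructed placeholders; the syntax is MySQL 5.7/8.0 and the statements are run as an administrative user.

```sql
-- Added example (not from the thread). Assumed names: acct_example,
-- acct_example_db, and a fixed developer address 203.0.113.10.

-- 1. Default state for every new account: connect only from the local host.
CREATE USER 'acct_example'@'localhost'
  IDENTIFIED BY 'replace-with-generated-password';
GRANT ALL PRIVILEGES ON acct_example_db.* TO 'acct_example'@'localhost';

-- 2. Opt-in remote access for one account. The host part of the account name
--    pins it to a single source address, and REQUIRE SSL makes the server
--    refuse the login unless the connection is TLS-encrypted, so the password
--    never crosses the network in clear text.
CREATE USER 'acct_example'@'203.0.113.10'
  IDENTIFIED BY 'replace-with-generated-password'
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE
  ON acct_example_db.* TO 'acct_example'@'203.0.113.10';

-- 3. Audit query for the host: accounts reachable from any address, or
--    reachable remotely without TLS being required. If step 2 is the only
--    way remote access is ever granted, this returns no rows.
SELECT user, host, ssl_type
FROM mysql.user
WHERE host = '%'
   OR (host NOT IN ('localhost', '127.0.0.1', '::1') AND ssl_type = '');
```

The firewall still has to allow port 3306 from that one address for the remote account to be usable, so the account scoping and the firewall rule are two layers of the same decision rather than alternatives; the audit query is the cheap check that nobody has since created a wildcard-host account by hand.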
 


Wow, that's rich, and very mature. I'm glad I didn't follow your advice. I DON'T like being sworn at, especially not when I didn't even do anything to you. Do you swear at your clients like this? Do you tell them to go f**k themselves too? I really hope not. Your arrogance might be tolerated on this forum, but in real life many people won't accept it. Just take it as a good business hint :)

P.S. This isn't a server at the bank, and when you reach a point where you manage 1000+ servers we'll talk again ;) I got some good sound advice from a few big USA hosting companies which far exceeds your paradigm.
 