Friday, January 28, 2005

MySQL worm?

Builder.AU has an article about a "new" worm that is causing MySQL servers to join a botnet. This shouldn't happen, available patch or no available patch.

If you have MySQL, it's likely that you're running a variant of Linux or *BSD. If you have those, you also have some form of packet filter (iptables, ipfw, ipchains, etc.). Can you think of a valid reason why the entire world needs direct access to a MySQL server? At most, maybe one or two other machines would need the access.

This goes back to securing your network, whether it's an internal or an external network. With just about all *nix machines, you can write filters on each of the boxes that limit access to services. You should write the filters so that only the "normal" users of the system can access them. (Example: only your postmaster should need SSH access to your mail server(s). Everyone else (in your network) gets only port 25 access.)
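Here is what those two per-host filters look like as an iptables script. This is an added example, not from the original post: it assumes the MySQL box only needs to serve two application servers (192.0.2.10 and 192.0.2.11, constructed addresses) and that one admin host (192.0.2.5) is the only source allowed to SSH in; the mail-server function lets the world reach port 25 but restricts SSH to the same admin host. Setting `IPT=echo` prints the rules instead of applying them, which is a cheap way to review a rule set before loading it on a box you are logged into over SSH.

```shell
#!/bin/sh
# Added example (not the post's own code). Host-based packet filters for a
# MySQL server and a mail server, in the spirit of "only the normal users of
# a service can reach it". Addresses below are constructed for illustration.

IPT="${IPT:-iptables}"                      # set IPT=echo to preview the rules
MYSQL_CLIENTS="${MYSQL_CLIENTS:-192.0.2.10 192.0.2.11}"   # app servers (assumed)
ADMIN_HOST="${ADMIN_HOST:-192.0.2.5}"       # the one box allowed to SSH in (assumed)

# Rules shared by both hosts: loopback and replies to our own connections.
base_rules() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT
}

# MySQL box: 3306 only from the listed clients; everything else to 3306 is
# logged (so a scan or a worm shows up in syslog) and then dropped by policy.
build_mysql_filter() {
    base_rules
    for h in $MYSQL_CLIENTS; do
        $IPT -A INPUT -p tcp -s "$h" --dport 3306 -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -p tcp --dport 3306 -m state --state NEW -j LOG --log-prefix "mysql-denied: "
    # Default-deny goes last so we never lock out the session loading the rules.
    $IPT -P INPUT DROP
}

# Mail server: port 25 open to all, SSH only from the admin host (via base_rules).
build_mail_filter() {
    base_rules
    $IPT -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -P INPUT DROP
}

# Count ACCEPT rules for a given port in a previewed rule set read from stdin.
# Useful as a sanity check: the MySQL filter should accept 3306 exactly once
# per listed client and never without a source restriction.
count_accepts_for_port() {
    grep -- "--dport $1 " | grep -c -- '-j ACCEPT'
}

# Usage (preview only):  IPT=echo build_mysql_filter
```

Run with `IPT=echo` first and read the output; once it matches what you expect, run it as root without the override. On a box you reach over SSH, keep the admin-host ACCEPT rule above the default-deny policy, as the script does.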

It's not perfect but it will keep things like MySpool from occurring.