More than 3.6 million MySQL servers are publicly exposed on the internet, security researchers noted this week.
Shadow Server Foundation researchers reported that they simply issued a MySQL connection request on default port 3306 to see if a server responded with a MySQL Server Greeting, rather than intrusive requests that pentesters use to break into databases.
The results of their experiment were alarming:
- 67% of all MySQL services found are accessible from the internet
- 2,279,908 out of 3,957,457 servers responded with a greeting on IPV4
- 1,343,993 out of 1,421,010 servers responded with a greeting on IPV6
- The countries with the most accessible servers on IPV4 are the United States (740,100), China (296,300), Poland (207,800) and Germany (174,900)
- The countries with the most accessible servers on IPV6 are the United States (460,800), Netherlands (296,300), Singapore (218,200) and Germany (173,700)
In other words, most MySQL servers use default configurations and are thus prone to attacks, which can lead to serious incidents such as massive data breaches and thefts, stolen credentials, or lateral movement across networks.
It’s the kind of compromise that allows attackers to deliver malware, ransomware, or RATs (remote access Trojans), so users and administrators must secure their databases by monitoring the traffic and implementing authentication.
SQL (Structured Query Language) is the most popular language for managing data in relational databases. It’s particularly convenient for executing various queries, creating data schemes, manipulating records, and crosschecking data.
MySQL is a an open source relational database management system that runs as a server. Users and administrators use it to create databases and manage accesses. It’s quite easy to install with a couple of command lines like the following:
sudo yum install mysql-server && service mysqld start
Change MySQL Default Port
The big problem is that default configurations use port 3306 and will likely expose way more of the server than necessary. It’s not a big deal if you install it on your local machine to make some tests, but on live production websites, it extends the attack surface with vulnerabilities.
You should change that port number, for example, to 3333, and disallow external connections from the internet if you don’t need this feature, which represents most cases.
MySQL provides comprehensive guides like this one to deploy your MySQL instance securely. Ensure you read it carefully before putting your organization at unnecessarily high risk.
The Shadow Server Foundation report highlights a classic flaw in computer systems and web architectures. Don’t use default configurations unless you are testing something on your local machine. Live hosts are the first elements hackers will enumerate to prepare their strikes.
Read next: Top Database Security Solutions