On Wednesday 16 May 2007 3:36 pm, Phil Oxrud wrote:

> I strongly disagree. It is a very bad idea to keep all of those ports open
> to the public. It is much better to have a VPN link and then access the
> server that way.

It's often infeasible to use VPNs, especially for remote teleworkers. Postgres comms are done over SSL, so the only thing that's really open is the Manager interface, which has read-only access anyway, but I agree with you in principle.

> I set up trixbox at a medium-sized company (120 people) and had it on its
> own public IP. After 2 days it was rooted. I realized this when the machine
> took down the network.

That doesn't tell me anything, unfortunately. Rooted how?

I had an associate who used the same SQL password as their root login and also used webmin. Webmin got compromised through a remote exploit (non-root), but since he used webmin to manage his SQL server, they went through the SQL logs and tried the SQL password as root. Presto! Again, no firewall will protect you in that scenario. A VPN would have helped, yes.

-A.
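The reply above says the Postgres side is exposed only over SSL while a read-only Manager interface stays open. As an added illustration (not configuration from this thread, from trixbox, or from either poster) of what "open, but SSL-only and restricted" looks like on the Postgres side, here is a hypothetical pg_hba.conf fragment. The database name, the `manager` role, the two address ranges and the `trixbox` database are all assumptions; the first block is the weak rule the thread argues against, the rest is the hardened form.

```conf
# pg_hba.conf (hypothetical fragment, added for illustration; names and
# networks are assumptions, not taken from the thread).
# Rules are matched top to bottom; the first matching line decides.
# Field order: TYPE       DATABASE   USER       ADDRESS            METHOD

# --- Weak: the posture the thread argues against ---
# "host" matches both TLS and plaintext connections, from any IPv4 address,
# for every database and every role. Combined with reusing the SQL password
# as the root password, one leaked credential is enough for a root login.
# host       all        all        0.0.0.0/0          md5

# --- Hardened ---
# Local maintenance only over the Unix socket, authenticated by OS user.
# ("peer" needs PostgreSQL 9.1+; older releases spelled it "ident sameuser".)
local        all        postgres                      peer

# Refuse any TCP connection that did not negotiate TLS, before a password
# is ever checked. Requires ssl = on in postgresql.conf.
hostnossl    all        all        0.0.0.0/0          reject

# Remote teleworkers: TLS required, one role, one database, and only from
# the address ranges they actually connect from (assumed example ranges).
# md5 is what 2007-era releases offered; use scram-sha-256 on PostgreSQL 10+.
hostssl      trixbox    manager    198.51.100.0/24    md5
hostssl      trixbox    manager    203.0.113.0/24     md5

# Anything else over TLS, from anywhere, is still rejected.
hostssl      all        all        0.0.0.0/0          reject
```

Two caveats a practitioner would check: pg_hba.conf only decides who may connect and how they authenticate, so "read-only" for the `manager` role has to come from the privileges granted to that role, not from this file; and a `hostssl` rule is only meaningful if `ssl = on` is set and `listen_addresses` actually binds the public interface, otherwise the rule never matches anything.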
