> Well if all of this is true, it /should/ be possible to have a secured DB
> access system by using all of these:
> 1. Non-standard access port

That simply requires an attacker to find out what ports are being used, which is usually not difficult.

> 2. Non-standard user names
> 3. Enforced strong passwords that change periodically

Those would both help, certainly, but by themselves would probably not be sufficient.

> 4. Secured tunnel access (SSH, SSL, etc.)

That would secure access to the database to a sufficient degree for most uses, as long as access can't be gained through brute-force attacks.

> 5. Any other security practices I'm forgetting

One of those "other security practices" is, don't allow direct access to your database.

> A few folks in this thread have mentioned 'big name' ISPs that allow
> remote DB administration, so it must not be considered a big security
> risk. Either that, or money talks! ;)

I would go with "money talks", actually. There are a lot of reasons why they allow it, I'm sure.

First of all, most shared hosting customers are probably not that concerned with security. Most probably don't have sensitive data. Most would rather be able to connect to their database server. It's ok to value convenience over security, as long as you're aware of the trade-off you're making.

Second, the security concerns of you and your ISP may differ somewhat. Your ISP is probably more concerned that their servers will be rooted. You may be more concerned about the integrity of your data. Granting remote access to your database may not be a security issue for your ISP, even if it is for you - this would depend on how the database server itself is configured.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:224372
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4

