Re: WAS: MariaDB install any different for OpenBSD 7.5 than 6.4? NOW: 0.0.0.0 Exploit Impact OpenBSD?

On Sun, Sep 01, 2024 at 05:09:14PM -0400, David Colburn wrote:
> /I don't know if this is the correct way to fork this specific question from
> /
>
> /the prior thread but thought it might be of interest to others./
>
> *WAS*: MariaDB install any different for OpenBSD 7.5 than 6.4?
>
> *NOW*: 0.0.0.0 Exploit Impact OpenBSD?
>
> > > 3. Is this address the same as for the machine?
> > >
> > > e.g. "bind-address=192.168.50.xxx"?
> > >
> > >
> > > 3. That's the addresses where the server daemon will listen to for
> > > connections from clients. It has to be the address of one of the
> > > machine's interfaces. See previous messages on the thread, to decide
> > > whether you want it to listen on a loopback interface, or on an
> > > egress interface. Set this option to 0.0.0.0 to listen on all
> > > available interfaces.
>
> I was searching to learn about using a specific machine interface vs 0.0.0.0
>
> and came upon this from August 7, 2024 ...
>
> https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
>
> Although they don't specifically mention OpenBSD is it correct that:
>
> A. Using 0.0.0.0 in my server settings may be less-secure?
>
> B. That in the near future it won't work at all?
>
> C. I'm misunderstanding the article and it's not relevant to my server
> setup?
>
> Thanks!

Will your database server receive connections from other machines? If
not, then this is irrelevant.

Having the server listening on an interface that other hosts on your
network can connect to will only be a security issue if you expect
someone on that network to be openly hostile. It depends on how much
you control/trust that network. And remember there is always pf, if you
want to narrow down the host that can connect to your machine.

My advice: don't overthink things. Make sure you keep things as simple
as possible, so that you entirely understand the mechanics of what you
have built. This will make it a lot easier when you need to change
things in the future.

Oh, and I cannot stress this enough: *document everything you do*. I
usually create a simple markdown file onto which I copy every command
issued, every change to a configuration file, etc, along with comments
explaining why you did it. (Apologies in advance if I sound
patronizing, it's just that you come across as being a bit inexperienced
in this kind of thing).


--