More downtime: this time Drupal.org’s database can’t take any more connections
Seems like I’m running into problems on the Web everywhere I go. Over the weekend it was an Amazon S3 failure that took down several sites. Yesterday it was Facebook’s redirection loop that made the site inaccessible for roughly an hour. Today it’s the Drupal Web site, which seems to be experiencing a problem with an overloaded MySQL database. I hope the good folks behind Drupal.org can fix the problem soon — this doesn’t help the organization defend against claims that Drupal is resource-intensive and hard to scale.

As for the error message itself, it’s particularly troubling that it tells you:
- the type of database
- the name of the database user
- the hostname for the database server
Granted, you probably could have guessed that Drupal.org was running on a MySQL database, but now everyone has three of the four pieces of information you need to access the database and a hacker can focus on guessing the last piece: the password.
There are two lessons here. First, your Web application’s error messages shouldn’t reveal any details about the underlying system to anonymous users. All your site visitors need to know in a case like this is that there was an internal error that makes the site inaccessible for the time being. Second, limiting your database connections to specific IP addresses (which Drupal.org may well have done) can add an extra layer of security even if the other info gets out.
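To make the first lesson concrete, here is an added example (not Drupal's own code) that contrasts a connection handler that echoes the driver error to the visitor with one that logs the details server-side and returns a generic 503. The function names, hostname, user and password are placeholders made up for illustration.

```php
<?php
// Added example. All names and connection values below are constructed placeholders.

ini_set('display_errors', '0'); // never render PHP errors into the page
ini_set('log_errors', '1');     // keep the details in the server log instead

// Leaky pattern: the driver's message goes straight to the visitor.
function connect_leaky(string $dsn, string $user, string $pass): PDO
{
    try {
        return new PDO($dsn, $user, $pass);
    } catch (PDOException $e) {
        // Discloses the database type, the user name and the server hostname.
        die('Database error: ' . $e->getMessage() . " ($user @ $dsn)");
    }
}

// Hardened pattern: details go to the log, the visitor gets a generic 503.
function connect_quiet(string $dsn, string $user, string $pass): PDO
{
    try {
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Random reference so a visitor's report can be matched to a log line.
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf('[db-connect ref=%s] %s', $ref, $e->getMessage()));
        if (!headers_sent()) {
            http_response_code(503);
            header('Retry-After: 300');
            header('Content-Type: text/plain; charset=utf-8');
        }
        echo "The site is temporarily unavailable. Please try again later. (ref $ref)\n";
        exit(1);
    }
}

// Second lesson, on the MySQL side: define the account as
// 'app_user'@'<web server IP>' rather than 'app_user'@'%'.
$pdo = connect_quiet(
    'mysql:host=db.example.internal;dbname=app',
    'app_user',
    'placeholder-password'
);
```

With no database reachable at the placeholder hostname, the script prints only the generic message and a reference code, while the full driver error lands in the PHP error log.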
My name is Amit Asaravala. I'm an Internet technologies consultant & Web developer located in the San Francisco Bay Area. I specialize in helping organizations build great Web sites on open source technologies.