FAQ: Security scan flags Firebird 'sysdba' password

Question: After installing or upgrading to RPM 6.0, a security scanner reports that the Firebird service is accessible using the default password. Can the default password be changed?

Answer: The default 'sysdba' password is only needed during initial RPM installation or while performing certain necessary database maintenance tasks.  There are multiple ways to resolve the issue, so your security scanner no longer complains.

Option 1: The least intrusive way to prevent your security scanner from finding this is to configure Firebird to listen on the local address only.  This allows RPM to use Firebird while not allowing any outside connections.  To do so, open the firebird.conf file and locate the line beginning with "#RemoteBindAddress =. "  Next, clear the comment character (#) at the beginning of the line and add 127.0.0.1 at the end, so it looks like the following, and restart the Firebird service.

RemoteBindAddress = 127.0.0.1

Option 2: Another way to secure Firebird against remote access is to remove the Firebird SQL Server firewall exception created during installation.  To do so, follow these steps.

  1. Open Control Panel.  Search for Firewall and click Windows Firewall.  Alternatively, click System and Security, then Windows Firewall.
  2. In the left menu, click Allow an app or feature through Windows Firewall.
  3. If User Account Control is in effect, click Change Settings.
  4. Locate and highlight Firebird SQL Server in the list and click the Remove button.  Confirm that you want the exception to be removed.  You may also temporarily remove the checks from each network type: Domain, Private, and Public. However, doing so may not be possible, in which case you must remove it and then recreate it if necessary.

Note: Regarding options 1 and 2, if you use the RPM GUI to access a remote RPM server, these options will obviously prevent that from working.  Also, if the security scanner and RPM are on the same computer, your security scanner will continue to flag Firebird as being vulnerable.

Option 3: Another security measure we recommend as a last resort is to actually change the 'sysdba' password.  To do so, follow these steps.

  1. Open a command prompt by choosing Run from the Windows Start menu, typing cmd.exe, and pressing OK.
  2. Run the following command: "C:\Program Files\Firebird\Firebird_2_5\bin\gsec.exe" -user sysdba -password masterkey -mo sysdba -pw NewPass1
    Note that you will be prompted for the password during all future upgrades and will need it for database maintenance. Therefore, it might be a good idea to edit the fixdb.bat and shrinkdb.bat files in the RPM install folder and replace masterkey with your new password.
  3. Rerun your security scan and verify the issue is no longer reported.

Things to be aware of during or after changing the password.

  • The text following -mo is the username of the account you wish to modify, and following -pw should be the new password.
  • Firebird may exist in a different location, so please specify the correct path to the gsec.exe file.
  • Be sure to substitute the new password where appropriate.
  • The username is not case-sensitive.
  • The new password can only be a maximum of 8 characters.  Entering a password greater than 8 characters will work, but the new password will be only the first 8 characters of what you entered.
  • The Repair Database option will no longer work if you change the sysdba password.
  • The fixdb.bat and shrinkdb.bat scripts installed with RPM will no longer work if you opt for this option as they use the default sysdba password.  You will need to perform the necessary maintenance manually or update these scripts with the new password.

Note: While RPM doesn't use the default 'sysdba' password except during installation, changing it may create a problem for the next system administrator or prevent them from performing database maintenance or other database-related tasks and result in the loss of your configuration.