
Fw: [NOVICE] Couple of PostgreSQL Questions



   I posted out my message this morning to the PostgreSQL-novice list. Below
is the actual message and its reply. Basically in a nutshell:

1. There is no way to "hide" PostgreSQL port 5432 from prying eyes. If I
don't want the world to see it, move it to an internal network server.

2. I *CAN* set it up to accept local connections only and disallow all
others! (I've done this)

3. If I really wanted to be brutal about security I can even force passwords
on the psql command! (suggested as an option)

4. The postgresql.conf file is new for version 7.1.0+

Hope some of this helps....

   Goose



----- Original Message -----
From: "Oliver Elphick" <olly@lfix.co.uk>
To: "Richard Zimmerman" <Richard@knbpower.com>
Sent: Thursday, April 05, 2001 12:04 PM
Subject: Re: [NOVICE] Couple of PostgreSQL Questions


> "Richard Zimmerman" wrote:
>   >Good day! I am new to this list and PostgreSQL for that matter. I've messed
>   >with it (and php) a little and really like what I see so far. In the past
>   >several months I've also been working on Linux system security.
>   >
>   >Question 1:
>   >
>   >   My Linux system serves as the "Internet" server in my office and also
>   >hosts the PostgreSQL database. I want to "hide" PostgreSQL from my external
>   >network card (eth1).
>   >
>   >eth0 = 192.168.0.2 (Internal)
>   >eth1 = 63.110.172.162 (external)
>   >
>   >In the config file /var/lib/pgsql/data/pg_hba.conf I have given it the
>   >following:
>   >
>   ><snip>
>   ># By default, allow anything over UNIX domain sockets and localhost.
>   >
>   >local        all                                            trust
>   >host         all         63.110.172.162 255.255.255.255     reject
>   >host         all         127.0.0.1      255.255.255.255     crypt
>   >host         all         192.168.0.0    255.255.255.0       crypt
>
> Presumably your eth1 is the gateway to the wide world?  If so, this
> will not work; it will only protect against eth1's own address, which is
> unlikely to initiate any connection.
>
> I suggest:
>   local        all                                            trust
>   host         all         127.0.0.1      255.0.0.0           trust
>   host         all         192.168.0.0    255.255.255.0       crypt
>   host         all         0.0.0.0        0.0.0.0             reject
>
> (I changed to trust on 127.0.0.1, since there is no point in passwording
> that if the UNIX socket has unrestricted access.  An alternative is
>
>   local        all                                       password
>   host         all         127.0.0.1      255.0.0.0      ident sameuser
>
> which will only allow users to connect with their Unix identity through
> localhost; you can't enforce that on the UNIX socket connection since
> there is no way for the _backend_ to find out which unix user is at the
> other end of the socket.)
>
>   >   As a stop-gap measure, I have also set up firewall rules (ipchains) to
>   >block connections coming from my External Network card (eth1) to port 5432.
>   >Is there a better way to config PostgreSQL so that it NEVER shows up on an
>   >Nmap scan of the External Network card?
>   >
>   >Question 2:
>   >
>   >   I have been reading in the docs about the PostgreSQL.conf file. I
>   >installed my copy of PostgreSQL from RedHat 7.0 .rpm files:
>   >
>   >Postgresql-7.0.2-17
>   >Postgresql-server-7.0.2-17
>   >Postgresql-devel-7.0.2-17
>   >
>   >   I don't seem to have a PostgreSQL.conf file. Is it safe to create one in
>   >/var/lib/pgsql/data or is there a specific place it needs to go? More
>   >importantly, *IS* it even needed?
>
> postgresql.conf is new in 7.1
>
>   >   Any help with these issues is greatly appreciated. I ran these questions
>   >by the gurus on our local LUG (Kalamazoo Linux Users Group) with several of
>   >them being veteran PostgreSQL users and they were also clueless as to how to
>   >"Hide" the server.
>
> It won't actually hide it, but it will reject connections.
>
> --
> Oliver Elphick                                Oliver.Elphick@lfix.co.uk
> Isle of Wight                              http://www.lfix.co.uk/oliver
> PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47  6B 7E 39 CC 56 E4 C1 47
> GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
>                  ========================================
>      "My dear brothers, take note of this: Everyone should
>       be quick to listen, slow to speak and slow to become
>       angry, for man's anger does not bring about the
>       righteous life that God desires."  James 1:19,20
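As an added illustration (not part of the thread above), here is a small Python model of how PostgreSQL walks pg_hba.conf: the first line whose type and address/netmask match the client decides the method, and a client that matches no line is denied. It is run against the two rule sets quoted in the reply, with the rule tables and client addresses constructed from the thread; only the standard library is assumed.

```python
import ipaddress

# pg_hba.conf lines as tuples (type, database, address, netmask, method).
# "local" lines carry no address. Both tables are constructed from the thread.
ORIGINAL_HBA = [
    ("local", "all", None, None, "trust"),
    ("host", "all", "63.110.172.162", "255.255.255.255", "reject"),
    ("host", "all", "127.0.0.1", "255.255.255.255", "crypt"),
    ("host", "all", "192.168.0.0", "255.255.255.0", "crypt"),
]

SUGGESTED_HBA = [
    ("local", "all", None, None, "trust"),
    ("host", "all", "127.0.0.1", "255.0.0.0", "trust"),
    ("host", "all", "192.168.0.0", "255.255.255.0", "crypt"),
    ("host", "all", "0.0.0.0", "0.0.0.0", "reject"),  # catch-all must stay last
]


def hba_method(rules, conn_type, client_ip=None):
    """Return the auth method of the FIRST matching line.

    Returns None when no line matches; PostgreSQL denies the connection
    in that case, so None also means "not allowed in".
    """
    for rtype, _db, addr, mask, method in rules:
        if rtype != conn_type:
            continue
        if rtype == "local":          # UNIX-socket connections: no address to check
            return method
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if ipaddress.ip_address(client_ip) in net:
            return method
    return None


def reject_first(rules):
    """Same lines as `rules` but with the trailing catch-all moved to the top,
    to show why order matters under first-match evaluation."""
    return [rules[-1]] + rules[:-1]


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.0.77", "63.110.172.162", "63.110.172.5"):
        print(ip, hba_method(ORIGINAL_HBA, "host", ip), hba_method(SUGGESTED_HBA, "host", ip))
```

The original table's reject line only ever matches eth1's own address; any other outside client simply fails to match a line, while the suggested table rejects it explicitly and, if the catch-all were listed first, would shut out localhost and the LAN as well.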