Re: BUG #15035: scram-sha-256 blocks all logins - Mailing list pgsql-bugs

From Andrew Gierth
Subject Re: BUG #15035: scram-sha-256 blocks all logins
Date
Msg-id 87lggftdaq.fsf@news-spur.riddles.org.uk
In response to RE: BUG #15035: scram-sha-256 blocks all logins  (Meirav Rath <meirav.rath@imperva.com>)
List pgsql-bugs
>>>>> "Meirav" == Meirav Rath <meirav.rath@imperva.com> writes:

 Meirav> host all postgres 0.0.0.0/0 trust

Never do this. (If you need non-password access for the postgres user,
then use "local all postgres peer", or a certificate-based method, or at
the _very least_ limit it to trusted IP addresses.)

Someone who can connect as the postgres user can load code into the
database remotely and run it, in addition to being able to see or modify
all your data. People _do_ get exploited this way (we see instances of
it reported on the IRC channel every once in a while); they find
themselves running DDoS bots or cryptocurrency miners or whatever else.

-- 
Andrew (irc:RhodiumToad)
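An added example, not code from the thread or from PostgreSQL: a small pg_hba.conf audit script that parses the rule format shown above (TYPE, DATABASE, USER, ADDRESS, METHOD; `local` rules carry no ADDRESS column) and flags every `trust` rule, rating network-wide trust such as `0.0.0.0/0` as critical. The sample config is constructed for the example and contains the quoted risky line beside the alternatives Andrew suggests; only the CIDR address form is handled, not the separate-netmask form.

```python
"""Audit pg_hba.conf for over-broad 'trust' rules (added example; sample data is constructed)."""
import ipaddress

# Constructed sample: the risky line quoted in the thread plus the alternatives Andrew suggests.
SAMPLE_HBA = """
# TYPE    DATABASE  USER      ADDRESS         METHOD
host      all       postgres  0.0.0.0/0       trust
local     all       postgres                  peer
hostssl   all       postgres  10.0.0.0/8      cert clientcert=verify-full
host      all       all       192.168.1.0/24  scram-sha-256
"""

def parse_hba(text):
    """Yield one dict per rule. 'local' rules have no ADDRESS column; options after METHOD are ignored."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, then whitespace-separated columns
        if not fields:
            continue
        if fields[0] == "local":
            conn_type, database, user, method = fields[:4]
            address = None
        else:
            conn_type, database, user, address, method = fields[:5]
        yield {"type": conn_type, "database": database, "user": user,
               "address": address, "method": method}

def prefix_len(address):
    """CIDR prefix length of an ADDRESS field, or None for keywords/hostnames (e.g. 'samehost')."""
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen
    except ValueError:
        return None

def audit(text, max_trust_prefix=24):
    """Return (severity, rule) for every 'trust' rule; trust open to a wide network is CRITICAL."""
    findings = []
    for rule in parse_hba(text):
        if rule["method"] != "trust":
            continue
        if rule["type"] == "local":
            findings.append(("LOW", rule))        # unauthenticated, but only via the local socket
            continue
        plen = prefix_len(rule["address"])
        if plen is not None and plen < max_trust_prefix:
            findings.append(("CRITICAL", rule))   # e.g. 0.0.0.0/0: anyone who can reach the port
        else:
            findings.append(("HIGH", rule))       # narrow range or hostname: still passwordless
    return findings
```

Run `audit(open("/etc/postgresql/.../pg_hba.conf").read())` against a real file (path is site-specific) to list every passwordless network rule before tightening it.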

