Thread: monitoring postgres

monitoring postgres

From
"Matthew Nuzum"
Date:
I subscribe to a server monitoring service that notifies me if any of my
public servers stop responding to periodic queries.

It has predefined functions for monitoring standard web facing services
such as ftp, telnet, http, https etc.  They also offer a custom function
for other services, which is what I need to use to monitor my postgres
servers.

They do a challenge and response type query where they send a specific
message on UDP or TCP port of my choosing and if they don't get the
response that I specify then they send me a page.

The problem is that I block traffic to my Postgres servers at the
Postgres level using a list of acceptable hosts that can connect to the
server.  I don't want to add their hosts to my server's allow list.

I'm not blocking them at the firewall, so they can see the server on
that port, but can anyone suggest a text string and expected response
that I can use to know that the server is OK?

--
Matthew Nuzum
www.bearfruit.org
cobalt@bearfruit.org


Re: monitoring postgres

From
Tom Lane
Date:
"Matthew Nuzum" <cobalt@bearfruit.org> writes:
> I'm not blocking them at the firewall, so they can see the server on
> that port, but can anyone suggest a text string and expected response
> that I can use to know that the server is OK?

I'd suggest sending a standard startup packet and looking for the
"you're not authorized" response.  Unfortunately, the startup packet
isn't pure text ... can they cope with sending a string containing
nulls?

            regards, tom lane

Re: monitoring postgres

From
"Matthew Nuzum"
Date:
I don't know, I'll check.  Out of curiosity, can you send me an example
of the "standard startup packet"?  Or at least tell me where in the code
I can see it?

--
Matthew Nuzum
www.bearfruit.org
cobalt@bearfruit.org


> -----Original Message-----
> From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
> Sent: Wednesday, January 29, 2003 11:49 AM
> To: Matthew Nuzum
> Cc: pgsql-general@postgresql.org
> Subject: Re: [GENERAL] monitoring postgres
>
> "Matthew Nuzum" <cobalt@bearfruit.org> writes:
> > I'm not blocking them at the firewall, so they can see the server on
> > that port, but can anyone suggest a text string and expected response
> > that I can use to know that the server is OK?
>
> I'd suggest sending a standard startup packet and looking for the
> "you're not authorized" response.  Unfortunately, the startup packet
> isn't pure text ... can they cope with sending a string containing
> nulls?
>
>             regards, tom lane


Re: monitoring postgres

From
Tom Lane
Date:
"Matthew Nuzum" <cobalt@bearfruit.org> writes:
> I don't know, I'll check.  Out of curiosity, can you send me an example
> of the "standard startup packet"?  Or at least tell me where in the code
> I can see it?

Read the FE/BE protocol documentation in the developer's guide, or get
out tcpdump and watch some go by ;-)

            regards, tom lane
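
The startup-packet probe suggested above, as an added example that is not part of the original messages or of PostgreSQL's own code. It assumes the protocol 3.0 message layout used by current servers (the thread predates it); the user and database names and the verdict strings are placeholders chosen for illustration.

```python
import socket
import struct

PROTOCOL_V3 = 196608  # 3 << 16, i.e. protocol version 3.0


def build_startup(user="monitor", database="postgres"):
    """StartupMessage: int32 length, int32 version, NUL-terminated key/value pairs."""
    body = struct.pack("!I", PROTOCOL_V3)
    for key, value in (("user", user), ("database", database)):
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"  # terminator after the last pair
    return struct.pack("!I", len(body) + 4) + body


def parse_error(msg):
    """Return the fields of an ErrorResponse ('E') as a dict, or None."""
    if len(msg) < 5 or msg[:1] != b"E":
        return None
    (length,) = struct.unpack("!I", msg[1:5])  # counts itself, not the type byte
    fields = {}
    for item in msg[5:1 + length].split(b"\x00"):
        if item:
            fields[chr(item[0])] = item[1:].decode("utf-8", "replace")
    return fields


def classify(msg):
    """Map the first server message to a monitoring verdict."""
    if not msg:
        return "down"
    if msg[:1] == b"R":  # authentication request: this host is on the allow list
        return "up-host-allowed"
    fields = parse_error(msg)
    if fields is None:
        return "unexpected"
    # SQLSTATE class 28 = invalid authorization: the rejection the probe expects
    return "up-rejected" if fields.get("C", "").startswith("28") else "degraded"


def probe(host, port=5432, timeout=5.0):
    """Send one startup packet and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_startup())
            return classify(sock.recv(4096))
    except OSError:
        return "down"
```

A verdict of "up-host-allowed" from the monitoring host means the allow list is wider than intended, which is worth alerting on separately from "down".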

Re: monitoring postgres

From
Lincoln Yeoh
Date:
I may be overparanoid but I suggest you configure your firewall to not
allow postgresql and other services that your external users do not
absolutely _need_ to access. And then write an app for those absolutely
necessary ports to check the status of your postgresql servers.

Example: if external users MUST be able to browse your webserver, write a
small web app that checks the Client IP and if it's the monitoring service
(or your static IP), checks to see if your postgresql servers are running
fine, and returns a page depending whether they're all fine or not.

If it's not the monitoring service's IP, return a different page without
checking the servers at all (this is to prevent people from DoSing your db
servers - doesn't stop them from DoSing your webserver but with a properly
configured webserver and webapp most sites would run out of bandwidth first).

An issue to watch out for: you might wish to use HTTPS or HTTP on a
different port instead of HTTP on port 80 because if there are transparent
HTTP caching proxies between them and your site, you could get the proxy
IPs and not the monitoring service's IP.

You could also write a simple custom network app that listens on a desired
port and displays an appropriate banner depending on the situation, it's
not too difficult but you might not want to do that - if you screw this app
up you could be introducing another vulnerability.

I'm not saying the postgresql is necessarily insecure, but I believe that
the developers typically have different priorities and perspectives. So it
is better to only expose things that are designed to be exposed to
hostile environments.

Of course I could be wrong, and the Postgresql developers could have
designed and implemented Postgresql for hostile network environments.

Even if that is the case, you should still configure your firewall to only
allow the monitoring service access to your postgresql server. Because if
your monitoring service somehow makes 10000 concurrent connections to each
postgresql server you have decent options. Whereas if unknown hosts do that
I doubt your options are as good.

Hope this helps,
Link.

At 11:15 AM 1/29/03 -0500, Matthew Nuzum wrote:

>I subscribe to a server monitoring service that notifies me if any of my
>public servers stop responding to periodic queries.
>
>It has predefined functions for monitoring standard web facing services
>such as ftp, telnet, http, https etc.  They also offer a custom function
>for other services, which is what I need to use to monitor my postgres
>servers.
>
>They do a challenge and response type query where they send a specific
>message on UDP or TCP port of my choosing and if they don't get the
>response that I specify then they send me a page.
>
>The problem is that I block traffic to my Postgres servers at the
>Postgres level using a list of acceptable hosts that can connect to the
>server.  I don't want to add their hosts to my server's allow list.
>
>I'm not blocking them at the firewall, so they can see the server on
>that port, but can anyone suggest a text string and expected response
>that I can use to know that the server is OK?
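
The IP-gated status page described in Lincoln Yeoh's message, as an added example that is not part of the original thread. The addresses, port, page bodies and the `db_reachable` check are hypothetical placeholders, and the short result cache is an addition that bounds how often even the monitoring service can trigger a database check.

```python
import ipaddress
import socket
import time
from wsgiref.simple_server import make_server

# Assumptions: placeholder addresses, replace with the monitor's and your own.
MONITOR_NETS = [ipaddress.ip_network("192.0.2.10/32")]
DB_SERVERS = [("10.0.0.5", 5432)]
CACHE_SECONDS = 30
_cache = {"at": None, "ok": False}


def db_reachable(servers=DB_SERVERS, timeout=3.0):
    """Hypothetical check: every database server accepts a TCP connection."""
    for host, port in servers:
        try:
            socket.create_connection((host, port), timeout=timeout).close()
        except OSError:
            return False
    return True


def health(client_ip, check=db_reachable, now=time.monotonic):
    """Return (status, body); only allow-listed clients cause a database check."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "200 OK", "hello"
    if not any(addr in net for net in MONITOR_NETS):
        return "200 OK", "hello"  # different page, no work done on the db servers
    if _cache["at"] is None or now() - _cache["at"] >= CACHE_SECONDS:
        _cache.update(at=now(), ok=check())
    if _cache["ok"]:
        return "200 OK", "DB-OK"
    return "503 Service Unavailable", "DB-FAIL"


def app(environ, start_response):
    # Trust only the socket peer address; X-Forwarded-For is client-supplied.
    status, body = health(environ.get("REMOTE_ADDR", ""))
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]


if __name__ == "__main__":
    # A non-80 port, so transparent HTTP proxies do not mask the client IP.
    make_server("", 8081, app).serve_forever()
```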