Thread: Couple of PostgreSQL Questions
Good day! I am new to this list and PostgreSQL for that matter. I've messed with it (and php) a little and really like what I see so far. In the past several months I've also been working on Linux system security.

Question 1: My Linux system serves as the "Internet" server in my office and also hosts the PostgreSQL database. I want to "hide" PostgreSQL from my external network card (eth1).

eth0 = 192.168.0.2 (Internal)
eth1 = 63.110.172.162 (external)

In the config file /var/lib/pgsql/data/pg_hba.conf I have given it the following:

<snip>
# By default, allow anything over UNIX domain sockets and localhost.
local all trust
host all 63.110.172.162 255.255.255.255 reject
host all 127.0.0.1 255.255.255.255 crypt
host all 192.168.0.0 255.255.255.0 crypt

As a stop-gap measure, I have also set up firewall rules (ipchains) to block connections coming from my external network card (eth1) to port 5432. Is there a better way to config PostgreSQL so that it NEVER shows up on an Nmap scan of the external network card?

Question 2: I have been reading in the docs about the PostgreSQL.conf file. I installed my copy of PostgreSQL from RedHat 7.0 .rpm files:

Postgresql-7.0.2-17
Postgresql-server-7.0.2-17
Postgresql-devel-7.0.2-17

I don't seem to have a PostgreSQL.conf file. Is it safe to create one in /var/lib/pgsql/data or is there a specific place it needs to go? More importantly, *IS* it even needed?

Any help with these issues is greatly appreciated. I ran these questions by the gurus on our local LUG (Kalamazoo Linux Users Group), with several of them being veteran PostgreSQL users, and they were also clueless as to how to "Hide" the server.

Thank you in advance for any suggestions, comments, etc.

Richard

Richard Zimmerman, Richard@knbpower.com
Information Systems Manager, ke4rit@earthlink.net
K&B Transport, Inc., Elkhart, Indiana
Advanced SKYWARN weather spotter
Support Operation Lifesaver www.oli.org
"Richard Zimmerman" <Richard@knbpower.com> writes:
> My Linux system serves as the "Internet" server in my office and also
> hosts the PostgreSQL database. I want to "hide" PostgreSQL from my external
> network card (eth1).
> eth0 = 192.168.0.2 (Internal)
> eth1 = 63.110.172.162 (external)

In 7.1 it is possible to tell the postmaster to bind its socket to only one IP address, rather than all the machine's IP addresses. That should solve your problem. However, I don't really think you need to worry all that much, given that you have pg_hba.conf set up not to accept connections from anyplace except local addresses.

> local all trust
> host all 63.110.172.162 255.255.255.255 reject
> host all 127.0.0.1 255.255.255.255 crypt
> host all 192.168.0.0 255.255.255.0 crypt

That "reject" line is pretty much a waste of time, because it only rejects connections that originate from your own machine; the comparison is against the client address, not the server address. The important thing for security is that you're not accepting connections from just any old IP address, but only the ones on your local LAN. So, even though an outside port-scanner might be able to see your port responding, he's not going to get in. But, having said that, a firewall rule to drop outside-to-5432 packets entirely is also a good idea.

regards, tom lane
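A small evaluator of the first-match, client-address semantics Tom describes, run over the pg_hba.conf snippet from the thread. It is added here and is not code from either message or from PostgreSQL itself; it assumes only the 7.0-era record forms the thread uses (local / host with a dotted netmask) and the sample client addresses are constructed.

```python
import ipaddress

# The pg_hba.conf snippet quoted in the thread (copied here as sample input).
PG_HBA = """\
# By default, allow anything over UNIX domain sockets and localhost.
local all trust
host all 63.110.172.162 255.255.255.255 reject
host all 127.0.0.1 255.255.255.255 crypt
host all 192.168.0.0 255.255.255.0 crypt
"""

def parse_pg_hba(text):
    """Return records in file order; pg_hba.conf is evaluated first-match."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":                     # UNIX-socket record: type db method
            rules.append(("local", f[1], None, f[2]))
        elif f[0] == "host":                    # TCP record: type db addr mask method
            net = ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False)
            rules.append(("host", f[1], net, f[4]))
        else:
            raise ValueError(f"unsupported record type: {f[0]}")
    return rules

def match_tcp(rules, client_ip, db="all"):
    """Method the postmaster would apply to a TCP client. The address compared
    is the CLIENT's, so a record naming the server's own external IP only
    fires for connections that originate from the server itself."""
    addr = ipaddress.ip_address(client_ip)
    for rtype, rdb, net, method in rules:
        if rtype == "host" and rdb in ("all", db) and addr in net:
            return method
    return "reject"   # no matching record: the connection is refused

if __name__ == "__main__":
    rules = parse_pg_hba(PG_HBA)
    # The TCP handshake completes before pg_hba.conf is consulted, so a port
    # scanner still sees 5432 open; what pg_hba.conf decides is who gets in.
    for ip in ("192.168.0.10", "127.0.0.1", "63.110.172.162", "198.51.100.7"):
        print(f"{ip:>16} -> {match_tcp(rules, ip)}")
```

The outside address 198.51.100.7 is refused for lack of any matching record, which is why the explicit reject line changes nothing for external clients; binding the postmaster to the internal address (7.1) or the ipchains rule is what keeps the port from answering at all.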