Couple of PostgreSQL Questions

From: "Richard Zimmerman"
Good day! I am new to this list and PostgreSQL for that matter. I've messed
with it (and php) a little and really like what I see so far. In the past
several months I've also been working on Linux system security.

Question 1:

   My Linux system serves as the "Internet" server in my office and also
hosts the PostgreSQL database. I want to "hide" PostgreSQL from my external
network card (eth1).

eth0 = 192.168.0.2 (Internal)
eth1 = 63.110.172.162 (external)

In the config file /var/lib/pgsql/data/pg_hba.conf I have given it the
following:

<snip>
# By default, allow anything over UNIX domain sockets and localhost.

local        all                                            trust
host         all         63.110.172.162 255.255.255.255     reject
host         all         127.0.0.1      255.255.255.255     crypt
host         all         192.168.0.0    255.255.255.0       crypt

   As a stopgap measure, I have also set up firewall rules (ipchains) to
block connections coming from my External Network card (eth1) to port 5432.
Is there a better way to config PostgreSQL so that it NEVER shows up on an
Nmap scan of the External Network card?

Question 2:

   I have been reading in the docs about the PostgreSQL.conf file. I
installed my copy of PostgreSQL from RedHat 7.0 .rpm files:

Postgresql-7.0.2-17
Postgresql-server-7.0.2-17
Postgresql-devel-7.0.2-17

   I don't seem to have a PostgreSQL.conf file. Is it safe to create one in
/var/lib/pgsql/data or is there a specific place it needs to go? More
importantly, *IS* it even needed?

   Any help with these issues is greatly appreciated. I ran these questions
by the gurus on our local LUG (Kalamazoo Linux Users Group) with several of
them being veteran PostgreSQL users and they were also clueless as to how to
"Hide" the server.

   Thank you in advance for any suggestions, comments, etc.

   Richard

Richard Zimmerman                                     Richard@knbpower.com
Information Systems Manager                      ke4rit@earthlink.net
K&B Transport, Inc.
Elkhart, Indiana                     Advanced SKYWARN weather spotter

Support Operation Lifesaver
www.oli.org

Re: Couple of PostgreSQL Questions

From: Tom Lane
"Richard Zimmerman" <Richard@knbpower.com> writes:
>    My Linux system serves as the "Internet" server in my office and also
> hosts the PostgreSQL database. I want to "hide" PostgreSQL from my external
> network card (eth1).

> eth0 = 192.168.0.2 (Internal)
> eth1 = 63.110.172.162 (external)

In 7.1 it is possible to tell the postmaster to bind its socket to only
one IP address, rather than all the machine's IP addresses.  That should
solve your problem.  However, I don't really think you need to worry
all that much, given that you have pg_hba.conf set up not to accept
connections from anyplace except local addresses.

> local        all                                            trust
> host         all         63.110.172.162 255.255.255.255     reject
> host         all         127.0.0.1      255.255.255.255     crypt
> host         all         192.168.0.0    255.255.255.0       crypt

That "reject" line is pretty much a waste of time, because it only
rejects connections that originate from your own machine; the comparison
is against the client address not the server address.  The important
thing for security is that you're not accepting connections from just
any old IP address, but only the ones on your local LAN.  So, even
though an outside port-scanner might be able to see your port
responding, he's not going to get in.

But, having said that, a firewall rule to drop outside-to-5432 packets
entirely is also a good idea.

            regards, tom lane
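To make Tom's point about the "reject" line concrete for both the question and the reply, here is an added example (not code from the thread or from PostgreSQL itself) that walks the pg_hba.conf lines quoted above the way the postmaster does: first matching line wins, a client matched by no line is refused, and the address compared is the *client's* address. It uses the old 7.x layout with a separate netmask column and ignores user and SSL distinctions; the client address 198.51.100.7 is a constructed "outside" address from the documentation range, and 192.168.0.50 is a constructed LAN client.

```python
import ipaddress

# The pg_hba.conf lines quoted in the question (old 7.x syntax: address and
# netmask are separate columns; the "reject" line is the one under discussion).
PG_HBA = """\
# By default, allow anything over UNIX domain sockets and localhost.
local        all                                            trust
host         all         63.110.172.162 255.255.255.255     reject
host         all         127.0.0.1      255.255.255.255     crypt
host         all         192.168.0.0    255.255.255.0       crypt
"""


def parse_pg_hba(text):
    """Parse 'local' and 'host' lines into a list of rule dicts, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            rules.append({"type": "local", "db": fields[1], "method": fields[2]})
        elif fields[0] == "host":
            # address + netmask -> one network object (strict=False tolerates host bits)
            net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
            rules.append({"type": "host", "db": fields[1], "net": net, "method": fields[4]})
    return rules


def decide(rules, client_ip=None, db="anydb"):
    """Return (outcome, method, line_index) for one incoming connection.

    client_ip=None models a Unix-domain socket connection, otherwise the
    address the CLIENT connects from (never the server's own interface).
    'accept' means "go on to authenticate with this method"; a 'reject'
    line and a fall-through with no match are both refusals.
    """
    for idx, rule in enumerate(rules, start=1):
        if rule["db"] != "all" and rule["db"] != db:
            continue
        if client_ip is None:
            if rule["type"] == "local":
                return ("accept", rule["method"], idx)
            continue
        if rule["type"] != "host":
            continue
        if ipaddress.ip_address(client_ip) in rule["net"]:
            if rule["method"] == "reject":
                return ("refuse", "reject", idx)
            return ("accept", rule["method"], idx)
    return ("refuse", None, None)   # no line matched: postmaster refuses


def reject_line_is_redundant(sample_clients):
    """True if dropping the 'reject' line changes no accept/refuse outcome."""
    with_reject = parse_pg_hba(PG_HBA)
    without_reject = [r for r in with_reject if r["method"] != "reject"]
    return all(decide(with_reject, ip)[0] == decide(without_reject, ip)[0]
               for ip in sample_clients)


if __name__ == "__main__":
    rules = parse_pg_hba(PG_HBA)
    for label, ip in [("unix socket", None), ("loopback", "127.0.0.1"),
                      ("LAN client (constructed)", "192.168.0.50"),
                      ("server's own eth1 address", "63.110.172.162"),
                      ("outside client (constructed)", "198.51.100.7")]:
        print(f"{label:28s} -> {decide(rules, ip)}")
    print("reject line redundant:",
          reject_line_is_redundant(["63.110.172.162", "198.51.100.7",
                                    "192.168.0.50", "127.0.0.1"]))
```

Running it shows the "reject" line only ever fires for a client that connects *from* 63.110.172.162, i.e. the server itself; the outside client matches nothing and is refused either way, which is why the line buys nothing. On servers newer than the 7.x series discussed here, the bind-to-one-address behaviour Tom mentions is configured with `listen_addresses` in postgresql.conf (for example `listen_addresses = 'localhost, 192.168.0.2'`), and the packet-filter rule on port 5432 remains a sensible second layer.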