| From: | Craig James <craig_james(at)emolecules(dot)com> |
|---|---|
| To: | pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: Securing a remotely accessible PostgreSQL server |
| Date: | 2010-12-23 00:05:56 |
| Message-ID: | 4D129264.2010701@emolecules.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
> Josh<josh(at)saucetel(dot)com> wrote:
>
> I am looking for suggestions on how best to secure a server that
> is accessible via the internet. Even account creation for the
> database is open to the world. Does anybody have any extra changes
> they would make to postgresql.conf or OS changes they would
> suggest? Perhaps some default permissions that would be best
> revoked?
>
> The system setup is currently a Linux box running PostgreSQL 8.4
> My pg_hba.conf already limits remote connections to one database
> and one particular role.
You don't give any details about your users or how/why they need this access so it's hard to give good advice. But one possibility is to use SSH tunneling, so that your users have to log in to your server first using a protocol that's pretty secure.
ssh -L5432:localhost:5432 user(at)host(dot)com
Then the user connects locally instead of directly. On the user's computer:
psql -h localhost dbname
We've used this technique when a developer had to work from a remote location. There is no direct access to Postgres at all, yet you can work remotely and securely.
Craig
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Snoop | 2010-12-23 00:12:39 | Re: PostgreSQL in Shared Disk Failover mode on FreeBSD+CARP+RAIDZ |
| Previous Message | Scott Marlowe | 2010-12-22 22:38:49 | Re: Securing a remotely accessible PostgreSQL server |