| From: | Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Compromised postgresql instances |
| Date: | 2018-06-09 07:27:43 |
| Message-ID: | 871sdgwijg.fsf@news-spur.riddles.org.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
>>>>> "Thomas" == Thomas Kellerer <spam_eater(at)gmx(dot)net> writes:
Thomas> And a blog post going into details on how that specific attack works.
*headdesk*
*headdesk*
*headdesk*
FOR THE LOVE OF LITTLE APPLES, why, in an article as comprehensive as
this, did they not list in the "quick tips" at the end, the quickest and
most absolutely basic and essential tip of all, which is "don't open up
your database for superuser access from the whole world" ???
To become vulnerable to this attack, you have to do ALL of these:
- give your db a public IP
- allow access (or forget to prevent access) to it through any
firewall
- configure pg to listen on the public IP
- explicitly add an entry to pg_hba.conf that allows access from
0.0.0.0/0 for all users or at least the postgres user
- AND have a guessable password on the postgres user or explicitly
use "trust" on the above hba entry
*headdesk*
--
Andrew (irc:RhodiumToad)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2018-06-09 12:36:01 | Re: Compromised postgresql instances |
| Previous Message | Fabien COELHO | 2018-06-09 06:55:30 | Re: [HACKERS] WIP Patch: Pgbench Serialization and deadlock errors |