From: | Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com> |
---|---|
To: | Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Compromised postgresql instances |
Date: | 2018-06-09 12:36:01 |
Message-ID: | ce516224-0c26-2eae-1976-897f40a77375@2ndQuadrant.com |
Lists: | pgsql-hackers |
On 06/09/2018 03:27 AM, Andrew Gierth wrote:
>>>>>> "Thomas" == Thomas Kellerer <spam_eater(at)gmx(dot)net> writes:
> Thomas> And a blog post going into details on how that specific attack works.
>
> Thomas> https://www.imperva.com/blog/2018/03/deep-dive-database-attacks-scarlett-johanssons-picture-used-for-crypto-mining-on-postgre-database/
>
> *headdesk*
>
> *headdesk*
>
> *headdesk*
>
> FOR THE LOVE OF LITTLE APPLES, why, in an article as comprehensive as
> this, did they not list in the "quick tips" at the end, the quickest and
> most absolutely basic and essential tip of all, which is "don't open up
> your database for superuser access from the whole world" ???
>
> To become vulnerable to this attack, you have to do ALL of these:
>
> - give your db a public IP
> - allow access (or forget to prevent access) to it through any
> firewall
> - configure pg to listen on the public IP
> - explicitly add an entry to pg_hba.conf that allows access from
> 0.0.0.0/0 for all users or at least the postgres user
> - AND have a guessable password on the postgres user or explicitly
> use "trust" on the above hba entry
>
> *headdesk*
>
Against stupidity the Gods themselves contend in vain.
cheers
andrew
--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
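The quoted list of misconfigurations describes a pattern a defender can check for mechanically rather than by eye. What follows is an added example, not code from this thread, from PostgreSQL, or from the Imperva article: it parses pg_hba.conf and postgresql.conf text and flags host rules whose ADDRESS field admits any client (0.0.0.0/0, ::/0 or "all") for the postgres user or for all users, distinguishing "trust" from password-only methods, and reports whether listen_addresses binds to every interface. The configuration text in the block is constructed for the example, and the severity labels are this example's own convention.

```python
"""Audit PostgreSQL access configuration for the world-open pattern described
in the thread: a pg_hba.conf rule reachable from any address for all users or
the postgres superuser, combined with trust or a password-only method.
Added example; the sample configuration below is constructed, not taken from
any real server."""
import ipaddress
import re

# Constructed sample pg_hba.conf. Lines 6-8 are the kind of rule the thread warns about.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       all                       peer
host    all       all       127.0.0.1/32    scram-sha-256
host    all       all       ::1/128         scram-sha-256
hostssl app       appuser   10.0.0.0/8      scram-sha-256
host    all       postgres  0.0.0.0/0       md5
host    all       all       ::/0            trust
host    all       all       0.0.0.0 0.0.0.0 md5
"""

# Constructed sample postgresql.conf fragment.
SAMPLE_POSTGRESQL_CONF = """\
#listen_addresses = 'localhost'
listen_addresses = '*'
port = 5432
"""

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def _is_ip(token):
    """True if token parses as a bare IPv4/IPv6 address (used to spot the NETMASK column)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return one dict per rule; comments and blank lines are skipped.
    Both the CIDR form (ADDRESS/PREFIX) and the separate NETMASK column are handled."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append({"line": lineno, "type": f[0], "database": f[1],
                          "user": f[2], "address": None, "method": f[3]})
        elif f[0] in HOST_TYPES and len(f) >= 5:
            address, method = f[3], f[4]
            if "/" not in address and len(f) >= 6 and _is_ip(f[4]):
                address, method = f"{f[3]}/{f[4]}", f[5]  # separate netmask column
            rules.append({"line": lineno, "type": f[0], "database": f[1],
                          "user": f[2], "address": address, "method": method})
    return rules


def covers_whole_internet(address):
    """True when the ADDRESS field admits any client: 'all', 0.0.0.0/0 or ::/0."""
    if address == "all":
        return True
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False  # hostname, samehost, samenet: not world-open by themselves
    return net.prefixlen == 0


def audit_pg_hba(text):
    """Return (line, severity, reason) for every rule reachable from any address."""
    findings = []
    for r in parse_pg_hba(text):
        if r["address"] is None or not covers_whole_internet(r["address"]):
            continue
        if r["method"] == "trust":
            findings.append((r["line"], "critical",
                             "trust authentication open to any address"))
        elif r["user"] in ("all", "postgres"):
            findings.append((r["line"], "high",
                             f"user {r['user']!r} reachable from any address, "
                             f"protected only by method {r['method']!r}"))
        else:
            findings.append((r["line"], "medium",
                             f"user {r['user']!r} reachable from any address"))
    return findings


def listen_addresses_is_public(conf_text):
    """True when postgresql.conf binds every interface ('*', '0.0.0.0' or '::').
    The last uncommented setting wins, as it does in PostgreSQL itself."""
    public = False
    for line in conf_text.splitlines():
        m = re.match(r"\s*listen_addresses\s*=\s*'([^']*)'", line)
        if m:
            values = {v.strip() for v in m.group(1).split(",")}
            public = bool(values & {"*", "0.0.0.0", "::"})
    return public  # default is 'localhost'


if __name__ == "__main__":
    for line, severity, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf:{line}: {severity}: {reason}")
    print("listen_addresses public:", listen_addresses_is_public(SAMPLE_POSTGRESQL_CONF))
```

Run it against your own files with `audit_pg_hba(open("/path/to/pg_hba.conf").read())`; on a live server the same rule set is visible through the pg_hba_file_rules view, but reading the file avoids needing a superuser connection for the check. A rule is only exploitable in the way the thread describes when the address is also routable from outside and listen_addresses exposes it, which is why the two checks are kept separate.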