Re: Compromised postgresql instances

From: Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Compromised postgresql instances
Date: 2018-06-09 07:27:43
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

>>>>> "Thomas" == Thomas Kellerer <spam_eater(at)gmx(dot)net> writes:

Thomas> And a blog post going into details on how that specific attack works.





FOR THE LOVE OF LITTLE APPLES, why, in an article as comprehensive as
this, did they not list in the "quick tips" at the end, the quickest and
most absolutely basic and essential tip of all, which is "don't open up
your database for superuser access from the whole world" ???

To become vulnerable to this attack, you have to do ALL of these:

- give your db a public IP
- allow access (or forget to prevent access) to it through any
- configure pg to listen on the public IP
- explicitly add an entry to pg_hba.conf that allows access from for all users or at least the postgres user
- AND have a guessable password on the postgres user or explicitly
use "trust" on the above hba entry


Andrew (irc:RhodiumToad)

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Andrew Dunstan 2018-06-09 12:36:01 Re: Compromised postgresql instances
Previous Message Fabien COELHO 2018-06-09 06:55:30 Re: [HACKERS] WIP Patch: Pgbench Serialization and deadlock errors