From: | Joe Conway <mail(at)joeconway(dot)com> |
---|---|
To: | "A(dot) Reichstadt" <lxr(at)me(dot)com>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: How to deny access to Postgres when connected from host/non-local |
Date: | 2021-04-03 18:02:35 |
Message-ID: | b9947839-0178-1bb0-29c6-cd316ab6ea8d@joeconway.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On 4/2/21 7:06 PM, A. Reichstadt wrote:
> Hello,
>
> I try to deny access to all databases on my server if the user “postgres" tries
> to connect from a non-local host. Here is what I did in pg_hba.conf:
>
>
> # TYPE DATABASE USER ADDRESS METHOD
>
> # "local" is for Unix domain socket connections only
> local all all md5
> # IPv4 local connections:
> host all all 127.0.0.1/32 md5
> # IPv6 local connections:
> host all all ::1/128 md5
> # Allow replication connections from localhost, by a user with the
> # replication privilege.
> local replication all md5
> host replication all 127.0.0.1/32 md5
> host replication all ::1/128 md5
> host all all 0.0.0.0/0 md5
> local all postgres trust
> host all postgres 0.0.0.0/0 reject
>
>
> But it continues to allow for Postgres to connect from anywhere through PGAdmin
> but also as a direct connection to port 5432. I also relaunched the server. This
> is version 12.
>
> What else do I have to do?
>
> Thanks for any help.
See:
https://www.postgresql.org/docs/13/auth-pg-hba-conf.html
In particular:
"Each record specifies a connection type, a client IP
address range (if relevant for the connection type),
a database name, a user name, and the authentication
method to be used for connections matching these
parameters. The first record with a matching
connection type, client address, requested database,
and user name is used to perform authentication."
So your reject line is never being reached.
HTH,
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
From | Date | Subject | |
---|---|---|---|
Next Message | Stephan Knauss | 2021-04-03 18:47:45 | Re: Debugging leaking memory in Postgresql 13.2/Postgis 3.1 |
Previous Message | Koen De Groote | 2021-04-03 17:37:12 | Re: Upgrading from 11 to 13 |