8 Crucial Tips for Hardening PostgreSQL 14.4 servers in 2022

[Image: Slonik, the PostgreSQL mascot posing in the PostgreSQL logo, 2022]

Many think of PostgreSQL as the most sophisticated open source database in the world.

As of July 13th, 2022, there are 135 security flaws reported to the CVE database.

[Image: Recent vulnerability findings for PostgreSQL from cvedetails.com]

This means that, without proper configuration and maintenance, PostgreSQL can be exploitable.

The popular object-relational database has better out-of-the-box security configurations than other databases. However, proper precautions are still needed to safeguard web applications and underlying data.

Here are 8 essential measures you can take to protect your PostgreSQL server.

1. Check for Important Security Updates and Patches often

This is a PCI-DSS obligation if you run a PostgreSQL-based web app that handles credit card information.

It is also a good rule of thumb for all software systems. You can handle this by checking PostgreSQL’s security information page or by referencing the CIS Benchmark v1.0.0 for PostgreSQL 14 here.

They post major security updates and patches there. You can also use a tool to check for available updates.

If you are on Ubuntu, “unattended-upgrades” can install security updates for you.

[Image: WSUS running on Windows Server 2016]

On Windows you can use WSUS or Intune to manage and deploy update rings on your behalf.

2. Block Connections From Networks Where Database Access Is Not Required.

PostgreSQL will refuse connection requests from other hosts if listen_addresses is set to localhost.

This will shield the database and underpinning data structures from unauthorized access.

3. Control PostgreSQL Database Port-Level Access.

The database and management ports should be the only ports open on the server. Lock down any extra ports that permit network access to the database.

4. Think about disabling PostgreSQL remote access.

On its own, this eliminates a large number of important attack vectors. Again, you change this in pg_hba.conf. If you or your engineers still need remote access to the database, SSH to the server instead and then use a local connection. Another option is to configure SSH tunnel access to PostgreSQL, which lets client machines reach remote databases as if they were local.
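The checks behind tips 2, 3 and 4, as an added audit that is not part of the original post. It is meant to be run with psql as a superuser on PostgreSQL 14; the pg_hba.conf lines, the host name and the SSH user in the comments are assumptions.

```sql
-- Added audit, not from the original post. Run as a superuser on PostgreSQL 14
-- (pg_hba_file_rules has existed since PostgreSQL 10 and is superuser-only).

-- 1. Is the server listening beyond the loopback interface?
SELECT name, setting, context
FROM   pg_settings
WHERE  name IN ('listen_addresses', 'port', 'ssl');

-- Hardened value for tip 2. listen_addresses has postmaster context, so the
-- change needs a server restart; pg_reload_conf() is not enough.
ALTER SYSTEM SET listen_addresses = 'localhost';

-- 2. Which pg_hba.conf rules would still let a client in from elsewhere?
-- Flags: password-less 'trust' rules, any non-socket rule whose address is
-- not loopback, and plain 'host' lines (prefer 'hostssl' so TLS is required).
SELECT line_number, type, database, user_name, address, netmask, auth_method
FROM   pg_hba_file_rules
WHERE  error IS NULL
  AND  (   auth_method = 'trust'
        OR (type <> 'local' AND address NOT IN ('127.0.0.1', '::1', 'localhost'))
        OR type = 'host')
ORDER BY line_number;

-- A pg_hba.conf that implements "local access only" (assumed layout; edit the
-- file, then run SELECT pg_reload_conf()):
--   local   all   all                 scram-sha-256
--   host    all   all   127.0.0.1/32  scram-sha-256
--   host    all   all   ::1/128       scram-sha-256
-- Engineers reach the database through SSH and connect locally, for example:
--   ssh -L 5433:localhost:5432 dba@db-host      (then: psql -h localhost -p 5433)
```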

[Image: Encryption in action]

5. When encrypting values that don’t need decryption, use hash-based column encryption.

Hash functions like MD5 are one-way: you can’t decrypt their output. Encryption methods like AES are two-way and can be decrypted. Only use one-way hashing for values you only ever need to compare for a match, such as passwords. This adds an extra layer of protection if attackers get hold of your table contents.
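The one-way versus two-way distinction from tip 5, as an added example that is not from the original post. It uses the pgcrypto extension that ships with PostgreSQL 14: a salted bcrypt crypt() for the one-way case in place of a bare MD5 digest, and pgp_sym_encrypt() for the two-way case; the table, column names and key are made up.

```sql
-- Added example, not from the original post. Needs the contrib extension
-- pgcrypto; table, columns, values and the key below are constructed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
    id            serial PRIMARY KEY,
    email         text   NOT NULL UNIQUE,
    password_hash text   NOT NULL,   -- one-way: only ever compared, never read back
    api_secret    bytea  NOT NULL    -- two-way: must be decrypted for outbound calls
);

-- One-way: crypt() with a per-row bcrypt salt (cost 12). Unlike a bare MD5
-- digest, equal passwords do not give equal stored values and guessing is slow.
-- The symmetric key should come from application configuration, not from SQL.
INSERT INTO app_user (email, password_hash, api_secret)
VALUES ('alice@example.com',
        crypt('correct horse battery staple', gen_salt('bf', 12)),
        pgp_sym_encrypt('sk_constructed_value', 'column-key-from-app-config'));

-- Login check: re-hash the candidate with the stored salt and compare.
-- Returns one row only when the password matches.
SELECT id
FROM   app_user
WHERE  email = 'alice@example.com'
  AND  password_hash = crypt('correct horse battery staple', password_hash);

-- Two-way: the secret comes back in clear only to a caller holding the key.
SELECT pgp_sym_decrypt(api_secret, 'column-key-from-app-config') AS api_secret
FROM   app_user
WHERE  email = 'alice@example.com';

-- What a leaked table dump contains: a hash and ciphertext, no plaintext.
SELECT password_hash, encode(api_secret, 'hex') AS api_secret_hex FROM app_user;
```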

6. Give Each Application a Specific Role.

Create a new role for it and grant only the permissions it needs. This raises the level of security by keeping applications and their data apart. Do this for every new application that uses the PostgreSQL database.
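A per-application, least-privilege role as described in tip 6, as an added example that is not from the original post. The database, schema, table and role names (billing, billing.invoices, billing_app) are assumptions.

```sql
-- Added example, not from the original post: one login role per application
-- with only the rights its queries need. All names below are constructed.
-- Run as a superuser or as the owner of the billing database and schema.
CREATE ROLE billing_app LOGIN PASSWORD 'use-a-generated-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    CONNECTION LIMIT 20;

-- Start from zero: by default every role may connect to the database and
-- (before PostgreSQL 15) may create objects in the public schema.
REVOKE ALL ON DATABASE billing FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Grant exactly what the application does: read and write invoices.
GRANT CONNECT ON DATABASE billing TO billing_app;
GRANT USAGE   ON SCHEMA billing  TO billing_app;
GRANT SELECT, INSERT, UPDATE ON billing.invoices TO billing_app;  -- no DELETE, no DDL
GRANT USAGE ON ALL SEQUENCES IN SCHEMA billing TO billing_app;    -- for serial columns

-- Tables the role running this statement creates later get the same grants,
-- so a schema migration cannot silently leave the app without access.
ALTER DEFAULT PRIVILEGES IN SCHEMA billing
    GRANT SELECT, INSERT, UPDATE ON TABLES TO billing_app;

-- Verify: the only table privileges billing_app holds.
SELECT table_schema, table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  grantee = 'billing_app'
ORDER  BY table_schema, table_name, privilege_type;
```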

[Image: PGWatch visualization of PostgreSQL metrics in Grafana]

7. Configure proper database query monitoring and logging.

By enabling query tracking for your database, you improve your audit trail. This makes it easier to locate offenders in the event of an error or compromise. Install the pg_stat_statements extension first. Make sure that you turn on monitoring for all query types (SELECT, INSERT, UPDATE, DELETE).
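The pg_stat_statements and server-log setup behind tip 7, as an added example that is not from the original post. It targets PostgreSQL 14; the log_line_prefix format and the audit query at the end are choices of this example, not settings the post prescribes.

```sql
-- Added example, not from the original post. pg_stat_statements ships with the
-- PostgreSQL 14 contrib package; ALTER SYSTEM writes postgresql.auto.conf.

-- 1. Load the extension at startup (postmaster context: needs a restart).
ALTER SYSTEM SET shared_preload_libraries = 'pg_stat_statements';
ALTER SYSTEM SET pg_stat_statements.track = 'all';        -- top-level and nested statements
ALTER SYSTEM SET pg_stat_statements.track_utility = on;   -- CREATE/ALTER/DROP as well

-- 2. Server log: who connected from where, and every data-changing statement.
ALTER SYSTEM SET log_connections    = on;
ALTER SYSTEM SET log_disconnections = on;
ALTER SYSTEM SET log_statement      = 'mod';  -- 'all' also logs SELECT (much noisier)
ALTER SYSTEM SET log_line_prefix    = '%m [%p] %u@%d %r ';  -- time, pid, user@db, client
SELECT pg_reload_conf();   -- the log_* settings take effect without a restart

-- 3. After the restart, create the view in each database you want to watch.
CREATE EXTENSION IF NOT EXISTS pg_stat_statements;

-- 4. Audit query: write statements per role, most rows touched first. Query
-- text is normalised (constants become $1, $2, ...), so literals are not shown.
SELECT r.rolname,
       s.calls,
       s.rows,
       round(s.total_exec_time::numeric, 1) AS total_ms,
       left(s.query, 80)                    AS query
FROM   pg_stat_statements s
JOIN   pg_roles r ON r.oid = s.userid
WHERE  s.query ~* '^\s*(insert|update|delete)'
ORDER  BY s.rows DESC
LIMIT  20;
```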

8. Test “base backups” configuration and recoverability.

Create standby hosts with Point In Time Recovery (PITR) mechanisms that use “base backups”: copies of the primary host’s data cluster. Always transfer base backups over the network using an encrypted transport. You can take them with the PostgreSQL CLI tool pg_basebackup; on the server, you must enable TLS. You can also make a base backup with the pgBackRest tool.
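The server-side prerequisites for a TLS-protected pg_basebackup run, as an added example that is not from the original post. The role name backup_agent, the certificate paths, the standby address and the host name in the comments are assumptions.

```sql
-- Added example, not from the original post: what the primary must have in
-- place before pg_basebackup can take a base backup over TLS. Names, paths
-- and addresses are constructed.

-- 1. WAL in a form a standby or PITR restore can replay, and TLS on the server.
ALTER SYSTEM SET wal_level       = 'replica';
ALTER SYSTEM SET max_wal_senders = 3;          -- pg_basebackup -X stream uses two
ALTER SYSTEM SET ssl             = on;
ALTER SYSTEM SET ssl_cert_file   = '/etc/postgresql/14/main/server.crt';
ALTER SYSTEM SET ssl_key_file    = '/etc/postgresql/14/main/server.key';
-- wal_level and max_wal_senders need a restart; the ssl_* settings reload.

-- 2. A dedicated role with the REPLICATION privilege only, no table access.
CREATE ROLE backup_agent WITH LOGIN REPLICATION NOSUPERUSER
    PASSWORD 'use-a-generated-secret';

-- 3. In pg_hba.conf, admit that role for the "replication" pseudo-database
-- over TLS only (hostssl) and only from the standby, then pg_reload_conf():
--   hostssl  replication  backup_agent  10.0.1.20/32  scram-sha-256

-- 4. Confirm, then run on the standby (verify-full needs the CA cert client-side):
--   pg_basebackup -d "host=db-host user=backup_agent sslmode=verify-full" \
--                 -D /var/lib/postgresql/14/main -X stream -R
SELECT name, setting
FROM   pg_settings
WHERE  name IN ('wal_level', 'max_wal_senders', 'ssl');

SELECT rolname, rolreplication, rolsuper
FROM   pg_roles
WHERE  rolname = 'backup_agent';
```

The -R flag writes standby.signal and primary_conninfo into the target directory, so the copy can be started straight away as a standby for recovery testing.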

Do you need help setting up and maintaining a database with all these controls and more?

HailBytes hardened PostgreSQL images can spin up a hardened PostgreSQL database in minutes on AWS or GCP. That includes all these controls and 56 more security measures to keep your data safe. Email us at contact@hailbytes.com or try it today — it’s free for the first 5 days.
