Many think of PostgreSQL as the most sophisticated open source database in the world.
As of July 13th, 2022, there are 135 security flaws reported to the CVE database.
This means that, without proper configuration and maintenance, PostgreSQL can be exploitable.
The popular object-relational database has better out-of-the-box security configurations than other databases. However, proper precautions are still needed to safeguard web applications and underlying data.
Here are 8 essential measures you can take to protect your PostgreSQL server.
1. Check for Important Security Updates and Patches often
This is a PCI-DSS obligation if you run a PostgreSQL based web app with credit card information.
It is also a good rule of thumb for all software systems. You can handle this by checking PostgreSQL's information security page or referencing the CIS Benchmark v1.0.0 for Postgres 14 here.
They'll post major security updates and patches there. You can also use a tool to check for available updates.
If you are on Ubuntu, "unattended-packages" can manage security updates for you.
In Windows you can use WSUS or InTune to manage and deploy update rings on your behalf.
2. Block Connections From Networks Where Database Access Is Not Required.
PostgreSQL will refuse connection requests from other servers if listen_addresses set to localhost.
This will shield the database and underpinning data structures from unauthorized access.
3. Control PostgreSQL Database Port-Level Access.
The database and management ports should be the only ports with access to the server. Lock down any extra ports that permit network access to the database.
4. Think about disabling PostgreSQL remote access.
By itself, this eliminates a large number of important attack vectors. Once more, you can change this in pg_hba.conf. Do you or your engineers still need remote access to the database? SSH to the server instead and then use a local connection. A different option is to configure SSH tunnel access to PostgreSQL. That allows client machines to access remote databases as if they were local.
5.When encrypting values that don't need decryption, use hash-based column encryption.
Hash-based encryption techniques like MD5 are one-way and you can't decrypt them. Encryption methods like AES are two-way and you can decrypt them. Only use one-way encryption for values that have you have to compare for a match, like passwords. This adds an extra layer of security if hackers compromise your table information.
Give Each Application a Specific Role.
Create a new user and assign the proper permissions. In doing so, you increase the level of security to keep users and data apart. You should do this for each new application using the PostgreSQL database.
Configure proper database query monitoring and logging.
By enabling query tracking for your database, you improve your audit trail. This makes it easier to locate offenders in the event of an error or compromise. Install the pg_stat_statements extension first. Make sure that you turn on monitoring for any and all query types (SELECT, INSERT, UPDATE, DELETE).
Test "base backups" configuration and recoverability.
Create standby hosts with Point In Time Recovery (PITR) mechanisms to use "base backups". These are copies of the primary host's data cluster. You should always transfer "base backups" over networks using an encoded transport method. You can use the PostgreSQL CLI function pg_basebackup. On the server, you must enable TLS encryption. You can also make a "base backup" by using the pgBackRest tool.
Do you need help setting up and maintaining a database with all these controls and more?
HailBytes hardened PostgreSQL images can spin up a hardened PostgreSQL database in minutes on AWS or GCP. That includes all these controls and 56 more security measures to keep your data safe. Email us at [email protected] or try it today — it's free for the first 5 days.
