\
 ![Slonik, the PostgreSQL mascot posing in the PostgreSQL logo, 2022](https://cdn.hackernoon.com/images/-n4a3q13.png)

## Many think of PostgreSQL as the most sophisticated open source database in the world.

As of July 13th, 2022, there are [135 security flaws](https://www.cvedetails.com/vulnerability-list/vendor_id-336/product_id-575/Postgresql-Postgresql.html) reported to the CVE database.

 ![Recent vulnerability findings for PostgreSQL from cvedetails.com](https://cdn.hackernoon.com/images/-0c93qrh.png)

This means that, without proper configuration and maintenance, PostgreSQL can be exploitable.

\
The popular object-relational database has better out-of-the-box security configurations than other databases. However, proper precautions are still needed to safeguard web applications and underlying data.

## Here are 8 essential measures you can take to protect your PostgreSQL server.

## 1. Check for Important Security Updates and Patches often

This is a [PCI-DSS](https://www.pcisecuritystandards.org/) obligation if you run a PostgreSQL based web app with credit card information.

It is also a good rule of thumb for all software systems. You can handle this by checking PostgreSQL's [information security page](https://www.postgresql.org/support/security/) or referencing the [CIS Benchmark v1.0.0 for Postgres 14 here](https://learn.cisecurity.org/l/799323/2021-10-27/d56fd).

They'll post major security updates and patches there. You can also use a tool to check for available updates.

If you are on Ubuntu, "unattended-packages" can manage security updates for you.

 ![WSUS running on Windows Server 2016](https://cdn.hackernoon.com/images/-vvb3qqf.png)

In Windows you can use WSUS or InTune to manage and deploy update rings on your behalf.

## 2. Block Connections From Networks Where Database Access Is Not Required.

PostgreSQL will refuse connection requests from other servers if **[listen_addresses](https://www.postgresql.org/docs/current/runtime-config-connection.html)** set to localhost.

This will shield the database and underpinning data structures from unauthorized access.

## 3. Control PostgreSQL Database Port-Level Access.

The database and management ports should be the only ports with access to the server. Lock down any extra ports that permit network access to the database.

## 4. Think about disabling PostgreSQL remote access.

By itself, this eliminates a large number of important attack vectors. Once more, you can change this in **pg_hba.conf.** Do you or your engineers still need remote access to the database? SSH to the server instead and then use a local connection. A different option is to configure SSH tunnel access to PostgreSQL. That allows client machines to access remote databases as if they were local.

\
 ![Encryption in action](https://cdn.hackernoon.com/images/WgVLUehxmxgNrCz3vWPCb1fnrPF3-nsc3qmc.jpeg)

## 5.When encrypting values that don't need decryption, use hash-based column encryption.

Hash-based encryption techniques like [MD5](https://datatracker.ietf.org/doc/html/rfc1321) are one-way and you can't decrypt them. Encryption methods like [AES](https://datatracker.ietf.org/doc/html/rfc3826) are two-way and you can decrypt them. Only use one-way encryption for values that have you have to compare for a match, like passwords. This adds an extra layer of security if hackers compromise your table information.

## Give Each Application a Specific Role.

Create a new user and assign the proper permissions. In doing so, you increase the level of security to keep users and data apart. You should do this for each new application using the PostgreSQL database.

\
 ![PGWatch visualization of PostgreSQL metrics in Grafana](https://cdn.hackernoon.com/images/-ijd3qjp.png)

## Configure proper database query monitoring and logging.

By enabling query tracking for your database, you improve your audit trail. This makes it easier to locate offenders in the event of an error or compromise. Install the **[pg_stat_statements](https://www.postgresql.org/docs/current/pgstatstatements.html)** extension first. Make sure that you turn on monitoring for any and all query types (SELECT, INSERT, UPDATE, DELETE).

## Test "base backups" configuration and recoverability.

Create standby hosts with Point In Time Recovery (PITR) mechanisms to use "base backups". These are copies of the primary host's data cluster. You should always transfer "base backups" over networks using an encoded transport method. You can use the PostgreSQL CLI function **[pg_basebackup](https://www.postgresql.org/docs/current/app-pgbasebackup.html)**. On the server, you must enable TLS encryption. You can also make a "base backup" by using the **[pgBackRest](https://pgbackrest.org/)** tool.

## Do you need help setting up and maintaining a database with all these controls and more?

 **[HailBytes](https://www.hailbytes.com)** hardened PostgreSQL images can spin up a hardened PostgreSQL database in minutes on AWS or GCP. That includes all these controls and 56 more security measures to keep your data safe. Email us at [contact@hailbytes.com](mailto:contact@hailbytes.com) or try it today — it's free for the first 5 days.

Check out our cloud infrastructure on HailBytes

Check out our profile on Amazon Web Services

Too Long; Didn't Read

Build an AI-based text classifier with Tensorflow & NoSQL

8 Crucial Tips for Hardening PostgreSQL 14.4 servers in 2022

Too Long; Didn't Read

Company Mentioned

@hailbytes

RELATED STORIES