Many think of PostgreSQL as the most sophisticated open source database in the world. As of July 13th, 2022, there are reported to the CVE database. 135 security flaws This means that, without proper configuration and maintenance, PostgreSQL can be exploitable. The popular object-relational database has better out-of-the-box security configurations than other databases. However, proper precautions are still needed to safeguard web applications and underlying data. Here are 8 essential measures you can take to protect your PostgreSQL server. 1. Check for Important Security Updates and Patches often This is a obligation if you run a PostgreSQL based web app with credit card information. PCI-DSS It is also a good rule of thumb for all software systems. You can handle this by checking PostgreSQL's or referencing the . information security page CIS Benchmark v1.0.0 for Postgres 14 here They'll post major security updates and patches there. You can also use a tool to check for available updates. If you are on Ubuntu, "unattended-packages" can manage security updates for you. In Windows you can use WSUS or InTune to manage and deploy update rings on your behalf. 2. Block Connections From Networks Where Database Access Is Not Required. PostgreSQL will refuse connection requests from other servers if set to localhost. listen_addresses This will shield the database and underpinning data structures from unauthorized access. 3. Control PostgreSQL Database Port-Level Access. The database and management ports should be the only ports with access to the server. Lock down any extra ports that permit network access to the database. 4. Think about disabling PostgreSQL remote access. By itself, this eliminates a large number of important attack vectors. Once more, you can change this in Do you or your engineers still need remote access to the database? SSH to the server instead and then use a local connection. A different option is to configure SSH tunnel access to PostgreSQL. That allows client machines to access remote databases as if they were local. pg_hba.conf. 5.When encrypting values that don't need decryption, use hash-based column encryption. Hash-based encryption techniques like are one-way and you can't decrypt them. Encryption methods like are two-way and you can decrypt them. Only use one-way encryption for values that have you have to compare for a match, like passwords. This adds an extra layer of security if hackers compromise your table information. MD5 AES Give Each Application a Specific Role. Create a new user and assign the proper permissions. In doing so, you increase the level of security to keep users and data apart. You should do this for each new application using the PostgreSQL database. Configure proper database query monitoring and logging. By enabling query tracking for your database, you improve your audit trail. This makes it easier to locate offenders in the event of an error or compromise. Install the extension first. Make sure that you turn on monitoring for any and all query types (SELECT, INSERT, UPDATE, DELETE). pg_stat_statements Test "base backups" configuration and recoverability. Create standby hosts with Point In Time Recovery (PITR) mechanisms to use "base backups". These are copies of the primary host's data cluster. You should always transfer "base backups" over networks using an encoded transport method. You can use the PostgreSQL CLI function . On the server, you must enable TLS encryption. You can also make a "base backup" by using the tool. pg_basebackup pgBackRest Do you need help setting up and maintaining a database with all these controls and more? hardened PostgreSQL images can spin up a hardened PostgreSQL database in minutes on AWS or GCP. That includes all these controls and 56 more security measures to keep your data safe. Email us at or try it today — it's free for the first 5 days. HailBytes contact@hailbytes.com

Check out our cloud infrastructure on HailBytes

Check out our profile on Amazon Web Services

Too Long; Didn't Read

Questions about cloud security? Get answers here.

8 Crucial Tips for Hardening PostgreSQL 14.4 servers in 2022

Too Long; Didn't Read

Company Mentioned

HailBytes

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

8 Crucial Tips for Hardening PostgreSQL 14.4 servers in 2022

Too Long; Didn't Read

Company Mentioned

HailBytes

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES