650 CHAPTER 29 SECURING POSTGRESQL
Patch the operating system and any installed software: Software security alerts seem to be issued on a weekly basis these days, and although they are annoying, it is absolutely necessary that you take the steps to make sure that your system is fully patched. With exploit instructions and tools readily available on the Internet, a malicious user with even a little experience in such matters will have little trouble taking advantage of an unpatched server. Don't take solace in the fact that you are running a Unix-based environment; every operating system has had at least one security patch released, and pretending otherwise could leave you vulnerable. The bottom line is that you should develop an official patching strategy and stick with it, regardless of your chosen operating system.

Disable all unused system services: Always take care to eliminate all unnecessary potential server attack routes before you place the PostgreSQL server on the network. These attack vectors are almost exclusively the result of insecure system services, often ones running on the system unbeknownst to the system administrator. The rule of thumb these days is that if you're not going to use the service, turn it off.

Tighten the database server firewall: Although shutting off unused system services is a great way to lessen the probability of a successful attack, it doesn't hurt to add a second layer of security by closing all unused ports. For a dedicated database server, it is common to close all ports except for 22 (SSH), 5432 (PostgreSQL), and perhaps some utility ports like 123 (NTP). In short, if you don't intend for traffic to travel on a given port, close it off altogether. In addition to making such adjustments on a dedicated firewall appliance or router, also consider taking advantage of the operating system's firewall. Both Microsoft Windows Server 2000/2003 and Unix-based systems have built-in firewalls at your disposal.
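The port policy just described, as an added example that is not code from the book: a POSIX shell script that generates, and only on explicit request applies, an iptables-restore ruleset for a dedicated PostgreSQL host. The assumptions are mine, not the chapter's: iptables is the host firewall, APP_NET is the application-server subnet allowed to reach 5432, ADMIN_NET is the subnet SSH logins come from, and both addresses are constructed sample values. It goes one step beyond the text by admitting 22 and 5432 only from those source subnets instead of from any address.

```shell
#!/bin/sh
# Added example, not from the book: iptables-restore ruleset for a dedicated
# PostgreSQL host that admits only the ports the chapter names (22 SSH,
# 5432 PostgreSQL, 123 NTP) and drops everything else inbound.
# Assumptions not on the page: iptables is the host firewall; the two subnets
# below are constructed sample values.
APP_NET="${APP_NET:-10.0.1.0/24}"       # application servers allowed to reach 5432
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"   # hosts allowed to open SSH sessions
NTP_SERVER="${NTP_SERVER:-0}"           # 1 only if this host answers NTP for others

# Print the ruleset. INPUT defaults to DROP. Replies to this host's own outbound
# traffic (including its NTP client queries) are matched by the ESTABLISHED
# rule, so an inbound udp/123 rule is needed only when the host serves NTP.
pg_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s $APP_NET --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ "$NTP_SERVER" = "1" ]; then
        echo "-A INPUT -p udp --dport 123 -j ACCEPT"
    fi
    echo "COMMIT"
}

# Self-check: list the destination ports the ruleset accepts, one per line, so
# the result can be diffed against the intended list before anything is loaded.
pg_firewall_open_ports() {
    pg_firewall_rules | sed -n 's/.*--dport \([0-9]*\) .*-j ACCEPT.*/\1/p'
}

# Load atomically. iptables-restore replaces the whole table in one step, so a
# typo cannot leave the host half-configured the way a series of iptables -A
# calls can.
pg_firewall_apply() {
    pg_firewall_rules | iptables-restore
}

# Without arguments the script only prints the ruleset for review.
if [ "${1:-}" = "--apply" ]; then
    pg_firewall_apply
else
    pg_firewall_rules
fi
```

Run it with no arguments to review the generated rules and with --apply (as root) to load them. The ruleset covers IPv4 only; a host with a global IPv6 address needs an ip6tables ruleset of the same shape, and pg_hba.conf should still restrict which clients may authenticate even when the firewall already limits who can reach port 5432.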
Audit the database server's user accounts: Particularly if a pre-existing server has been reassigned to host the organization's database, make sure that all nonprivileged users are disabled or, better, deleted. Although PostgreSQL's users and the operating system users are completely unrelated, the mere fact that they have access to the server environment raises the possibility that damage could be done, inadvertently or otherwise, to the database server and its contents. The simplest way to ensure that nothing is overlooked during such an audit is to reformat all of the attached drives and reinstall the operating system.

Set the PostgreSQL superuser password: By default, many installation packages leave the password of the database superuser account (postgres) blank. Although many would question this practice, this has long been the standard procedure, and will likely be for some time. Given that fact, you must take care to add a password immediately. You can do so with the ALTER USER command, like so:

    $] psql -U postgres template1
    Welcome to psql 8.0.3, the PostgreSQL interactive terminal.

    Type:  \copyright for distribution terms
           \h for help with SQL commands
           \? for help on internal slash commands
           \g or terminate with semicolon to execute query
           \q to quit
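Setting the superuser password and auditing the accounts from the shell, as an added example that is not the book's code and also serves the account-audit item above. The assumptions are mine, not the chapter's: psql is on PATH and can already connect as postgres (for instance through the trust or peer authentication many packages configure at install time), the connection goes to template1 as in the book, and a 12-character minimum is the local password policy. The password is read from stdin and the statement is piped into psql, so it never appears in the process list or in .psql_history; the audit query uses pg_shadow, which exists in 8.0 and is still a view in current releases, to list every login account without a password and every superuser.

```shell
#!/bin/sh
# Added example, not code from the book: set the postgres superuser password
# and audit accounts, keeping the password out of argv and shell history.
# Assumptions (not from the page): psql is on PATH and can already connect as
# postgres; MIN_LEN is an assumed local policy, not a PostgreSQL rule.
PSQL="${PSQL:-psql}"
PGDB="${PGDB:-template1}"
MIN_LEN=12

# Escape a value for a single-quoted SQL literal by doubling single quotes, so
# a quote inside the password cannot terminate the statement early.
sql_literal() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Build the ALTER USER statement. ENCRYPTED makes 8.x store a hash instead of
# clear text; from PostgreSQL 10 on every password is hashed and the keyword
# is accepted as a no-op.
set_password_sql() {
    printf "ALTER USER postgres WITH ENCRYPTED PASSWORD '%s';\n" "$(sql_literal "$1")"
}

# Reject obviously weak input before anything is sent to the server.
password_ok() {
    [ "${#1}" -ge "$MIN_LEN" ] && [ "$1" != "postgres" ]
}

# Audit query: login accounts still lacking a password, plus every superuser.
# pg_shadow.passwd is readable only by superusers, which is the role running
# this audit.
audit_sql() {
    cat <<'EOF'
SELECT usename,
       usesuper,
       (passwd IS NULL) AS no_password
FROM   pg_shadow
WHERE  passwd IS NULL OR usesuper
ORDER  BY usename;
EOF
}

# Read the password from stdin (a prompt when interactive, otherwise whatever
# is piped in, e.g. from a secrets manager), send the statement through psql's
# stdin so it appears neither in `ps` nor in .psql_history, then run the audit.
# Returns non-zero on a weak password or on any psql error.
set_superuser_password() {
    if [ -t 0 ]; then
        printf 'New password for postgres: ' >&2
        stty -echo; read -r pw; stty echo; printf '\n' >&2
    else
        read -r pw
    fi
    if ! password_ok "$pw"; then
        echo "refusing: password shorter than $MIN_LEN characters or trivial" >&2
        return 1
    fi
    { set_password_sql "$pw"; audit_sql; } |
        "$PSQL" -U postgres -d "$PGDB" -q -v ON_ERROR_STOP=1
}

# Only touch the server when invoked with --set; sourcing the file just
# defines the functions.
if [ "${1:-}" = "--set" ]; then
    set_superuser_password
fi
```

Saved as, say, set_pg_password.sh, it is run with `sh set_pg_password.sh --set`. Two caveats worth knowing: if the server runs with log_statement set to all, the literal from ALTER USER lands in the server log, whereas psql's \password command (available from 8.2) hashes on the client and sends only the hash; and with standard_conforming_strings off, the 8.x default, a backslash inside a quoted literal is an escape character, so avoid backslashes in the password there or use \password instead.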