blog
How to Close the Vulnerability Gap in PostgreSQL
No matter what kind of technology or security system you have in place, there is always a risk of being hacked as there is no 100% secured system. As data is probably the most important asset in a company, you must secure your system as much as possible to minimize this risk.
This blog will mention some important checks to perform in your PostgreSQL environment to close the vulnerability gap and avoid some of the most common security issues.
Securing Communications
If you are using different Cloud Providers, a combination of Cloud Provider and On-Prem, or even just an On-Prem environment, the communication in all your systems must be encrypted, and you must restrict the traffic only from known sources to reduce the risk of unauthorized access to your network.
The usage of VPN, SSH, or Firewall Rules, or even a combination of them, are good solutions for this point.
Controlling Database Access
You need to restrict both physical and remote access.
-
Physical access (on-prem): Restrict unauthorized physical access to the database server.
-
Remote access: Limit the remote access to only the necessary people, and from the least amount of source possibles. Using a VPN to access it is definitely useful here, but there are also other options like SSH Tunneling. You should find the best solution for your company.
Managing Database User Accounts
There are many ways to improve security for your user accounts in PostgreSQL.
-
Remove inactive users. For this, you should define a period of time to consider a user as inactive, and you can schedule it to remove them automatically.
-
Grant only the necessary privileges when you create a new user account.
-
Restrict the source for each user connection using the pg_hba.conf configuration file.
-
Define a secure password policy (or enable a plugin for this, e.g. passwordcheck).
Secure Installations and Configurations
There are some changes to do to secure your PostgreSQL installation.
-
Install only the necessary packages and services on the server.
-
Change the default admin user password and restrict the usage from only the localhost.
-
Change the default port and specify the interface to listen in.
-
Enable password security policy plugin.
-
Configure SSL certificates to encrypt data-in-transit.
-
Encrypt data-at-rest.
-
Configure the local firewall to allow access to the database port only from the local network.
In case you are using a managed PostgreSQL database, some of the points mentioned above won’t be necessary.
Auditing and Logging
Logging statements can help you to detect security issues or avoid them if you catch them up in time.
You can use the standard logging PostgreSQL facility using the log_statement parameter, but you can also use an extension like pgAudit to have a more detailed session and object audit logging.
Implement a WAF (Web Application Firewall)
SQL Injections or DoS attacks (Denial of Service) are the most common attacks to a database, and the most secure way to avoid them is by using a WAF to catch this kind of SQL queries or a SQL Proxy to analyze the traffic.
Check CVE (Common Vulnerabilities and Exposures) Frequently
Every day, new vulnerabilities are detected for your database server. You should check it frequently to know if you need to apply a patch or change something in your configuration. One way to know it is by reviewing the CVE website, where you can find a list of vulnerabilities with a description, and you can look for your database version and vendor, to confirm if there is something critical to fix ASAP.
To be more specific, you can check the PostgreSQL section to try to find issues for your database version.
Keep Your OS and Database Up-to-Date
There are several fixes and improvements that the database vendor or the operating system release in order to fix or avoid vulnerabilities. It is important to keep your system as up-to-date as possible by applying patches and security upgrades.
Monitoring
To know the status of your systems, you will need to have a good monitoring system in place. This could be useful to find security issues or even to avoid them.
For this, ClusterControl is a good option as it is a management and monitoring system that helps you to deploy, manage, monitor, and scale your databases from a friendly interface. It has support for the top open-source database technologies and you can automate many of the database tasks you have to perform regularly like adding and scaling new nodes, running backups and restores, and more.
ClusterControl allows you to monitor your servers in real-time with a predefined set of dashboards to analyze some of the most common metrics.
It allows you to customize the graphs available in the cluster, and you can enable the agent-based monitoring to generate more detailed dashboards.
You can also create alerts, which inform you of events in your cluster, or integrate with different services such as PagerDuty or Slack.
In the query monitor section, you can find the top queries, the running queries, query outliers, and the query statistics to monitor your database traffic.
With these features, you can see how your PostgreSQL database is going.
Conclusion
The points mentioned above will help you to close the vulnerability gap in your PostgreSQL database, but as we mentioned, there is always a risk of being hacked.
Also, you should have a good monitoring system like ClusterControl, and run periodically some security scan tools looking for vulnerabilities like Nessus to minimize the security risks even more.