Blog
How to Secure Your PostgreSQL Database - 10 Tips

How to Secure Your PostgreSQL Database - 10 Tips

Abstract shapeAbstract shape
Join 27,000+ cybersecurity newsletter subscribers

PostgreSQL may be the world’s most advanced open source database, but its 82 documented security vulnerabilities per the CVE database also make it highly exploitable. Granted, the popular object-relational database is considered superior to others when it comes to out-of-the-box security, but proper measures are still required to protect web applications and underlying data. The following are 10 common ways to secure your PostgreSQL implementation from cyber attackers.

1. Do not use Trust security.

When using Trust security, PostgreSQL assumes that anyone connected to the server is authorized to access the database with the database username specified (i.e., the DB trusts that they are who they say they are). To lock this down, edit your pg_hba.conf to use a non-trust authentication method like MD5. Additionally, remote login access on template1 and PostgreSQL default databases should be revoked.

2. Use hash-based column encryption for values that don't need to be decrypted.

Encryption methods such as AES are two-way—they can be decrypted—while hash-based encryption methods such as MD5 are one-way. For values that only need to be check for a match such as passwords, use one-way encryption for an added layer of security in the event that table data is compromised.

3. Use physical separation to isolate datasets that need to be kept apart.

By using pg_hba and RBAC to control access to physically disparate databases, you ensure that data in two tables cannot be accessed/viewed simultaneously. Of course, this will break SQL joins, so only use in appropriate scenarios that require physical access separation during the life of a login session.

4. Lock down port-level access to the PostgreSQL database.

A limited set of ports should have network access to the database: the database port itself and any necessary management ports. All other ports that allow network access to the database should be locked down.

5. Use pg_hba.conf to specify which hosts can use SSL-encrypted and unencrypted connections.

This can be accomplished by adding and removing the appropriate entries in the pg_hba.conf file. Generally-speaking, all clients should be forced to connect with SSL by adding the necessary hostssl entries. If using this model, all host entries should be removed (aside from localhost).

6. Prevent connections from networks that don’t require database access. 

Setting listen_addresses to localhost will force the OS to reject connection attempts from other servers before they reach PostgreSQL. This will prevent unauthorized access to the database and underlying data structures.

7. Set appropriate monitoring and logging for database queries.

By turning on tracking for queries executed against your database, you enhance the audit trail for identifying culprits in the event of a mishap or compromise. This can be accomplished by installing the pg_stat_statements extension, which effectively turns on monitoring for all query types (SELECT, INSERT, UPDATE, DELETE).

8. Consider disabling remote access to PostgreSQL.

This action alone eliminates a host of substantial attack vectors. Again, this can be set in the pg_hba.conf. If remote access to the database is required, SSH to server housing the database and use a local connection thereafter. Alternatively, you can set up tunnel access to PostgreSQL through SSH, effectively giving client machines access to remote databases as if they were local.

9. Assign a distinct role for each application.

By doing this, you add an extra layer of security for separating users from data. Generate a new user and assign appropriate permissions for each new application utilizing the PostgreSQL database. 

10. Stay on top of critical security updates and patches.

This is not only a rule of thumb for all software systems in general, but a PCI-DSS requirement if your PostgreSQL-based web application or ecommerce store is storing sensitive credit card information. Checking PostgreSQL's security information page regularly and frequently for critical security updates and patches can effectively satisfy this requirement.

Need to implement these security checks and more with a couple mouse clicks? UpGuard's platform for continuous security monitoring can automatically scan your PostgreSQL database for vulnerabilities with its policy-based integrity validation engine. Try it today—it's free for up to 10 nodes.

Sources

https://www.cvedetails.com/vulnerability-list/vendor_id-336/product_id-575/Postgresql-Postgresql.html

https://www.postgresql.org/docs/8.3/auth-pg-hba-conf.html

https://momjian.us/main/writings/pgsql/securing.pdf

https://web.archive.org/web/20160310040616/http://www.upfrontsystems.co.za/Members/izak/sysadman/postgresqls-confusing-authentication-configuration

https://www.postgresql.org/docs/9.1/auth-methods.html

https://web.archive.org/web/20151129095859/http://www.openscg.com/wp-content/uploads/2013/04/SecurityHardeningPostgreSQL.pdf

Free eBook

The Guide to Managing Configuration Drift

Learn about how to manage configuration drift with this in-depth eBook.
UpGuard logo in white
The Guide to Managing Configuration Drift
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Abstract shapeAbstract shape

Related posts

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Abstract shapeAbstract shape
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    13 risk factors, including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape