securing postgresql on fbsd

From: David Bear (David.Bear_at_asu.edu)
Date: 08/19/04

    Date: Thu, 19 Aug 2004 11:37:39 -0700
    To: freebsd-questions@freebsd.org
    
    

    This is not strictly a freebsd question, but this group is the
    smartest around... so

    I've installed postgresql on freebsd 4.10-rel. I want to secure ALL
    connections to postgres through ssh. So I first configured postgresql
    to connect ONLY to 127.0.0.1 port 5432. Then, when attempting to ssh
    to tunnel to it from another machine I got an error:
    ---------------
    Aug 19 10:31:12 dbsrv1 sshd[157]: Accepted publickey for iddwb from 129.219.69.200 port 33068 ssh2
    Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to 129.219.69.206 port 5432: Connection refused
    Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to dbsrv1.pp.asu.edu port 5432: failed.
    ----------------
    So it looks like I wasn't building the tunnel correctly. From the
    remote host connecting to the freebsd postgresql server I was using:

    ssh -L 5001:dbsrv1:5432 iddwb@dbsrv1

    But it looks like that is forbidden to connect to 'localhost' on the
    remote machine, i.e. on dbsrv1.

    I was able to get postgresql to bind to all adapters, and connect to
    it using the above tunnel. But then I have an open port on dbsrv1
    that anyone can connect to... i.e. I can straight telnet dbsrv1 5432 and
    reach it unencrypted. It binds to a public interface, and I don't want
    that.

    I know postgresql has an ssl option, but I was hoping to just use ssh
    tunneling.

    Hoping this makes sense; I'm wondering what other freebsd users have
    done to secure postgresql, or how to make the ssh tunnel go 'all the way
    through to the remote "localhost"'.

    -- 
    David Bear
    phone: 	480-965-8257
    fax: 	480-965-9189
    College of Public Programs/ASU
    Wilson Hall 232
    Tempe, AZ 85287-0803
     "Beware the IP portfolio, everyone will be suspect of trespassing"
    ----- End forwarded message -----

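An added illustration of the behaviour behind the log above; this is editor-supplied example code, not part of David's post or anything from the FreeBSD list. With `ssh -L localport:host:hostport`, the `host:hostport` destination is connected to by sshd on the server (dbsrv1), not by the client. So `-L 5001:dbsrv1:5432` asks sshd to connect to whatever the name dbsrv1 resolves to on that machine, which is the public address, while postgres is listening only on 127.0.0.1; that mismatch is the `connect_to ... Connection refused` in the log. The script below reproduces the effect with a constructed loopback-only TCP listener standing in for postgres, tries to reach it the way sshd's `connect_to` would via loopback and via a non-loopback interface, and builds a forward spec whose destination stays at 127.0.0.1 so the listener can keep its loopback-only binding. The function names `start_loopback_listener`, `can_connect`, `non_loopback_address`, `forward_spec` and `reachability_report` are my own choices.

```python
import socket

# Constructed stand-in for the scenario in the post: a TCP service bound to
# the loopback address only, as postgres was configured (127.0.0.1:5432).
LOOPBACK = "127.0.0.1"


def start_loopback_listener(port=0):
    """Bind a throwaway TCP listener to 127.0.0.1 only; return (socket, port).

    port=0 lets the kernel pick a free port, so the example never collides
    with a real postgres on 5432.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((LOOPBACK, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def can_connect(host, port, timeout=1.0):
    """Attempt a TCP connect, the same thing sshd's connect_to does for -L.

    Returns True on a completed handshake, False on refusal or timeout.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def non_loopback_address():
    """Return an IPv4 address of a non-loopback interface on this host, or None.

    This plays the role of the name dbsrv1 resolving to the public address
    129.219.69.206 in the log. A UDP connect() only selects a route; no
    packet is sent.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.connect(("192.0.2.1", 9))  # RFC 5737 documentation address
        addr = probe.getsockname()[0]
    except OSError:
        return None  # no route at all, e.g. an isolated sandbox
    finally:
        probe.close()
    return None if addr.startswith("127.") else addr


def forward_spec(local_port, remote_port, dest_host=LOOPBACK):
    """Build the -L argument for ssh(1).

    The destination host is resolved on the server side, so the default keeps
    it at the loopback address the service is bound to, instead of a hostname
    that resolves to a public interface.
    """
    return "-L %d:%s:%d" % (local_port, dest_host, remote_port)


def reachability_report():
    """Run the experiment: which destinations reach a loopback-only listener?"""
    srv, port = start_loopback_listener()
    try:
        report = {
            "via_loopback": can_connect(LOOPBACK, port),
            "public_address": non_loopback_address(),
        }
        # A listener bound to 127.0.0.1 is not reachable through any other
        # interface address, which is exactly what the refused connect shows.
        report["via_public"] = (
            can_connect(report["public_address"], port)
            if report["public_address"] else None
        )
        return report
    finally:
        srv.close()


if __name__ == "__main__":
    print(reachability_report())
    print("tunnel:", forward_spec(5001, 5432))
```

Run as a script it prints the report and `-L 5001:127.0.0.1:5432`; the `via_public` entry is `None` on a host that has only a loopback interface. The point for the defender is that the loopback-only binding is the control that keeps port 5432 off the public interface, and the tunnel is made to fit it by naming 127.0.0.1 as the forward destination rather than loosening the binding.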