The purpose of this post is to show how to secure Postgres against unauthorized access by following these steps:
1. Check the OS firewall
On Debian-based Linux distributions, check that ufw is installed, enabled and denies incoming connections to port 5432:
$ sudo ufw enable
$ sudo ufw status
> Status: active
$ sudo ufw deny 5432/tcp
$ sudo ufw status
> 5432/tcp DENY Anywhere
> 5432/tcp (v6) DENY Anywhere (v6)
As an alternative to ufw or other OS firewall front-ends, you can also use iptables rules directly to achieve the same result:
# List the current iptables rules
$ iptables -S
# Block incoming connections to port 5432
$ iptables -A INPUT -p tcp --destination-port 5432 -j DROP
# Check that the rule was added
$ iptables -S | grep 5432
> -A INPUT -p tcp -m tcp --dport 5432 -j DROP
2. Check the port is not published to the host machine
Display the running Postgres container:
$ docker ps | grep [POSTGRES_CONTAINER_NAME]
Check that the PORTS column does not show the Postgres port published on all host interfaces, e.g. 0.0.0.0:5432->5432/tcp. If it does, recreate the container without publishing the port at all. This check matters even with step 1 in place: Docker inserts its own iptables rules for published ports, so a published port stays reachable even when ufw or an INPUT rule denies it.
3. Check pg_hba.conf configuration
Postgres accessed internally
If Postgres has to be accessed by other containers on the same network (or in the same cluster), create an internal Postgres user with a password and add the following line at the end of the pg_hba.conf file (the column order is TYPE, DATABASE, USER, ADDRESS, METHOD):
# TYPE  DATABASE  USER             ADDRESS  METHOD
host    all       [INTERNAL_USER]  samenet  md5
Postgres accessed externally
If Postgres has to be accessed externally, restrict which external IP address is allowed to reach it and create an external user with a password. Then add the following line at the end of the pg_hba.conf file, giving the address in CIDR notation (a single host is [EXTERNAL_IP]/32):
# TYPE  DATABASE  USER             ADDRESS            METHOD
host    all       [EXTERNAL_USER]  [EXTERNAL_IP]/32   md5
In both cases, make sure there is no line such as
host all all all trust
or
host all all 0.0.0.0/0 trust
which opens Postgres to everybody without a password. Keep in mind that pg_hba.conf is evaluated from top to bottom and the first matching line wins, so a permissive line placed above your entries takes precedence over them, and edits only take effect after the configuration is reloaded (for example with pg_ctl reload or SELECT pg_reload_conf()).
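The two file-based checks above (the published-port check in step 2 and the pg_hba.conf check in step 3) can be scripted. The following audit helpers are an added example, not part of the original post; they assume the standard pg_hba.conf column layout and the default docker ps PORTS format, and run on constructed sample files so they work offline.

```shell
#!/bin/sh
# Added audit helpers for the checks in this post (not part of the original post).
# Assumed layout: pg_hba.conf uses the columns TYPE DATABASE USER ADDRESS METHOD,
# and the PORTS column of `docker ps` looks like 0.0.0.0:5432->5432/tcp.

# Return 1 (printing the offending lines) if pg_hba.conf grants 'trust' to every
# client address. pg_hba.conf is first-match-wins, so such a line anywhere in the
# file makes later, stricter entries unreachable for those clients.
pg_hba_audit() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 == "local" { next }                 # Unix-socket entries have no ADDRESS column
        {
            addr = $4; method = $5
            if ($5 ~ /^[0-9.]+$/) method = $6  # "ADDRESS NETMASK METHOD" form
            if (method == "trust" && (addr == "all" || addr == "0.0.0.0/0" || addr == "::/0"))
                { print "line " NR ": " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Return 1 if any container in a saved `docker ps` listing publishes 5432 on all
# host interfaces (0.0.0.0 for IPv4, :: for IPv6); matching lines are printed.
docker_port_audit() {
    ! grep -E '(0\.0\.0\.0|::):5432->' "$1"
}

# Constructed sample inputs (not real configuration) so the script runs offline.
HBA_BAD=$(mktemp); HBA_OK=$(mktemp); PS_BAD=$(mktemp)
cat > "$HBA_BAD" <<'EOF'
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   peer
host    all       all       0.0.0.0/0        trust
host    all       app_user  samenet          md5
EOF
cat > "$HBA_OK" <<'EOF'
local   all       postgres                   peer
host    all       app_user  samenet          md5
host    all       ext_user  203.0.113.10/32  md5
EOF
printf '%s\n' 'abc123  postgres:16  0.0.0.0:5432->5432/tcp, :::5432->5432/tcp  db' > "$PS_BAD"

for f in "$HBA_BAD" "$HBA_OK"; do
    if pg_hba_audit "$f"; then echo "$f: OK"; else echo "$f: wide-open trust entry found"; fi
done
if docker_port_audit "$PS_BAD"; then echo "ports OK"; else echo "5432 is published to the host"; fi
```

Run it against a real file with pg_hba_audit /path/to/pg_hba.conf and docker_port_audit on the saved output of docker ps; a non-zero exit means one of the checks in this post failed.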