PostgresSQL

How to Secure Your PostgreSQL Database – 5 Tips

Photo by Caspar Camille Rubin on Unsplash

PostgreSQL may be the world’s most advanced open source database, but its 82 documented security vulnerabilities per the CVE database also make it highly exploitable. The popular object-relational database is considered superior to others regarding out-of-the-box security. However, proper measures are still required to protect web applications and underlying data. The following are 5 common ways to secure your PostgreSQL implementation from cyber attacks.

1. Do Not Use Trust Security.

When using Trust security, PostgreSQL assumes that anyone connected to the server is authorized to access the database with the database username specified (i.e., the DB trusts that they are who they say they are). To lock this down, edit your pg_hba.conf to use a non-trust authentication method like MD5. Additionally, template1 and PostgreSQL default databases should be revoked remote login access.

2. Use Hash-Based Column encryption for values that don’t need to be decrypted

Encryption methods such as AES are two-way—they can be decrypted—while hash-based encryption methods such as MD5 are one-way. For values that only need to be checked for a match, such as passwords, use one-way encryption for an added layer of security if table data is compromised.

3. Use Physical Separation to Isolate Datasets that Need to be Kept Apart

Using pg_hba and RBAC to control access to physically disparate databases ensures that data in two tables cannot be accessed/viewed simultaneously. Of course, this will break SQL joins, so only use in appropriate scenarios that require physical access separation during the life of a login session.

4. Consider Disabling Remote Access to PostgreSQL

This action alone eliminates a host of substantial attack vectors. Again, this can be set in the pg_hba.conf. If remote access to the database is required, SSH to the server housing the database and use a local connection afterward. Alternatively, you can set up tunnel access to PostgreSQL through SSH, effectively giving client machines access to remote databases as if they were local.9. Assign a Distinct Role for Each Application.

5. Use pg_hba.conf to Specify Which Hosts Can Use SSL-Encrypted and Unencrypted Connections

This can be accomplished by adding and removing the appropriate entries in the pg_hba.conf file. Generally speaking, all clients should be forced to connect with SSL by adding the necessary hostel entries. Using this model, all host entries should be removed (aside from localhost).

July 29, 2024 by Application Security 0

How to Improve MySQL Security: Top 5 Ways
Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash

MySQL RDBMS is esteemed among open-source technologies, a prevalent choice for integrating popular software packages such as WordPress and server stacks like LAMP. As the foundational data platform for numerous websites and cloud services, it is imperative to fortify MySQL security to safeguard your valuable data effectively. To that end, here are 5 essential techniques to bolster your MySQL security posture:

5 Ways to Improve MySQL Security

1. Eliminate the Test Database

The default installation of the MySQL Server package includes a test database accessible to all users. This database represents a prime target for potential attackers. As part of the post-installation hardening process, it is crucial to remove the test database completely.

2. Eradicate Anonymous Accounts

Upon installation, MySQL creates anonymous user accounts that serve no practical purpose. However, these accounts pose a potential vulnerability, offering attackers an entry point into the database. Thus, it is vital to eliminate these anonymous accounts from the system.

3. Alter Default Port Mappings

By default, MySQL operates on port 3306. To enhance security, it is advisable to modify this default port setting. Doing so helps obscure critical services on specific ports, as attackers commonly exploit default configurations. Altering the default port mappings strengthens your defense against such attempts.

4. Disable Remote Logins

If the MySQL database is solely utilized by local applications, it is prudent to disable remote access to the server. This can be achieved by editing the /etc/my.cnf file and adding a “skip-networking” entry under the [mysqld] section. By configuring MySQL to cease listening on all TCP/IP ports, including 127.0.0.1, you confine database access solely to local MySQL socket-based communications.

5. Avoid Running MySQL with Root Level Privileges

MySQL should not be operated directly under the root user account to reinforce security measures. Instead, running MySQL under a dedicated user account specifically created for this purpose is recommended. You benefit from improved auditing and logging capabilities by employing a distinct user account with the appropriate permissions to run the service. Moreover, this practice prevents attackers from gaining unauthorized access by exploiting the root user account.

Implementing these five measures will significantly enhance the security of your MySQL database, reducing the risk of potential breaches and protecting your data with heightened efficiency.

April 28, 2023 by Application Security 0

Recent Comments

No comments to show.