securing postgresql on fbsd

David Bear David.Bear at asu.edu
Thu Aug 19 15:53:14 PDT 2004


On Thu, Aug 19, 2004 at 01:10:41PM -0600, Sheets, Jason (Manpower Contract) wrote:
> It looks like you configured the tunnel to point to the public host
> (dbsrv1) and configured PostgreSQL to only listen on the loopback
> 127.0.0.1.
> 
> Try tunneling to 127.0.0.1:5432 instead of dbsrv1
> 
> Something like
> 
> ssh -L 5001:127.0.0.1:5432 iddwb@dbsrv1

many thanks... this worked the way I wanted.

> 
> Jason
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of David Bear
> Sent: Thursday, August 19, 2004 12:38 PM
> To: freebsd-questions at freebsd.org
> Subject: securing postgresql on fbsd
> 
> 
> This is not strictly a freebsd question, but this group is the
> smartest around... so
> 
> I've installed postgresql on freebsd 4.10-rel.  I want to secure ALL
> connections to postgres through ssh. So I first configured postgresql
> to connect ONLY to 127.0.0.1 port 5432.  Then, when attempting to ssh
> to tunnel to it from another machine I got an error:
> ---------------
> Aug 19 10:31:12 dbsrv1 sshd[157]: Accepted publickey for iddwb from 129.219.69.200 port 33068 ssh2
> Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to 129.219.69.206 port 5432: Connection refused
> Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to dbsrv1.pp.asu.edu port 5432: failed.
> ----------------
> So it looks like I wasn't building the tunnel correctly. From the
> remote host connecting to the freebsd postgresql server I was using:
> 
> ssh -L 5001:dbsrv1:5432 iddwb@dbsrv1
> 
> But it looks like that is forbidden to connect to 'localhost' on the
> remote machine, ie on dbsrv1.
> 
> I was able to get postgresql to bind to all adapters, and connect to
> it using the above tunnel.  But then I have an open port on dbsrv1
> that anyone can connect to... ie I can straight telnet dbsrv1 5432 and
> reach it unencrypted. It binds to a public interface, and I don't want
> that.
> 
> I know postgresql has an ssl option, but I was hoping to just use ssh
> tunneling.
> 
> hoping this makes sense, I'm wondering what other freebsd users have
> done to secure postgresql? or how to make ssh tunnel 'all the way
> through to the remote "localhost"'..
> 
> -- 
> David Bear
> phone: 	480-965-8257
> fax: 	480-965-9189
> College of Public Programs/ASU
> Wilson Hall 232
> Tempe, AZ 85287-0803
>  "Beware the IP portfolio, everyone will be suspect of trespassing"
> 
> 
> ----- End forwarded message -----
> 

-- 
David Bear
phone: 	480-965-8257
fax: 	480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
 "Beware the IP portfolio, everyone will be suspect of trespassing"
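
Added example, not part of the original messages: a shell sketch of the two checks this thread turns on, namely that the destination in an `ssh -L` spec is dialed by sshd on the server (so it must name the loopback address PostgreSQL listens on), and that port 5432 is not listening on a public interface. The function names are hypothetical, and the sample socket lines are constructed in the layout of FreeBSD `netstat -an` output.

```shell
#!/bin/sh
# Added example; function names and sample lines are constructed, not from the thread.

# Print "host port" for the destination half of an ssh -L spec
# ([bind_address:]port:host:hostport). sshd on the server opens this
# connection, so the host is interpreted from the server's point of view.
forward_dest() {
    rest=${1%:*}
    case $rest in
        *\]) host=${rest##*\[}; host=${host%\]} ;;  # bracketed IPv6 literal
        *)   host=${rest##*:} ;;
    esac
    printf '%s %s\n' "$host" "${1##*:}"
}

is_loopback() {
    case $1 in
        localhost|::1) return 0 ;;  # assumes localhost maps to loopback on the server
        *[!0-9.]*)     return 1 ;;  # host name or other IPv6 literal
        127.*.*.*)     return 0 ;;
    esac
    return 1
}

# Succeeds only when the forward targets a loopback address.
check_forward() {
    dest=$(forward_dest "$1")
    is_loopback "${dest% *}"
}

# Read netstat -an style lines on stdin; print each non-loopback local
# address that is in LISTEN state on the given port.
exposed_listeners() {
    awk -v port="$1" '$NF == "LISTEN" {
        n = split($4, p, "[.]")
        if (p[n] != port) next
        addr = substr($4, 1, length($4) - length(p[n]) - 1)
        if (addr !~ /^127[.]/ && addr != "::1") print addr
    }'
}

# Constructed samples: loopback-only bind versus bind to all interfaces.
sample_loopback_only()  { echo 'tcp4  0  0  127.0.0.1.5432  *.*  LISTEN'; }
sample_all_interfaces() { echo 'tcp4  0  0  *.5432          *.*  LISTEN'; }

check_forward 5001:dbsrv1:5432    || echo "dbsrv1: sshd dials the public address"
check_forward 5001:127.0.0.1:5432 && echo "127.0.0.1: reaches the loopback listener"
sample_all_interfaces | exposed_listeners 5432   # prints *
```

On the database host, feed `exposed_listeners 5432` the real output of `netstat -an`; empty output means the port is reachable only through the tunnel.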

