Date: Thu, 19 Aug 2004 11:37:39 -0700 From: David Bear <David.Bear@asu.edu> To: freebsd-questions@freebsd.org Subject: securing postgresql on fbsd Message-ID: <20040819183739.GD23172@asu.edu>
next in thread | raw e-mail | index | archive | help
This is not strictly a freebsd question, but this group is the smartest around... so I've installed postgresql on freebsd 4.10-rel. I want to secure ALL connections to postgres through ssh. So I first configured postgresql to connect ONLY to 127.0.0.1 port 5432. Then, when attempting to ssh to tunnel to it from another machine I got an error: --------------- Aug 19 10:31:12 dbsrv1 sshd[157]: Accepted publickey for iddwb from +129.219.69.200 port 33068 ssh2 Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to 129.219.69.206 port 5432: +Connection refused Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to dbsrv1.pp.asu.edu port 5432: +failed. ---------------- So it looks like I wasn't building the tunnel correctly. From the remote host connecting to the freebsd postgresql server I was using: ssh -L 5001:dbsrv1:5432 iddwb@dbsrv1 But it looks like that is forbidden to connect to 'localhost' on the remote machine, ie on dbsrv1. I was able to get postgresql to bind to all adapters, and connect to it using the above tunnel. But then I have an open port on dbsrv1 that anyone can connect to... ie I can straight telnet dbsrv1 5432 and reach it unencrypted. It binds to a public interface, and I don't want that. I know postgresql has an ssl option, but I was hoping to just use ssh tunneling. hoping this make sense, I'm wondering what other freebsd users have done to secure postgresql? or how to make ssh tunnel 'all the way through to the remote "localhost"'.. -- David Bear phone: 480-965-8257 fax: 480-965-9189 College of Public Programs/ASU Wilson Hall 232 Tempe, AZ 85287-0803 "Beware the IP portfolio, everyone will be suspect of trespassing" ----- End forwarded message ----- -- David Bear phone: 480-965-8257 fax: 480-965-9189 College of Public Programs/ASU Wilson Hall 232 Tempe, AZ 85287-0803 "Beware the IP portfolio, everyone will be suspect of trespassing"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040819183739.GD23172>