From owner-freebsd-questions@FreeBSD.ORG Thu Aug 19 22:53:14 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DCDB116A4CE for ; Thu, 19 Aug 2004 22:53:13 +0000 (GMT)
Received: from post5.inre.asu.edu (post5.inre.asu.edu [129.219.110.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id BA11F43D2F for ; Thu, 19 Aug 2004 22:53:13 +0000 (GMT) (envelope-from David.Bear@asu.edu)
Received: from conversion.post5.inre.asu.edu by asu.edu (PMDF V6.1-1X6 #30769) id <0I2P00J01U7F6I@asu.edu> for freebsd-questions@freebsd.org; Thu, 19 Aug 2004 15:52:27 -0700 (MST)
Received: from smtp.asu.edu (smtp.asu.edu [129.219.110.107]) <0I2P00GOVU7FRV@asu.edu>; Thu, 19 Aug 2004 15:52:27 -0700 (MST)
Received: from moroni.pp.asu.edu (moroni.pp.asu.edu [129.219.69.200]) (8.12.10/8.12.10/asu_smtp_relay,nullclient,tcp_wrapped) with ESMTP id i7JMqP71028947; Thu, 19 Aug 2004 15:52:25 -0700 (MST)
Received: by moroni.pp.asu.edu (Postfix, from userid 500) id 77434D3F; Thu, 19 Aug 2004 15:52:26 -0700 (MST)
Date: Thu, 19 Aug 2004 15:52:26 -0700
From: David Bear
In-reply-to: <2D8BB15C7B5C214F81C32D3A83B32736E6B95B@idbexc01.americas.cpqcorp.net>
To: "Sheets, Jason (Manpower Contract)"
Message-id: <20040819225226.GE23172@asu.edu>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.4.1i
References: <2D8BB15C7B5C214F81C32D3A83B32736E6B95B@idbexc01.americas.cpqcorp.net>
cc: David.Bear@asu.edu
cc: freebsd-questions@freebsd.org
Subject: Re: securing postgresql on fbsd
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: David.Bear@asu.edu
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 19 Aug 2004 22:53:14 -0000

On Thu, Aug 19, 2004 at 01:10:41PM -0600, Sheets, Jason (Manpower Contract) wrote:
> It looks like you configured the tunnel to point to the public host
> (dbsrv1) and configured PostgreSQL to only listen on the loopback
> 127.0.0.1.
>
> Try tunneling to 127.0.0.1:5432 instead of dbsrv1
>
> Something like
>
> ssh -L 5001:127.0.0.1:5432 iddwb@dbsrv1

many thanks... this worked the way I wanted.

> Jason
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of David Bear
> Sent: Thursday, August 19, 2004 12:38 PM
> To: freebsd-questions@freebsd.org
> Subject: securing postgresql on fbsd
>
>
> This is not strictly a freebsd question, but this group is the
> smartest around... so
>
> I've installed postgresql on freebsd 4.10-rel. I want to secure ALL
> connections to postgres through ssh. So I first configured postgresql
> to connect ONLY to 127.0.0.1 port 5432. Then, when attempting to ssh
> to tunnel to it from another machine I got an error:
> ---------------
> Aug 19 10:31:12 dbsrv1 sshd[157]: Accepted publickey for iddwb from
> +129.219.69.200 port 33068 ssh2
> Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to 129.219.69.206
> port 5432:
> +Connection refused
> Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to dbsrv1.pp.asu.edu
> port 5432:
> +failed.
> ----------------
> So it looks like I wasn't building the tunnel correctly. From the
> remote host connecting to the freebsd postgresql server I was using:
>
> ssh -L 5001:dbsrv1:5432 iddwb@dbsrv1
>
> But it looks like that is forbidden to connect to 'localhost' on the
> remote machine, i.e. on dbsrv1.
>
> I was able to get postgresql to bind to all adapters, and connect to
> it using the above tunnel. But then I have an open port on dbsrv1
> that anyone can connect to... i.e. I can straight telnet dbsrv1 5432 and
> reach it unencrypted. It binds to a public interface, and I don't want
> that.
>
> I know postgresql has an ssl option, but I was hoping to just use ssh
> tunneling.
>
> Hoping this makes sense. I'm wondering what other freebsd users have
> done to secure postgresql? Or how to make ssh tunnel 'all the way
> through to the remote "localhost"'..
>
> --
> David Bear
> phone: 480-965-8257
> fax: 480-965-9189
> College of Public Programs/ASU
> Wilson Hall 232
> Tempe, AZ 85287-0803
> "Beware the IP portfolio, everyone will be suspect of trespassing"
>
>
> ----- End forwarded message -----
>
> --
> David Bear
> phone: 480-965-8257
> fax: 480-965-9189
> College of Public Programs/ASU
> Wilson Hall 232
> Tempe, AZ 85287-0803
> "Beware the IP portfolio, everyone will be suspect of trespassing"
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

--
David Bear
phone: 480-965-8257
fax: 480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
"Beware the IP portfolio, everyone will be suspect of trespassing"
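The point of the thread is that the third field of `-L local:host:port` is resolved by the ssh server, not the client, so a daemon bound to 127.0.0.1 on the server is reachable only if that field is 127.0.0.1 rather than the public hostname. The script below is an added example written for this page, not code from either poster: it checks, from sockstat-style listener output, that PostgreSQL is bound only to loopback (the state the original message wanted), and builds the matching `-L` spec. The two listener listings are constructed samples in the shape of FreeBSD's `sockstat -4l` output, and the user, host and port names are the ones used in the thread.

```shell
#!/bin/sh
# Constructed samples of `sockstat -4l` output on the database host (assumed format, not captured).
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
LOOPBACK_ONLY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
pgsql    postgres   512   3  tcp4   127.0.0.1:5432        *:*
root     sshd       157   4  tcp4   *:22                  *:*'

# Same host with postgres bound to all adapters, the state the poster wanted to avoid.
ALL_ADAPTERS='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
pgsql    postgres   512   3  tcp4   *:5432                *:*
root     sshd       157   4  tcp4   *:22                  *:*'

# listeners_on_port SOCKSTAT_TEXT PORT: print the LOCAL ADDRESS of every tcp4 listener on PORT.
listeners_on_port() {
    printf '%s\n' "$1" | awk -v p="$2" '$5 == "tcp4" && $6 ~ (":" p "$") { print $6 }'
}

# only_loopback SOCKSTAT_TEXT PORT: succeed only if every listener on PORT is bound to 127.0.0.1.
# `*:PORT` or a public address counts as exposed, since anyone can reach it in the clear.
only_loopback() {
    n=$(listeners_on_port "$1" "$2" | grep -vc '^127\.0\.0\.1:' || true)
    [ "$n" -eq 0 ]
}

# tunnel_spec LOCALPORT REMOTEPORT: the -L argument whose middle field is the SERVER's loopback,
# which is what makes sshd connect to a daemon that listens on 127.0.0.1 only.
tunnel_spec() {
    printf '%s:127.0.0.1:%s\n' "$1" "$2"
}

# ssh_tunnel_cmd LOCALPORT REMOTEPORT USER HOST: full command line; -N forwards without a shell.
ssh_tunnel_cmd() {
    printf 'ssh -N -L %s %s@%s\n' "$(tunnel_spec "$1" "$2")" "$3" "$4"
}

if only_loopback "$LOOPBACK_ONLY" 5432; then
    echo "postgres listens on loopback only; tunnel with: $(ssh_tunnel_cmd 5001 5432 iddwb dbsrv1)"
fi
only_loopback "$ALL_ADAPTERS" 5432 || echo "WARNING: postgres is bound to a non-loopback address"
```

On a real host, replace the constructed strings with `"$(sockstat -4l)"`; with the loopback-only binding in place, a client then connects to `127.0.0.1:5001` locally and the traffic rides the ssh session to the server's own 127.0.0.1:5432, which is exactly the `-L 5001:127.0.0.1:5432` form that resolved the thread.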