Date: Thu, 19 Aug 2004 15:52:26 -0700
From: David Bear <David.Bear@asu.edu>
To: "Sheets, Jason (Manpower Contract)" <jason.sheets@hp.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: securing postgresql on fbsd
Message-ID: <20040819225226.GE23172@asu.edu>
In-Reply-To: <2D8BB15C7B5C214F81C32D3A83B32736E6B95B@idbexc01.americas.cpqcorp.net>
References: <2D8BB15C7B5C214F81C32D3A83B32736E6B95B@idbexc01.americas.cpqcorp.net>
On Thu, Aug 19, 2004 at 01:10:41PM -0600, Sheets, Jason (Manpower Contract) wrote:
> It looks like you configured the tunnel to point to the public host
> (dbsrv1) and configured PostgreSQL to only listen on the loopback
> 127.0.0.1.
>
> Try tunneling to 127.0.0.1:5432 instead of dbsrv1
>
> Something like
>
> ssh -L 5001:127.0.0.1:5432 iddwb@dbsrv1

Many thanks... this worked the way I wanted.

> Jason
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of David Bear
> Sent: Thursday, August 19, 2004 12:38 PM
> To: freebsd-questions@freebsd.org
> Subject: securing postgresql on fbsd
>
> This is not strictly a FreeBSD question, but this group is the
> smartest around... so
>
> I've installed PostgreSQL on FreeBSD 4.10-RELEASE. I want to secure ALL
> connections to PostgreSQL through ssh. So I first configured PostgreSQL
> to connect ONLY to 127.0.0.1 port 5432. Then, when attempting to use ssh
> to tunnel to it from another machine, I got an error:
>
> ---------------
> Aug 19 10:31:12 dbsrv1 sshd[157]: Accepted publickey for iddwb from 129.219.69.200 port 33068 ssh2
> Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to 129.219.69.206 port 5432: Connection refused
> Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to dbsrv1.pp.asu.edu port 5432: failed.
> ----------------
>
> So it looks like I wasn't building the tunnel correctly. From the
> remote host connecting to the FreeBSD PostgreSQL server I was using:
>
> ssh -L 5001:dbsrv1:5432 iddwb@dbsrv1
>
> But it looks like that is forbidden to connect to 'localhost' on the
> remote machine, i.e. on dbsrv1.
>
> I was able to get PostgreSQL to bind to all adapters, and connect to
> it using the above tunnel. But then I have an open port on dbsrv1
> that anyone can connect to... i.e. I can straight telnet dbsrv1 5432 and
> reach it unencrypted. It binds to a public interface, and I don't want
> that.
>
> I know PostgreSQL has an SSL option, but I was hoping to just use ssh
> tunneling.
>
> Hoping this makes sense. I'm wondering what other FreeBSD users have
> done to secure PostgreSQL? Or how to make the ssh tunnel go 'all the way
> through to the remote "localhost"'..
>
> --
> David Bear
> phone: 480-965-8257
> fax: 480-965-9189
> College of Public Programs/ASU
> Wilson Hall 232
> Tempe, AZ 85287-0803
> "Beware the IP portfolio, everyone will be suspect of trespassing"
>
> ----- End forwarded message -----

--
David Bear
phone: 480-965-8257
fax: 480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
"Beware the IP portfolio, everyone will be suspect of trespassing"
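The fix Jason gives works because the middle field of `ssh -L local:host:port` is resolved by sshd on the server, not by the client: `dbsrv1` resolves to the public address, where a loopback-only PostgreSQL is not listening, while `127.0.0.1` is the server's own loopback. The script below is an added example, not code from this thread or from the PostgreSQL or OpenSSH projects. It builds the tunnel and client commands from the names used in the thread (user `iddwb`, host `dbsrv1`, local port 5001) and adds the check a practitioner would want before trusting the setup: parsing `sockstat -4 -l` output on the server to confirm that every TCP listener on 5432 is bound to loopback. The two `sockstat` listings are constructed by hand, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: user "iddwb", host
# "dbsrv1" and local port 5001 come from the thread; the sockstat listings
# below are constructed by hand, not captured from a real server.

# The middle field of -L is resolved by sshd on the remote host, so it must be
# that host's own loopback address. A public name there makes sshd connect to
# the public interface, where a loopback-only PostgreSQL is not listening
# ("connect_to ... port 5432: Connection refused"). -N: no remote command.
tunnel_cmd() {
    local_port=$1; remote_user=$2; remote_host=$3
    printf 'ssh -N -L %s:127.0.0.1:5432 %s@%s\n' "$local_port" "$remote_user" "$remote_host"
}

# The client talks to the local end of the tunnel. -h is required: without it
# psql on Unix uses the local Unix-domain socket rather than TCP.
client_cmd() {
    local_port=$1; db_user=$2; db_name=$3
    printf 'psql -h 127.0.0.1 -p %s -U %s %s\n' "$local_port" "$db_user" "$db_name"
}

# Read `sockstat -4 -l` output (FreeBSD) on stdin. Succeed only if at least
# one TCP listener on the given port exists and every one is bound to 127.x.
# Columns: USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS".
loopback_only() {
    awk -v port="$1" '
        $5 ~ /^tcp/ && $6 ~ (":" port "$") {
            seen++
            if ($6 !~ /^127\./) bad++
        }
        END { exit (seen > 0 && bad == 0) ? 0 : 1 }'
}

# Constructed sample: PostgreSQL bound to loopback only (the desired state).
GOOD_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
pgsql    postgres   1234  3  tcp4   127.0.0.1:5432        *:*
root     sshd       157   4  tcp4   *:22                  *:*'

# Constructed sample: PostgreSQL bound to all interfaces, the state the poster
# wanted to avoid (reachable with a plain telnet to port 5432 from anywhere).
BAD_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
pgsql    postgres   1234  3  tcp4   *:5432                *:*
root     sshd       157   4  tcp4   *:22                  *:*'

tunnel_cmd 5001 iddwb dbsrv1
client_cmd 5001 iddwb mydb
printf '%s\n' "$GOOD_SOCKSTAT" | loopback_only 5432 && echo "good: 5432 is loopback only"
printf '%s\n' "$BAD_SOCKSTAT"  | loopback_only 5432 || echo "bad: 5432 is exposed on a public interface"
```

On a live server, pipe the real listing in with `sockstat -4 -l | loopback_only 5432`, and repeat the poster's own check from an outside host (`telnet dbsrv1 5432` should be refused). In PostgreSQL 8.0 and later the server-side setting is `listen_addresses = 'localhost'` in `postgresql.conf`, with a `pg_hba.conf` entry for `127.0.0.1/32` only; the 7.x series the poster was running used a different parameter name. Note that by default `ssh -L` binds the local end to the client's loopback as well, so the forwarded port is not exposed on the client machine either.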