On 06/09/2018 03:27 AM, Andrew Gierth wrote:
>>>>>> "Thomas" == Thomas Kellerer <spam_eater@gmx.net> writes:
> Thomas> And a blog post going into details on how that specific attack works.
>
> Thomas> https://www.imperva.com/blog/2018/03/deep-dive-database-attacks-scarlett-johanssons-picture-used-for-crypto-mining-on-postgre-database/
>
> *headdesk*
>
> *headdesk*
>
> *headdesk*
>
> FOR THE LOVE OF LITTLE APPLES, why, in an article as comprehensive as
> this, did they not list in the "quick tips" at the end, the quickest and
> most absolutely basic and essential tip of all, which is "don't open up
> your database for superuser access from the whole world" ???
>
> To become vulnerable to this attack, you have to do ALL of these:
>
> - give your db a public IP
> - allow access (or forget to prevent access) to it through any
> firewall
> - configure pg to listen on the public IP
> - explicitly add an entry to pg_hba.conf that allows access from
> 0.0.0.0/0 for all users or at least the postgres user
> - AND have a guessable password on the postgres user or explicitly
> use "trust" on the above hba entry
>
> *headdesk*
>
Against stupidity the Gods themselves contend in vain.
cheers
andrew
--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
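The checklist in the quoted message is, in practice, an audit of listen_addresses and pg_hba.conf. The script below is an added example (not code from the thread or from PostgreSQL) that parses a constructed pg_hba.conf and flags exactly the combination described: an entry reachable from 0.0.0.0/0 or ::/0 that either uses "trust" or covers the superuser (by name or via "all"), so that only the password stands between the world and a superuser session. The listens_publicly helper and the sample file contents are assumptions for the demo.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the thread); the 0.0.0.0/0 and
# ::/0 lines are the pattern the checklist warns about.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS       METHOD
local   all       all                     peer
host    all       all       127.0.0.1/32  scram-sha-256
host    all       all       0.0.0.0/0     trust
host    all       postgres  0.0.0.0/0     md5
host    all       app       10.0.0.0/8    scram-sha-256
hostssl all       all       ::/0          scram-sha-256
"""

def listens_publicly(listen_addresses):
    """True if postgresql.conf's listen_addresses binds every interface."""
    addrs = [a.strip() for a in listen_addresses.split(",")]
    return any(a in ("*", "0.0.0.0", "::") for a in addrs)

def parse_hba(text):
    """(type, database, user, address, method) for host-type lines only."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) < 5 or fields[0] == "local":  # local has no ADDRESS
            continue
        rows.append(tuple(fields[:5]))
    return rows

def is_world_open(address):
    """True if the ADDRESS field admits every IPv4 or IPv6 host."""
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:            # 'all', 'samenet', hostnames, ...
        return address == "all"

def audit_hba(text, superuser="postgres"):
    """Flag world-reachable entries that use trust or expose the superuser."""
    findings = []
    for _typ, _db, user, addr, method in parse_hba(text):
        if not is_world_open(addr):
            continue
        if method == "trust":
            findings.append((user, addr, method, "no authentication at all"))
        elif user in ("all", superuser):
            findings.append((user, addr, method, "superuser guarded only by its password"))
    return findings
```

Running audit_hba(SAMPLE_HBA) reports the trust line, the postgres/md5 line and the ::/0 line, while the loopback and 10.0.0.0/8 entries pass.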