[Techtalk] adsl and dyndns issues with changing IP addresses

Wim De Smet kromagg at gmail.com
Mon Nov 15 21:53:10 UTC 2010


Hi Anne,

Sorry for the slow reply.

I'm pretty sure postgresql has SSL support and so you are probably
connecting over an SSL channel to the database already, which is good.
The only security problem here is of course that you now have 2 points
of entry into the system, one of which is a database server that
usually isn't as well secured as a ssh server (I'm thinking strength
of user passwords etc.).

It's true that if people get into it, that's all your data exposed to
the world. But then that's usually true for ssh as well. It's just the
factor of an extra entrypoint and an extra headache of having to
patrol DB as well as OS user security.

cheers,
Wim

On Sat, Nov 13, 2010 at 1:17 PM, Anne Wainwright
<anotheranne at fables.co.za> wrote:
> Hello, Wim,
>
> nice to hear from you again and thanks for the pointer.
>
> I am using kexi (part of koffice) as the front end to the database.
> this will connect from any client to the server, given the address,
> user name, password, from within our network or across the net as I
> have got it to do.
>
> Now that the euphoric moment of achieving that has passed I suppose, as
> Monique implies, that this is a high risk.
>
> If I connect using pgadmin then it indicates that its connection is SSL
> encrypted. Not sure if that is the same as ssl tunnelling that I read
> in man ssh, don't think so. I'll investigate this.
>
> In the longer term, it has been in the pipeline for a long time,
> I must get my nascent perl/catalyst app up to scratch so that we can
> access the database through the browser on port 80 which would present
> less opportunity for a security breach.
>
> In the meantime I'll investigate and check all current security to
> make sure it works as I think it works.
>
> bestest
> Anne
>
>
> On Sat, 13 Nov 2010 10:22:18 +0100
> Wim De Smet <kromagg at gmail.com> wrote:
>
>> Hey,
>>
>> I didn't entirely grok your setup, but how about just letting postgres
>> listen on localhost and just using a ssh tunnel if you need direct
>> access?
>>
>> Wim
>>
>> On 12 Nov 2010 20:33, "Anne Wainwright" <anotheranne at fables.co.za>
>> wrote:
>>
>> Hello, every one.
>>
>> I actually have this under control, from one end at least. Using
>> the dyndns service and with ddclient on the office server I get easy
>> ssh connections to there from home through the adsl connection.
>>
>> The situation deteriorates when I want to connect to the postgresql
>> database. In fact I can reliably achieve this, but at the home end the
>> adsl allocated WAN IP address also changes when I log in afresh. This
>> means that I then have to ssh to the remote site and edit the
>> pg_hba.conf file so that this presents the new IP address as a host
>> address for postgresql. Then I restart postgres to reread the .conf
>> file, and then I get my evening connection afresh.
>>
>> I didn't want to have such a wide mask that half the world could hack
>> in, which is the only thing I can think of at present, so am wondering
>> what the correct procedure should be. Is there any easy way around
>> this?
>>
>> I can't be the first person to stumble on this issue, so all schemes
>> considered with thanks.
>>
>> bestest
>> Anne
>
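
A check for the exposure discussed in this thread, as an added example that is not part of the original messages: it lists every pg_hba.conf rule that accepts TCP connections from a non-loopback address, and how many addresses each rule admits. With postgres listening on localhost behind an ssh tunnel, as suggested above, the list should be empty. The sample file, the database and user names, and the addresses are constructed.

```python
import ipaddress

# Constructed sample pg_hba.conf; names and addresses are illustrative only.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
host    all       all   127.0.0.1/32     md5
host    all       all   ::1/128          md5
host    shopdb    anne  203.0.113.57/32  md5
host    shopdb    anne  198.51.100.0 255.255.255.0 md5
hostssl shopdb    anne  0.0.0.0/0        md5
"""

# Record types that accept TCP connections ("local" is unix-socket only).
NETWORK_TYPES = {"host", "hostssl", "hostnossl"}


def audit_pg_hba(text):
    """Return (line_no, network, addresses_admitted) per non-loopback rule.

    addresses_admitted is None when the address column is a hostname or a
    keyword such as "all", which cannot be sized from the file alone.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in NETWORK_TYPES:
            continue  # comments, blank lines and "local" rules
        address = fields[3]
        try:
            if "/" in address:
                net = ipaddress.ip_network(address, strict=False)
            else:
                # "IP netmask" form: the mask is the next column
                net = ipaddress.ip_network(f"{address}/{fields[4]}", strict=False)
        except ValueError:
            findings.append((line_no, address, None))
            continue
        if net.is_loopback:
            continue  # reachable only from the server itself, e.g. via the tunnel
        findings.append((line_no, str(net), net.num_addresses))
    return findings


if __name__ == "__main__":
    for line_no, network, count in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {line_no}: {network} admits {count} address(es)")
```
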

