[Techtalk] adsl and dyndns issues with changing IP addresses

Anne Wainwright anotheranne at fables.co.za
Sun Nov 21 21:21:20 UTC 2010


Hello, Monique & Wim

Thanks for further suggestions and comment.

I have beefed up the passwords all around, both for machine user
accounts (and thus for any administrative ssh connection), and for
database users as well (thus for connection through the open port). I
have verified that the database client connection is indeed running ssh
protocol and that the database implements md5 password encryption.

From "Practical PostgreSQL":
"When PostgreSQL receives a connection request it will check the
pg_hba.conf file to verify that the machine from which the application
is requesting a connection has rights to connect to the specified
database. If the machine requesting access has permission to connect,
PostgreSQL will check the conditions that the application must meet in
order to successfully authenticate."

Thus unless someone is able to imitate the IP address of my machine,
& match the user password, then they can't connect. Hopefully.

This brings me back to the issue of my machine having a dynamically
allocated IP address from my ISP which changes from the one given in
the pg_hba.conf file mentioned above. I take this to be insoluble and
will temporarily live with it.

Monique says:
> For a full-up professional setup where you have clients using the
> system, I'd want the database to be inaccessible from outside, and a
> user would have to log onto a system, then from there onto the DB.

& Wim says:
> but how about just letting postgres
> listen on localhost and just using a ssh tunnel if you need direct
> access?

which sounds like the same thing, i.e. get my client to connect across an
existing ssh connection running to a user account rather than connect
through an open port. Sounds like this should be possible but not sure.

Maybe I'll get my web access up these coming holidays ...

Meanwhile, as they say, 'watch this space'.

Thanks for all the thought and input given. I'll post any significant
finds or changes.

bestest
Anne



On Mon, 15 Nov 2010 15:40:46 -0700
"Monique Y. Mudama" <monique at bounceswoosh.org> wrote:

> On Fri, Nov 12 at 23:12, Anne Wainwright penned:
> > Hello, Monique,
> > 
> > ooops...
> > 
> > well, you have to have a user account on the server, there is the
> > question of the postgresql username and md5 encrypted password. it
> > is an ssh connection. the port is redirected via the nat whatever it
> > is in the router to that server.
> > 
> > Should I shut it down quick? I am not too (at all) hot on security
> > across the net since this is first time that I have ever done this.
> > 
> > Seriously, what would you suggest as my next step to improve
> > security?
> 
> Sorry for the delay ... I guess it depends on how paranoid you are and
> what resources you have at your disposal.  I like to minimize the
> number of avenues an attacker can exploit, so I try to keep as few
> ports as possible exposed.  But I am by far not a security expert.
> 
> For a full-up professional setup where you have clients using the
> system, I'd want the database to be inaccessible from outside, and a
> user would have to log onto a system, then from there onto the DB.
> 
> I haven't looked into the ssh aspect of the login you're describing;
> maybe that addresses most of the security concerns.  
> 


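Wim's localhost-plus-ssh-tunnel suggestion, worked through as an added example (not code from anyone in the thread): the server-side PostgreSQL settings, the client-side ssh command, and a check that the database is no longer listening on an outside interface. The hostname, shell account and local port are placeholders, and the `ss -ltn` output is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames, accounts and the local
# port are placeholders; the `ss` output below is constructed sample data.

PG_PORT=5432
LOCAL_PORT=6543                 # local end of the tunnel, any free port
SSH_HOST="dbserver.example"     # placeholder for the server's DynDNS name
SSH_USER="dbadmin"              # placeholder shell account on the server

# Server side: settings that take PostgreSQL off the public interface.
# Tunnelled connections arrive from the server's own 127.0.0.1, so the
# pg_hba.conf rule no longer has to track the client's changing ISP address.
pg_server_config() {
    cat <<'EOF'
# postgresql.conf
listen_addresses = 'localhost'
# pg_hba.conf
# TYPE  DATABASE  USER  ADDRESS        METHOD
host    all       all   127.0.0.1/32   md5
EOF
}

# Client side: forward LOCAL_PORT here to the server's loopback PG_PORT
# over the existing ssh login (-N: tunnel only, no remote shell). The
# database client then connects to localhost:LOCAL_PORT as usual.
ssh_tunnel_cmd() {
    echo "ssh -N -L ${LOCAL_PORT}:localhost:${PG_PORT} ${SSH_USER}@${SSH_HOST}"
}

# Check: read `ss -ltn` output on stdin and print every socket on the
# given port that is bound to something other than loopback, i.e. still
# reachable from the network (and through the router's port forward).
exposed_listeners() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, a, ":"); p = a[n]
        host = substr($4, 1, length($4) - length(p) - 1)
        if (p == port && host != "127.0.0.1" && host != "[::1]") print $4
    }'
}

# Constructed sample: sshd plus PostgreSQL before and after the change.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:5432        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$PG_PORT"   # 0.0.0.0:5432
```

Once the check prints nothing for port 5432, the router's port forward for PostgreSQL can be removed and only the ssh port stays open.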