

Securing your vFabric PostgreSQL VM

Especially in today’s world, security is top of mind for app developers, DBAs, and CIOs alike. One of the benefits that VMware strives to include in every product is a set of reasonable security defaults. This generally means that users can expect a reasonably secure middleware application out of the box when they deploy a VMware app.

vFabric Postgres (vPostgres) is no different. There are not that many security settings in vFabric Postgres. However, there are a few options you can look at to further harden your deployment, and of course the virtual machine you deploy it on, particularly if it is exposed to an external environment.

SSH Connection Restrictions

vFabric Postgres has postgres and root as default users, and both can connect to the virtual machine over SSH. If you want to restrict SSH access to the virtual machine to certain users or a group of users, here is some advice to follow:

1. In order to restrict SSH connections to members of the group vfabric (the user postgres is a member of this group by default), add this line to /etc/ssh/sshd_config.

AllowGroups vfabric

2. If you want to be stricter and restrict SSH access to the user postgres only, add this line to /etc/ssh/sshd_config.

AllowUsers postgres

Now, only the user postgres is able to connect with SSH.

You can of course do far more, such as limiting the number of connections or blocking IP addresses. See the sshd_config man page for more information and edit sshd_config accordingly.
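As an added example (not part of the original post), the following Python model applies sshd's evaluation order for its access lists (DenyUsers, AllowUsers, DenyGroups, AllowGroups) to the two directives above. The group memberships are constructed, "alice" is a hypothetical extra member of vfabric, and host-qualified patterns (user@host) are not handled; it shows that once AllowUsers postgres is present, other vfabric members are denied even though AllowGroups vfabric is still in the file.

```python
import fnmatch

# Constructed sshd_config fragment containing both lines the post adds
# (assumption: they are present at once; user@host patterns are not modelled).
SSHD_CONFIG = """
AllowGroups vfabric
AllowUsers postgres
"""

# Constructed group memberships (assumption: "alice" is a hypothetical
# additional member of the vfabric group, not an account on the appliance).
GROUPS = {"postgres": {"vfabric", "users"}, "root": {"root"}, "alice": {"vfabric"}}


def parse_access_lists(config):
    """Collect sshd's four access-control directives (glob-style patterns)."""
    lists = {"DenyUsers": [], "AllowUsers": [], "DenyGroups": [], "AllowGroups": []}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        key, patterns = fields[0], fields[1:]
        if key in lists:
            lists[key].extend(patterns)
    return lists


def _matches(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def ssh_login_allowed(user, groups, lists):
    """Apply sshd's order: DenyUsers, AllowUsers, DenyGroups, then AllowGroups."""
    if _matches(user, lists["DenyUsers"]):
        return False
    if lists["AllowUsers"] and not _matches(user, lists["AllowUsers"]):
        return False
    if any(_matches(g, lists["DenyGroups"]) for g in groups):
        return False
    if lists["AllowGroups"] and not any(_matches(g, lists["AllowGroups"]) for g in groups):
        return False
    return True


def evaluate(config=SSHD_CONFIG, memberships=GROUPS):
    """Map each account to whether sshd would let it log in under this config."""
    lists = parse_access_lists(config)
    return {u: ssh_login_allowed(u, gs, lists) for u, gs in memberships.items()}
```

Calling evaluate() with only "AllowGroups vfabric" lets every vfabric member in; with both directives, only postgres remains.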

Database Instance Security

Database connection security can be controlled directly with pg_hba.conf, which is located in folder /var/vmware/vpostgres/current/pgdata/. You can refer to the official documentation of PostgreSQL 9.2 for a detailed explanation of connection restriction settings in vFabric Postgres. However, there are a couple of recommended settings you should use inside your virtual database appliance.

By default, after initialization only the database superuser postgres exists. We recommend managing your database appliance with several layers of database users so that you have good control of who can do what. If you don’t, things can get ugly: imagine that you have no such layers and the user of a given application, which only performs SELECTs, has superuser rights. In that case your application lacks a real security boundary, because an SQL injection through that application would run with superuser rights and could manipulate the complete database instance. Fortunately, vFabric Postgres provides the tools needed to create secured layers of users.

If you look at the default security level used in vFabric Postgres, you will find the following line:

host    all          all            0.0.0.0/0       md5

This means that any user who can authenticate with an md5 password is able to connect to any database of the appliance from any IP address.

However, you can be *more* restrictive. Let’s add the following lines in pg_hba.conf.

host    all             postgres        0.0.0.0/0       md5
host    foo             all             0.0.0.0/0       md5

The first line means that only the user postgres is able to connect to all databases, with md5 authentication and without any restriction on origin IPs. The second line means that any user can connect to the database foo (useful if you want a database people can play with freely). Note that pg_hba.conf records are checked in order and the first matching record decides, so these lines only take effect if the default "host all all" record is removed or placed below them. To load settings modified in pg_hba.conf, remember to restart the database server with a command similar to this one in the VM (pg_hba.conf is also re-read on a pg_ctl reload):

/opt/vmware/vpostgres/current/bin/pg_ctl restart -D /var/vmware/vpostgres/current/pgdata/

You can also reboot the machine entirely.

To extend this example, let’s create the database foo with a new user userfoo who is able to login to the database.

psql -h 192.168.11.3 -U postgres postgres
psql.bin (9.2.2)
Type "help" for help.
postgres=# create database foo;
CREATE DATABASE
postgres=# CREATE USER userfoo LOGIN;
CREATE ROLE

Now, let’s test the connections for the new user.

$ psql -h 192.168.11.3 -U userfoo postgres
psql: FATAL:  no pg_hba.conf entry for host "192.168.11.3", user "userfoo", database "postgres", SSL off

As expected, userfoo cannot connect to the database postgres.

But it can connect to the database foo.

$ psql -h 192.168.11.3 -U userfoo foo
Password for user userfoo:
psql (9.3devel, server 9.2.2)
Type "help" for help.
foo=> create table ab (a int);
CREATE TABLE
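As an added example (not part of the original post), the following Python model of pg_hba.conf matching reproduces the outcomes above and shows why the default catch-all record must be removed rather than left above the new lines: PostgreSQL stops at the first matching record. Only plain host records with a CIDR address are modelled (hostssl/hostnossl, sameuser/samerole and +group entries are out of scope), and the configurations are constructed from the lines quoted in the post.

```python
import ipaddress

# Constructed pg_hba.conf contents. DEFAULT_HBA is the appliance default quoted
# in the post; RESTRICTED_HBA is the post's two lines with the default record
# removed (assumption: the "no pg_hba.conf entry" result requires that removal).
DEFAULT_HBA = "host    all          all            0.0.0.0/0       md5\n"
RESTRICTED_HBA = """
host    all             postgres        0.0.0.0/0       md5
host    foo             all             0.0.0.0/0       md5
"""
# Keeping the default record above the new ones leaves it matching everything.
SHADOWED_HBA = DEFAULT_HBA + RESTRICTED_HBA


def parse_hba(text):
    """Parse 'host' records into (databases, users, network, method) tuples.
    Only plain host records with a CIDR address are modelled here."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != "host" or len(fields) != 5:
            raise ValueError(f"unsupported record: {line!r}")
        _, dbs, users, cidr, method = fields
        records.append((dbs.split(","), users.split(","),
                        ipaddress.ip_network(cidr, strict=False), method))
    return records


def _field_matches(value, allowed):
    # "all" is the pg_hba.conf keyword matching any database or user name.
    return "all" in allowed or value in allowed


def hba_lookup(text, user, database, client_ip):
    """Return the auth method of the first matching record, or None when nothing
    matches (the server then reports FATAL: no pg_hba.conf entry ...)."""
    ip = ipaddress.ip_address(client_ip)
    for dbs, users, net, method in parse_hba(text):
        if _field_matches(database, dbs) and _field_matches(user, users) and ip in net:
            return method
    return None


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_HBA), ("restricted", RESTRICTED_HBA), ("shadowed", SHADOWED_HBA)):
        for user, db in (("postgres", "postgres"), ("userfoo", "postgres"), ("userfoo", "foo")):
            print(f"{label:>10}: {user}@{db} -> {hba_lookup(cfg, user, db, '192.168.11.3')}")
```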

Be sure to check the pg_roles system catalog; it lists the current roles in your database appliance.

You can get finer-grained control over permissions by using GRANT and REVOKE to allow or restrict specific SQL operations for some users. It’s good practice to ensure applications have really well-designed user controls.

Lastly, remember that once your settings are in place, you can take a dump of the database with pg_dump, so you do not need to do all of this again. Backups are your friends!

About the Author: Michael Paquier is a member of the PostgreSQL technical staff at VMware. He has been involved for many years in community development of PostgreSQL and Postgres-XC, and has worked on multi-master database technologies. He is also interested in parallel query processing and concurrent SQL processing.
