Article ID: 115916, created on Apr 5, 2013, last review on Jun 17, 2015

Applies to:

  • Operations Automation
  • Business Automation

Introduction

Operations Automation and Business Automation, when deployed on Linux, use the PostgreSQL database engine for storing system databases. Operations Automation and Business Automation automatically configure PostgreSQL (through pg_hba.conf) to restrict connections from unauthorized hosts. This usually keeps malicious traffic out, but it may not be enough when the authorization mechanism of PostgreSQL itself has a security vulnerability, because such traffic still reaches the PostgreSQL listener before the check is applied. For an example of such a vulnerability, refer to CVE-2013-1899.

This document describes how to harden the PostgreSQL endpoints of Operations Automation and Business Automation system databases with host-level firewall rules, so that only the hosts already listed in pg_hba.conf can reach port 5432 at all.

Resolution

The attached script, pgsql_firewall.sh, should be invoked on the node that runs the system PostgreSQL database (with both Business Automation and Operations Automation).

Prerequisites:

The following packages should be installed on the database host:

  • iptables
  • iptables-ipv6
  • policycoreutils

The script does the following:

  • Checks whether IPv6 is supported by any network interface on the host. If it is, checks that the ip6tables utility is available.
  • Explicitly allows all IPv4 and IPv6 addresses specified in pg_hba.conf to connect to port 5432.
  • Forbids all other source addresses from connecting to port 5432.

Script Execution:

# gunzip pgsql_firewall.sh.gz
# sh pgsql_firewall.sh

Important Note:

The script cannot process networks (CIDR ranges) specified in pg_hba.conf correctly; it only handles individual host addresses. Neither Operations Automation nor Business Automation adds networks to pg_hba.conf automatically. Moreover, one has to avoid this for Service Automation system databases for security reasons.

If your pg_hba.conf contains a network, you have two options:

  1. Replace the pg_hba network's rules with rules for specific hosts, and then run the script (preferable).
  2. Add the respective firewall rules manually after the script's invocation.

Here are the instructions for option (2). Suppose you need to allow the network 10.20.30.0/24 to access the system database. Run the following commands after the script's invocation (the rule is inserted at position 1 of the Postgres chain the script creates, so it is evaluated before the script's final deny rule, and the second command makes it persist across reboots):

iptables -I Postgres 1 -p tcp -s 10.20.30.0/24 -j ACCEPT
service iptables save
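The following is an added illustration of the logic described above and of the network caveat; it is not the attached pgsql_firewall.sh and is not the vendor's code. It reads a constructed pg_hba.conf fragment, extracts the host addresses, splits them into IPv4 and IPv6, and prints (rather than applies) the iptables and ip6tables commands for a chain named Postgres, the same chain name the manual rule above inserts into. Network entries are reported and skipped, which is exactly the case where an operator has to add a rule by hand. The pg_hba.conf column layout and the DROP-by-default policy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the KB's pgsql_firewall.sh. Parses pg_hba.conf-style input
# and prints the firewall commands that would restrict port 5432 to the hosts
# listed there. Nothing is applied; every command is only echoed.

PG_PORT=5432

# Constructed sample pg_hba.conf content (not taken from any real system).
SAMPLE_HBA='# TYPE  DATABASE  USER  ADDRESS           METHOD
local   all       all                     ident
host    all       all   127.0.0.1/32      md5
host    all       all   ::1/128           md5
host    all       all   10.37.131.211/32  md5
hostssl all       all   10.37.131.213/32  md5
host    all       all   10.20.30.0/24     md5
'

# Print the ADDRESS column of every host/hostssl/hostnossl line on stdin,
# comments stripped. Single-host masks (/32, /128) are removed; any other
# prefix length is kept so a network can be told apart from a host.
hba_addresses() {
    sed 's/#.*//' | awk '$1 ~ /^host(ssl|nossl)?$/ && NF >= 4 { print $4 }' \
        | sed -e 's#/32$##' -e 's#/128$##'
}

# True when the address still carries a prefix length, i.e. it is a network.
is_network() { case "$1" in */*) return 0 ;; *) return 1 ;; esac; }

# True for an IPv6 address (contains a colon), false for IPv4.
is_ipv6() { case "$1" in *:*) return 0 ;; *) return 1 ;; esac; }

# Print the commands for one firewall tool: a dedicated Postgres chain that
# accepts the listed hosts, drops everything else, and is hooked into INPUT.
emit_chain() {
    tool=$1
    hosts=$2
    echo "$tool -N Postgres"
    for h in $hosts; do
        echo "$tool -A Postgres -p tcp --dport $PG_PORT -s $h -j ACCEPT"
    done
    echo "$tool -A Postgres -p tcp --dport $PG_PORT -j DROP"
    echo "$tool -I INPUT -p tcp --dport $PG_PORT -j Postgres"
    echo "service $tool save"
}

# Read addresses from stdin, bucket them by family and emit the rules.
# Networks are reported on stderr and skipped: the operator must add those
# with a manual "iptables -I Postgres 1 ..." rule, as the article describes.
firewall_rules() {
    v4=""
    v6=""
    while read -r addr; do
        [ -z "$addr" ] && continue
        if is_network "$addr"; then
            echo "WARNING: network $addr in pg_hba.conf must be allowed manually" >&2
            continue
        fi
        if is_ipv6 "$addr"; then v6="$v6 $addr"; else v4="$v4 $addr"; fi
    done
    emit_chain iptables "$v4"
    if [ -n "$v6" ]; then
        emit_chain ip6tables "$v6"
    fi
}

# Stand-alone run: show the rules for the constructed sample.
printf '%s' "$SAMPLE_HBA" | hba_addresses | firewall_rules
```

Run it with `sh` to see the generated commands and the warning for 10.20.30.0/24; the printed rule set can then be compared against `iptables -L Postgres -n` on a host where the real script has already run.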

Examples:

[root@pba ~]# sh pgsql_firewall.sh
/sbin/ip6tables
Postgres access config file: /var/lib/pgsql/data/pg_hba.conf.
Following IP addresses should be allowed to access PostgreSQL port:
 10.37.131.211
 10.37.131.213
 127.0.0.1
 ::1
Configure IPv4 firewall rules
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
Configure IPv6 firewall rules
ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[  OK  ]
DONE
[root@poa ~]# sh pgsql_firewall.sh
Postgres access config file: /var/lib/pgsql/9.0/data/pg_hba.conf.
Following IP addresses should be allowed to access PostgreSQL port:
 10.37.131.201
 10.37.131.215
 10.37.131.41
 127.0.0.1
 ::1
Configure IPv4 firewall rules
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
DONE

Attachments

caea8340e2d186a540518d08602aa065 5356b422f65bdad1c3e9edca5d74a1ae 198398b282069eaf2d94a6af87dcb3ff e12cea1d47a3125d335d68e6d4e15e07
