How to harden PostgreSQL end-points of Plesk Automation system database to avoid being affected by security breach CVE-2013-1899 ?
Plesk Automation automatically configures PostgreSQL to restrict connections from unauthorized hosts hosts. However, it may be not enough in cases when the authorization mechanism of PostgreSQL itself contains a security breach CVE-2013-1899
The attached script, pgsql_firewall.sh, should be invoked on the management node that runs the system PostgreSQL database.
The following packages should be installed on the management node prior to using the script.
The script does following:
- Checks if IPv6 is supported by any network interface on the host. If it is, check if the _ip6tables _utility is available.
- Explicitly allows all IPv4 and IPv6 addresses specified in pg_hba.conf to connect to port 5432
- Forbids all other source addresses from connecting to port 5432
_pg_hba.conf is the key configuration file of PostgreSQL database engine. It is located in
# gunzip pgsql_firewall.sh.gz # chmod +x pgsql_firewall.sh # ./pgsql_firewall.sh
The script cannot process networks specified in pg_hba.conf correctly. Plesk Automation does not add networks into pg_hba.conf automatically. Thus if your pg_hba.conf contains a network, there are two options available:
- Replace the pg_hba network's rules with rules for specific hosts, and then run the script (preferable).
- Add the respective firewall rules manually after the script's invocation.
Here are the instructions for option (2): Suppose you need to allow the network 203.0.113.0/24 to access the system database. Simply run the following commands after the script's invocation:
iptables -I Postgres 1 -p tcp -s 203.0.113.0/24 -j ACCEPT service iptables save