Article ID: 127933, created on Dec 28, 2015, last review on Dec 28, 2015

  • Applies to:
  • Plesk Automation 11.5

Question

How to harden the PostgreSQL end-points of the Plesk Automation system database so that it is not affected by the vulnerability CVE-2013-1899?

Answer

Plesk Automation automatically configures PostgreSQL to reject connections from unauthorized hosts. However, this may not be enough when the authorization mechanism of PostgreSQL itself is affected by a vulnerability such as CVE-2013-1899.

The attached script, pgsql_firewall.sh, should be invoked on the management node that runs the system PostgreSQL database.

The following packages should be installed on the management node prior to using the script.

  • iptables
  • iptables-ipv6
  • policycoreutils

The script does the following:

  1. Checks whether IPv6 is supported by any network interface on the host. If it is, checks whether the ip6tables utility is available.
  2. Explicitly allows all IPv4 and IPv6 addresses specified in pg_hba.conf to connect to port 5432.
  3. Forbids all other source addresses from connecting to port 5432.

NOTE: pg_hba.conf is the main configuration file of the PostgreSQL database engine. It is located in the /var/lib/pgsql/9.1/data/ directory.

Script Execution:

# gunzip pgsql_firewall.sh.gz
# chmod +x pgsql_firewall.sh
# ./pgsql_firewall.sh

Important Note:

The script cannot process networks specified in pg_hba.conf. Plesk Automation does not add networks to pg_hba.conf automatically, so if your pg_hba.conf contains a network entry, there are two options:

  1. Replace the network rules in pg_hba.conf with rules for specific hosts, and then run the script (preferred).
  2. Add the respective firewall rules manually after the script has been invoked.

Here are the instructions for option (2). Suppose you need to allow the network 203.0.113.0/24 to access the system database; run the following commands after the script has been invoked:

iptables -I Postgres 1 -p tcp -s 203.0.113.0/24 -j ACCEPT
service iptables save
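As an added illustration of the three steps above (not the attached pgsql_firewall.sh), the following script reads the single-host entries from pg_hba.conf and emits the corresponding iptables/ip6tables rules; it only prints them unless the variable APPLY=1 is set. It assumes the chain is named Postgres as in the manual rule above, that the pg_hba.conf path is the one given in the note, and that `service ip6tables save` is provided by the iptables-ipv6 package; network entries are reported as warnings, matching the limitation described in the Important Note.

```shell
#!/bin/sh
# Added example reconstructing the article's three steps; NOT the attached
# pgsql_firewall.sh. Prints the rules by default; APPLY=1 executes and saves them.
PG_HBA="${PG_HBA:-/var/lib/pgsql/9.1/data/pg_hba.conf}"   # location given in the article
PG_PORT=5432
# Single-host addresses from the "host*" lines of pg_hba.conf (column 4). Networks
# (CIDR prefix or netmask column) and keywords such as "all" are skipped with a
# warning, because the article's script cannot process them either.
pg_hba_hosts() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 ~ /^host(ssl|nossl)?$/ {
            addr = $4; sub(/\/(32|128)$/, "", addr)
            if (addr ~ /\// || $5 ~ /^[0-9]+\./ || addr !~ /^[0-9A-Fa-f.:]+$/) {
                print "warning: " $4 " not handled, add its rule manually" > "/dev/stderr"
                next
            }
            if (!seen[addr]++) print addr
        }' "$1"
}
# Rules for one tool ($1 = iptables or ip6tables, $2 = pg_hba.conf): a dedicated
# Postgres chain fed from INPUT, one ACCEPT per listed address of the matching
# family, then a DROP for every other source reaching the PostgreSQL port.
emit_for() {
    echo "$1 -N Postgres"
    echo "$1 -I INPUT -p tcp --dport $PG_PORT -j Postgres"
    pg_hba_hosts "$2" 2>/dev/null | while read -r addr; do
        case "$addr" in *:*) fam=ip6tables ;; *) fam=iptables ;; esac
        if [ "$fam" = "$1" ]; then
            echo "$1 -A Postgres -p tcp --dport $PG_PORT -s $addr -j ACCEPT"
        fi
    done
    echo "$1 -A Postgres -p tcp --dport $PG_PORT -j DROP"
}
# Step 1: use ip6tables only when an interface has an IPv6 address and the tool exists.
has_ipv6() { [ -s /proc/net/if_inet6 ] && command -v ip6tables >/dev/null 2>&1; }
main() {
    run() { if [ "$APPLY" = 1 ]; then sh -e; else cat; fi; }
    # Refuse an empty allow list: the chain would then consist of DROP alone.
    if [ "$(pg_hba_hosts "$PG_HBA" | wc -l)" -eq 0 ]; then
        echo "no single-host entries in $PG_HBA, not emitting a DROP-only chain" >&2; return 1
    fi
    emit_for iptables "$PG_HBA" | run
    if has_ipv6; then emit_for ip6tables "$PG_HBA" | run; fi
    if [ "$APPLY" = 1 ]; then service iptables save; if has_ipv6; then service ip6tables save; fi; fi
}
if [ -r "$PG_HBA" ]; then main; else echo "cannot read $PG_HBA" >&2; fi
```

Review the printed rules first; network entries that were warned about still need the manual rule shown above.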
