Introduction
Operations Automation and Business Automation, when deployed on Linux, use the PostgreSQL database engine for storing system databases. Operations Automation and Business Automation automatically configure PostgreSQL to restrict connections from unauthorized hosts. This usually helps keep malicious traffic out, but it may be not enough in cases when the authorization mechanism of PostgreSQL itself contains a security breach. For an example, refer toCVE-2013-1899.
This document describes how to harden PostgreSQL end-points of Operations Automation and Business Automation system databases.
Resolution
The attached script,pgsql_firewall.sh, should be invoked on the node that runs the system PostgreSQL database (with both Business Automation and Operations Automation).
Prerequisites:
The following packages should be installed on the database host:
- iptables
- iptables-ipv6
- policycoreutils
The script does following:
- Checks if IPv6 is supported by any network interface on the host. If it is, check if the_ip6tables _utility is available.
- Explicitly allows all IPv4 and IPv6 addresses specified in pg_hba.conf to connect to port 5432
- Forbids all other source addresses from connecting to port 5432
Script Execution:
# gunzippgsql\_firewall.sh.gz
# shpgsql\_firewall.sh
Important Note:
The script cannot process networks specified in pg_hba.conf correctly. Neither Operations Automation nor Business Automation adds networks into pg_hba.conf automatically. Moreover, one has to avoid this for Service Automation system databases for security reasons.
If your pg_hba.confcontains a network, you have two options:
- Replace thepg_hbanetwork's rules with rules for specific hosts, and then run the script (preferable).
- Add the respective firewall rules manually after the script's invocation.
Here are the instructions for option (2): Suppose you need to allow the network 10.20.30.0/24 to access the system database. Simply run the following commandsafterthe script's invocation:
iptables -I Postgres 1 -p tcp -s 10.20.30.0/24 -j ACCEPT
service iptables save
Examples:
[root@pba ~]# sh pgsql_firewall.sh /sbin/ip6tables Postgres access config file: /var/lib/pgsql/data/pg_hba.conf. Following IP addresses should be allowed to access PostgreSQL port: 10.37.131.211 10.37.131.213 127.0.0.1 ::1 Configure IPv4 firewall rules iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] Configure IPv6 firewall rules ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[ OK ] DONE
[root@poa ~]# sh pgsql_firewall.sh Postgres access config file: /var/lib/pgsql/9.0/data/pg_hba.conf. Following IP addresses should be allowed to access PostgreSQL port: 10.37.131.201 10.37.131.215 10.37.131.41 127.0.0.1 ::1 Configure IPv4 firewall rules Saving firewall rules to /etc/sysconfig/iptables: [ OK ] DONE