Re: Postgres
Rudolf Bargholz
rudolf at bargholz.ch
Wed Aug 9 14:31:40 UTC 2023
Hi Chris,
The IP 83.97.73.87 is geolocated to Moscow.
Regards
Rudolf Bargholz
-----Original Message-----
From: omnisdev-en <omnisdev-en-bounces at lists.omnis-dev.com> On behalf of Doug Easterbrook via omnisdev-en
Sent: Wednesday, 9 August 2023 15:56
To: OmnisDev List - English <omnisdev-en at lists.omnis-dev.com>
Cc: Doug Easterbrook <doug at artsman.com>
Subject: Re: Postgres
hi Chris:
As Paul says, put something in your firewall to block this IP, as the request is coming from outside.
Judging by the date/time stamps in the logs, it is a process repeatedly trying to log in, which means it is an automated process, likely trying all sorts of combinations of IDs and passwords to try to force a connection.
It also says 'no encryption', so it could be that you allow connections externally to your database without requiring a TLS-encrypted session. I'd fix that right away and consider making SSL required for connections at the server. (It would also mean setting up your runtimes to have SSL on them.) Being able to connect without SSL means somebody could be sniffing your connection looking for passwords.
It is also using the 'postgres' user, which is the known user for all Postgres installations.
I'd also make sure that you are using scram-sha-256 as the authentication method on all external IP addresses (it is like a salted MD5 one-way encryption, making it harder to break in).
The final question might be why there is external access to the Postgres server. In some cases it's necessary, but if you control all clients and endpoints, you might consider using VPNs to connect to your network. If that's possible, then you can close down port 5432 externally and this will stop.
Here's an article by EnterpriseDB about hardening Postgres that has a lot more information than briefly provided here. Some of it is not relevant (like row-level security), but it does talk
https://www.enterprisedb.com/blog/how-to-secure-postgresql-security-hardening-best-practices-checklist-tips-encryption-authentication-vulnerabilities
Chris, bottom line: somebody is obviously trying to gain unauthorized access to your database. It calls for immediate action, and the general order I'd do it in would be:
make sure that you only allow access from specific external IP addresses that you know
close port 5432 externally on the firewall ASAP
get everybody who is allowed access to the database from outside your offices to use VPNs
update all clients to be able to use encrypted sessions in Omnis
implement TLS and force scram-sha-256 as the 'method' for access
monitor the logs daily to see if the attack vectors and IP addresses change
Knowing that you are getting log messages preventing access is GOOD. It means they haven't gotten through yet from that IP address. Yet you don't know if people are trying to log in from other IP addresses, since IP addresses that are valid in pg_hba.conf are usually not logged if they repeatedly try to log in. This is where you want TLS, and SCRAM, and VPN and all that other stuff.
There is an 'auth-delay' feature that will slow down invalid attempts before logging them. It is not often used, but it delays invalid attempts for a bit. It will also delay those who make legitimate mistakes (which is why it is not often used), so I don't advise this approach.
https://www.postgresql.org/docs/current/auth-delay.html
It feels like being violated when somebody repeatedly tries this kind of thing. At least you know this time. Time to tighten up.
Doug Easterbrook
Arts Management Systems Ltd.
mailto:doug at artsman.com
http://www.artsman.com
Phone (403) 650-1978
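As an added example (not code from the list, from Doug, or from the PostgreSQL project), the following Python does two of the steps in Doug's list: it summarises the "no pg_hba.conf entry" rejections per source host so a daily log review shows whether the attacking addresses change, and it lints a pg_hba.conf against the rest of the advice (known addresses only, hostssl so TLS is required, scram-sha-256, and no remote rule that admits the postgres superuser). The log lines are constructed in the shape of Chris's log; the addresses 10.0.0.5 and 203.0.113.10, the 10.8.0.0/24 VPN pool and the "app" role are placeholders.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of Chris's log (Ubuntu's default
# log_line_prefix is '%m [%p] %q%u@%d '); the 10.0.0.5 line is invented.
SAMPLE_LOG = """\
2023-08-08 16:55:05.943 AEST [173707] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
2023-08-08 16:55:39.798 AEST [173745] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
2023-08-08 16:56:16.846 AEST [173784] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
2023-08-08 17:10:02.000 AEST [174200] app@sales FATAL:  no pg_hba.conf entry for host "10.0.0.5", user "app", database "sales", SSL encryption
"""

REJECT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[\d+\] \S+ FATAL:\s+'
    r'no pg_hba\.conf entry for host "(?P<host>[^"]+)", user "(?P<user>[^"]+)", '
    r'database "(?P<db>[^"]+)", (?P<enc>no encryption|SSL encryption|GSS encryption)')


def summarise_rejections(log_text):
    """Per source host: attempts, users tried, attempts without TLS, first/last time."""
    hosts = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "unencrypted": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        rec = hosts[m["host"]]
        rec["attempts"] += 1
        rec["users"].add(m["user"])
        rec["unencrypted"] += int(m["enc"] == "no encryption")
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(hosts)


def automated_hosts(summary, min_attempts=3, max_gap_seconds=120):
    """Hosts that look like a scripted login loop: at least min_attempts
    rejections, spaced on average no more than max_gap_seconds apart."""
    hits = []
    for host, rec in summary.items():
        if rec["attempts"] < min_attempts:
            continue
        span = (rec["last"] - rec["first"]).total_seconds()
        if span / (rec["attempts"] - 1) <= max_gap_seconds:
            hits.append(host)
    return sorted(hits)


WEAK_METHODS = {"trust": "no password at all", "password": "cleartext password",
                "md5": "use scram-sha-256 instead"}


def lint_pg_hba(text):
    """(line_no, finding) pairs for TCP rules that break the thread's advice.
    Only the CIDR address form is parsed, not the separate-netmask form."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] == "local":
            continue  # blank/comment line, or a Unix-socket rule (not remote)
        conn_type, _db, user, addr, method = fields[:5]
        try:
            net = ipaddress.ip_network(addr, strict=False)
            loopback, any_host = net.is_loopback, net.prefixlen == 0
        except ValueError:  # 'all', 'samenet', hostnames: treat as remote
            loopback, any_host = False, addr == "all"
        if any_host:
            findings.append((no, "address matches every host; list known IPs or the VPN range"))
        if not loopback and conn_type in ("host", "hostnossl"):
            findings.append((no, f"'{conn_type}' accepts plaintext; use hostssl"))
        if not loopback and user in ("all", "postgres"):
            findings.append((no, "admits the 'postgres' superuser remotely; name the app role"))
        if method in WEAK_METHODS:
            findings.append((no, f"method {method}: {WEAK_METHODS[method]}"))
    return findings


# Constructed 'before': the shape of an internet-exposed server's pg_hba.conf.
WEAK_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   0.0.0.0/0      md5
host    all       all   ::/0           md5
"""

# Constructed 'after' following the thread's advice; 203.0.113.10, the
# 10.8.0.0/24 VPN pool and the 'app' role are placeholders.
HARDENED_HBA = """\
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
hostssl all       app   203.0.113.10/32 scram-sha-256   # known office address
hostssl all       app   10.8.0.0/24     scram-sha-256   # VPN client pool
"""

if __name__ == "__main__":
    summary = summarise_rejections(SAMPLE_LOG)
    for host in automated_hosts(summary):
        r = summary[host]
        print(f"{host}: {r['attempts']} attempts ({r['unencrypted']} without TLS), "
              f"users={sorted(r['users'])}, {r['first']} .. {r['last']}")
    for no, msg in lint_pg_hba(WEAK_HBA):
        print(f"pg_hba.conf:{no}: {msg}")
```

Two caveats when applying the hardened rules on a real server: switching a rule's method to scram-sha-256 only works for roles whose stored password is already a SCRAM verifier, so set password_encryption = scram-sha-256 in postgresql.conf and re-set each affected password with ALTER ROLE ... PASSWORD before editing pg_hba.conf, or those users lock themselves out; and hostssl rules only match once ssl = on with a server certificate and key configured, otherwise the clients get the same "no pg_hba.conf entry" rejection Chris is seeing.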
> On Aug 8, 2023, at 6:50 PM, Chris Hughes via omnisdev-en <omnisdev-en at lists.omnis-dev.com> wrote:
>
>
> Hi one and all.
>
> Having trouble logging onto Postgres from my laptop (Windows 7).
>
> However able to logon from 2 other Desktops.
>
> Went to check out the Postgres log (Ubuntu 22.04).
>
> This is what I am getting
>
> 2023-08-08 16:55:05.943 AEST [173707] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
> 2023-08-08 16:55:39.798 AEST [173745] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
> 2023-08-08 16:56:16.846 AEST [173784] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
> 2023-08-08 16:56:53.631 AEST [173833] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
> 2023-08-08 16:57:27.655 AEST [173881] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
> 2023-08-08 16:57:59.848 AEST [173934] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
> 2023-08-08 16:58:30.662 AEST [173966] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
> 2023-08-08 16:59:04.015 AEST [174017] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
> 2023-08-08 16:59:17.235 AEST [174041] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
> 2023-08-08 16:59:38.062 AEST [174082] postgres@postgres FATAL:  no pg_hba.conf entry for host "83.97.73.87", user "postgres", database "postgres", no encryption
>
> Only problem is that there are 38,000 lines' worth. Does anybody else have similar experiences?
>
> HBA seems to be doing its job.
>
> IP addresses seem to be coming from Russia and Indonesia.
>
>
> Chris Hughes
>
> Copious Data Pty Ltd (Trading as Atad Data)
> 3 Springwell Avenue
> Springwood QLD 4127
> Phone No:- 07 3208 6347
> Mobile No:- 0409 263 349
> Email:- ataddata at bigpond.net.au
> Web Site:- http://ataddata.com.au
>
> _____________________________________________________________
> Manage your list subscriptions at https://lists.omnis-dev.com
> Start a new message -> mailto:omnisdev-en at lists.omnis-dev.com