I'm setting up a server, with postgresql running as a service. I can use nmap to get current postgresql version
nmap -p 5432 -sV [IP]
It returns:
PORT STATE SERVICE VERSION
5432/tcp open postgresql PostgreSQL DB 9.3.1
Is there a way to hide the postgresql version from nmap scanning? I've searched but it's all about hiding the OS detection.
Thank you.
There's only one answer here: Firewall it.
If you have your Postgres port open, you will be probed. If you can be probed, your service can be disrupted. Most databases are not intended to be open like this to public, they're not hardened against denial-of-service attacks.
Maintain a very narrow white-list of IPs that are allowed to connect to it, and whenever possible use a VPN or an SSH tunnel to connect to Postgres instead of doing it directly. This has the additional advantage of encrypting all your traffic that would otherwise be plain-text.
You have a few options, but first understand how Nmap does it: PostgreSQL database server responds to a malformed handshake with an error message containing the line number in the source code where the error occurred. Nmap has a list of possible PostgreSQL versions and the line number where the error happens in that particular version. The source file in question changes frequently enough that Nmap can usually tell the exact version in use, or at least a range of 2 or 3 version numbers.
So what options do you have?
Do nothing. Why does it matter if someone can tell what version of PostgreSQL you are running? Keep it up to date and implement proper security controls elsewhere and you have nothing to worry about.
Restrict access. Use a firewall to limit access to the database system to only trusted hosts. Configure PostgreSQL to listen only on localhost if network communication is not required. Isolate the system so that unauthorized users can't even talk to it.
Patch the source and rebuild. Change PostgreSQL so that it does not return the source line where the error happened. Or just add a few hundred blank lines to the top of postmaster.c so Nmap's standard fingerprints can't match. But realize you'll have to do this every time there's a new version or security patch.
Related
I have tried to connect to a DB2 DB using the command line:
schemacrawler --server=db2 --host=*myhost* --port=*myport* --database=*db2database* --user=*myuser* --password=*mypassword* --info-level=minimum --command=list --log-level=CONFIG
I get the following error:
SchemaCrawler 16.11.7
Error: Could not connect to
jdbc:db2://pathtodb:retrieveMessagesFromServerOnGetMessage=true;, for
user 'user', with properties {}: [jcc][t4][2043][11550][4.28.11]
Exception java.net.ConnectException: Error opening socket to server
myserver on port myport with message: Connection timed out: connect. ERRORCODE=-4499, SQLSTATE=08001
I have the suspicion that there is a problem in the company's firewall that does not let me connect from SchemaCrawler. I can connect to the db with DBeaver from a virtual machine (Saas). Since DBeaver is running SaaS I do not have access to the VM and cannot test from there.
How could I check if the network is blocking SchemaCrawler requests from my local machine (Windows 10 Enterprise 1909)?
Windows-10 includes ping and tracert and nslookup tools (you run these in a CMD window). These ping and tracert may help you determine if there is IP-level connectivity between your Win10 box and the target Db2-server. Refer to any good textbook to learn how to use these tools.
Windows-10 also has its own software-firewall ( run from the start box if you search firewall) which needs you to add a rule to open the relevant port for tcp and udp traffic. Your login may need to have suitable permissions to make changes like this, so in some corporate environments access is restricted. If this is the case, open a ticket with relevant support teams, as that is not a matter for StackOverflow.
If adding such a rule does not fix your symptom, then you should contact the network support people in your company to open the relevant ports or provide another means for you to achieve the goal.
Note also that there are other tools (arguably better tools) to get a DDL report for a Db2 database, including the db2look utility which is present in the Db2 fat client, and also present on Db2-LUW servers. If the Db2-server runs on either i-series or Z/OS then other tools exist for those environments so talk with the relevant administrators.
I am trying to do a local installation of a large but simple installation PostgreSQL 9.3.2 to hold about 14 GB of data, currently in a CSV file. This is my first attempt to install any database other than SQLite. The installer is asking me questions that I do not know how to answer and that seem inappropriate for an installation that I do not want to make available to the internet. I expect to be interacting with it through the R package RPostgreSQL. The database will contain primarily US Census data that is publicly available for free, and so not a tempting target. For instance, the installer asks me what port to use, and seems to require that I set a password. I prefer to set it up with no internet or remote accessibility at all, even from me.
Could someone tell me or point me toward documentation for producing a strictly local installation with minimal irrelevant hoops to jump through, both on installation and on use? I did a series of searches on variant of PostgreSQL & “install locally” or “local installation” or “create local database”, etc. but these were unproductive.
This will be on an ancient but lightly rebuilt Compaq laptop, Intel Core 2 Duo, Windows XP OS with SP3.
Any help folks could offer much appreciated.
If you're looking for an install that doesn't run a server and listen on TCP/IP, it isn't really possible, because PostgreSQL is a client/server database that (on Windows) communicates with clients solely over TCP/IP.
A "local only" install is one where the TCP/IP socket listens only on localhost, i.e. 127.0.0.1.
If you were really keen, you could not install the Windows service for the server at all, and just grab the binaries. To use PostgreSQL you would then have to initdb a new database directory, and start PostgreSQL when you wanted it with pg_ctl. See the user manual for details on these commands. When running, PostgreSQL would still be a server listening on a TCP/IP port, there's just no way around that on Windows.
On UNIX systems PostgreSQL can listen on a unix socket (a bit like a windows named pipe). This is not supported by PostgreSQL on Windows. Even then, it still has to run a server.
If you're looking for something like an embedded, on-demand, or in-memory PostgreSQL that runs out of the client library, there is no such thing.
I followed these steps to install PostgreSQL with Homebrew (first time using Homebrew): http://dhilipsiva.blogspot.se/2013/02/install-postgresql-on-os-x-using.html
The last step didn't work. I assume it is supposed to start the server. However, I think I successfully created a database cluster and started the database server following the official documentation (17.2 and 17.3): http://www.postgresql.org/docs/9.2/interactive/runtime.html
My problem is that when I try to create a database using createdb mydb in the terminal, I get the message:
createdb: could not connect to database postgres: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/var/pgsql_socket/.s.PGSQL.5432"?
I'm very confused since a lot of the concepts being thrown around here (like sockets, path variables etc) are new to me. I'm also confused about the directory structure in Mac OS X, since I recently migrated from Windows. If anyone could just point me in the right direction it'd be much appreciated.
Update
As always, once you post, you find the answer. Well almost: the accepted answer in this post leads me to the conclusion that my Unix domain socket (whatever that is) is located in a place that Postgres doesn't expect.
Can't get Postgres started
Using the -h flag, it works. So the question is, how do I configure Postgres to look for the socket in the right place?
You are apparently running the default OS X supplied PostgreSQL client, which expects the Unix-domain socket in a different location than the Homebrew version. Basically,
/usr/bin/{createdb,psql,...} ---> /var/pgsql_socket/.s.PGSQL.5432
/usr/local/bin/{createdb,psql,...} ---> /tmp/.s.PGSQL.5432
So make sure your path is set correctly so that you are calling the right one.
Alternatively, you can override the socket location like this:
createdb -h /tmp ...
Please, any help will be appreciated, i have an OpenERP installed with all its components (Postgres, Web server, Server) in a VPS..
And I would like to use this PostgreSQL from my local machine trough pgAdmin3. I am still not able to do so.
I read some answers about this issue, by modifing Configuration Files in Postgresql and some others telling me to use SSH Tunilling trough Putty, but when i go to connect trough PGADMIN3 i can't have a successfuull connection
So , Please if any one could Give me in details What i have to do, to make this happen successfully,
First you need to ask yourself a bunch of questions. The answer to this isn't really that simple which is why it hasn't been answered. These involve risk management questions that happen when you set up your db for access across the internet. You really want to start by reading the administration and authentication sections of the PostgreSQL docs. You may want to do an SSH tunnel or just require SSL.
Personally I would configure PostgreSQL to require SSL if you are going to do that. Set up an entry of type hostssl in the pg_hba.conf for the host that will be connecting to it. Set up firewall rules to allow connections from that host. Ideally set up a client cert but not quite sure how to make OpenERP use that.
Then configure OpenERP. I don't know which version you are running but these docs may get you started.
Are there any conflicts if both Interbase and Firebird are installed on the same workstation?
Does anyone have any tips or best practices for this?
Interbase uses port 3050 by default. So, you have to choose another number for Firebird server on the same machine. Port number is specified through firebird.conf file. You have to restart Firebird service after changing conf file.
Actually I have four different versions of FB running on my development computer. In this case every instance must use its own port number and have unique instance name given using -n switch of instsvc.
Dont forget to specify custom port number in a connection string. For port 3051 the string will look like:
Server/3051:path_to_db_file
A good link to check
If you change the port for either Firebird or InterBase, then it's OK.