What possibilities are there to connect to a postgres database - postgresql

I was wondering: What possibilities are there to connect to a postgres database?
I know off the top of my head that there are at least two possibilities.
The first possibility is a brute one: Open a port and let users anonymously make changes.
The second way is to create a website that communicates with postgres with use of SQL commands.
I couldn't find any more options on the internet so I was wondering if there are any. I'm curious if other options exist. Because maybe one of those options is the best solution to communicate with postgres via the internet.

This is more of a networking/security type question, I think.
You can have your database fully exposed to the internet which is generally a bad idea unless you are just screwing around for fun and don't mind it being completely hosed at some point. I assume this is what you mean by option 1 of your question.
You can have a firewall in front that only exposes it for certain incoming IPs. This is a little better, but still feels a little exposed for a database, especially if there is sensitive data on it.
If you have a limited number of folks that need to interact with the DB, you can have it completely firewalled, but allow SSH connections to the internal network (possibly the same server) and then port forward through the SSH tunnel. This is generally the best way if you need to give full DB access to folks that are external to the DB's network, since SSH can be made much more secure than a direct DB connection by using a public/private keypair for each incoming connection. You can also only allow SSH from specific IPs through your firewall as an added level of security.
Similar to SSH, you could stand up a VPN and allow access to the LAN upon which the DB sits and control access through the VPN.
If you have a wider audience, you can allow no external access to the database (except for you or a DBA/Administrator type person through SSH tunneling or VPN). Then build access through a website where communication to the DB is done in the server-side scripting (php, node.js, rails, .net, what-have-you). This is the usual website setup that every site with a database behind it uses. I assume that's what you mean by option 2 of your question.

Forwarding to different IP addresses depending on which application I use

Is there any way that I can go from a server to a website depending on whether you use PuTTY or a browser? I have 1 domain using GoDaddy and I want it to go to a server when using PuTTY but a website when using a browser.
This is what I have so far.
By the way I am using GitHub pages for the browser side of things.
HTTP (port 80 and 443) is an end user protocol, SSH is an admin protocol.
The semantics (meaning rules) behind the Domain Name protocol are that names represent an IP address, and they in turn represent a physical server.
While it is technically possible to break the semantic rules of a protocol, it is not convenient to do so, as it would make maintenance harder by making the design more opaque. If these were both end user protocols I would understand if maintenance ease were sacrificed for the sake of user ease, but you are trying to create an abstraction for admins, which will only make debugging harder.
The solution is to use a different name for a different server. You can use a subdomain, for example ssh.domain.com, if the endpoint is a bastion host that tunnels connections to domain.com, or just use a different domain name altogether if it's a completely different service.

Can my friend's pc connect to my PostgreSQL? If yes, how?

So far NONE answered my question, so I'm stuck here...
Basically I made a program (it's connected to my PostgreSQL database) which, depending on the user input, changes table contents in the database. It's a sort of Register/Login system. (click here if you want to see the script). When I run it on my PC (Windows 10 x64) it works like a charm. But when a friend of mine (Windows 10 x64) tries to run it (on a different network) it gives him this error:
Could not connect to server: Connection refused
Is the server running on host “192.168.1.113” and accepting TCP/IP connections on port 5432?
(if it can help you, I tried MySQL too, but I got the same result... my friend cannot access my database!)
So, I was asking myself "Is it even possible to allow other devices to access my database from other networks? If yes, how can I do it?"
192.168.*.* is for local network addresses. You would not expect it to be reachable from another network. You would have to figure out what your real address is. For example, by going to https://whatismyipaddress.com/ or just Googling "what is my IP address".
Then you have the question of how often that address changes (which is up to your ISP) and how to get the connection past your home router, which will probably either block it, or at least not route it to your database server, without special configuration to do port-forwarding. This is a basic networking task and at the moment is not specific to PostgreSQL.
Your ISP may also block the connection, as hosting servers on your standard home ISP plan is likely against the terms of service. Although most of them allow it if the traffic never comes to their attention due to high usage or due to abuse complaints.
I'd advise against that. We use databases to store metadata, text-based data, data that you need to run queries upon. For storing images, what services like Instagram and Pinterest do is store the images on services like S3, which are inexpensive [because databases are extremely expensive]. Plus the number of images generated per second, should you receive that amount of traffic, would be astronomical.
What they do is they store the images on s3-- it's like your hard disk, but hosted on the internet, and then store the path in the database, and when someone asks for that image, we serve it from s3.

Secure way to access DB on Raspberry pi outside home network

I have a postgres database installed on my Raspberry Pi that works fine locally within my home network. I would like to be able to access this from outside my home network. I've done some research and from what I've seen, port forwarding on my router or using a service like localtunnel or ngrok seem like viable solutions.
However, my question is whether these open up any security risks on my home network? If not, then great, I can move forward with setting this up (I was leaning towards port forwarding on my router). But if there are concerns, what exactly are they and what steps can I take to have a secure setup?
If you expose your database to the world with a weak password for a database superuser, that will definitely lower your security in a substantial way. Hackers routinely patrol for such weak settings and exploit them, mostly for cryptocurrency mining but also to add you to botnets. In those cases they don't care about your database itself, it is just a way in to get at your CPU/network connection. They might also probe for valuable information appearing in your database, in which case they don't even need to be a superuser.
If you always run the latest bugfix version and use a strong password (like the output of pwgen 20 -sy -1) and use SSL or if you correctly use some other method of authentication and encryption, then it will lower security by only a minimal amount.
If you personally control every password, and ensure they are strong, and test that they are configured correctly to be required for log on (e.g. intentionally enter it wrong once to make sure you get rejected), I wouldn't worry too much about the port forwarding providing bad guys access to the machine. If you care about people being able to eavesdrop on the data being sent back and forth, then you also need SSL.
Encrypted tunnels of course are another solution which I am not addressing.

Multitenancy using LDAP Integration

I need your suggestion for the following stuff of Multitenancy:
Actually I need to achieve multitenancy for my app. I've got it working using the traditional flow with use of DB/Schema (e.g. a separate schema for each tenant).
Now I need to integrate user validation from LDAP and the multitenancy stuff as well.
So what I am thinking is: what if I store User info + DB/Schema info (DB connectivity info) in the LDAP Server, for a more dynamic nature of the app? Because with this I would be able to connect to any DB/Schema (irrespective of its physical location).
What's your opinion of this approach? Would it be really feasible?
If there are any cons in your mind, please share.
Thanks & Regards.
It sounds like you are trying to host multiple clients' systems on your system and each client may have multiple connections from multiple locations. From your question it sounds like you are putting one customer per database though databases may not be on the same cluster.
The first thing to do is to lock down PostgreSQL appropriately in the pg_hba.conf and expose only those database/user combos you want to expose. If you are going this route, LDAP sounds sane to me for publishing the connection info, since it means you can control who can access which accounts. Another option, possibly closely tied, would be to issue SSL certs and use certificate authentication by clients, so they can be issued a cert and use it to connect. You could even authenticate PostgreSQL against LDAP.
So there are a lot of options here for using these two together once you have things otherwise properly secured. Best of luck.
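The advice in this answer (lock down pg_hba.conf, expose only the database/user combos you need, certificate or LDAP authentication) and in the Raspberry Pi answer above (strong password, SSL, and confirming the password is actually required) can be shown in one concrete pg_hba.conf. This is an added illustration, not configuration from any of the posters; the database names, roles, address ranges and the LDAP server name are made up, and the commented-out first line is the "open a port and let anyone in" setting from the original question, kept only for contrast.

```conf
# pg_hba.conf (added illustration; names and addresses are constructed)
# Lines are matched top to bottom; the first matching line decides.
# TYPE    DATABASE    USER            ADDRESS             METHOD

# Weak: every database, every role, from anywhere, with no password at all.
# Replace "trust" with "md5" and it is still every database from anywhere,
# with the password sent over a connection that need not be encrypted.
# host    all         all             0.0.0.0/0           trust

# Hardened:
# Local administration only, over the Unix socket, as the OS user "postgres".
local     all         postgres                            peer

# Remote clients must use TLS (hostssl), may only reach the one database
# their role is meant for, and only from a known address range.
hostssl   tenant_a    tenant_a_app    203.0.113.0/24      scram-sha-256

# Client-certificate authentication: the certificate's CN must match the role.
hostssl   tenant_b    tenant_b_app    198.51.100.7/32     cert

# Authenticate against the LDAP directory instead of local passwords
# (search+bind mode: look the user up by uid, then bind as that entry).
hostssl   tenant_c    all             203.0.113.0/24      ldap ldapserver=ldap.example.com ldapbasedn="dc=example,dc=com" ldapsearchattribute=uid

# Everything not matched above is refused. A non-matching line is refused
# anyway, but the explicit reject makes the intent obvious when reading.
host      all         all             all                 reject
```

The hostssl lines only work if postgresql.conf has `ssl = on` with a server certificate installed, and `listen_addresses` must include the interface the remote clients reach; reload with `SELECT pg_reload_conf();` after editing. Then do what the Raspberry Pi answer suggests: from outside the allowed range, try a wrong password and a plain (non-SSL) connection and confirm both are rejected. pg_hba.conf is one layer; the firewall, SSH tunnel or VPN from the first answer still sits in front of it.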

Preventing brute-force attacks on MySQL?

I need to turn on networking for MySQLd, but every time I do, the server gets brute-forced into oblivion. Some mean password guessing script starts hammering on the server, opening a connection on port 3306 and trying random passwords forever.
How can I stop this from happening?
For SSH, I use denyhosts, which works well. Is there a way to make denyhosts work with MySQLd?
I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)
Does anyone have any other ideas?
If it makes a difference, I'm running MySQL 5.x on FreeBSD 6.x.
Firewall mysql port out. But this belongs to the serverfault realm, I believe.
I've also considered changing the port MySQL is running on, but this is less than ideal and only a stop-gap solution (what if they discover the new port?)
The stupid bots are the ones that are constantly bashing themselves against your port and they don't look for new ports. Move to a different port and you now only have to worry about people who are trying to hack you, rather than the internet background noise of compromised machines scanning random hosts. This is a great improvement.
If you need to let only a few specific machines through to your database you could consider an SSH tunnel between local ports on the database and client machines. It's fairly rare you really want to open a database port to the public internet.
Limit the number of unsuccessful requests a single host can make.
I believe changing the port number from the default one (3306) to some other doesn't improve the security but helps in most cases (at least a bit). Have you tried that in practice or only considered it?
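The "limit the number of unsuccessful requests a single host can make" idea, as an added example that is not code from any of the answers: a denyhosts-style pass over the MySQL error log that counts failed logins per source address in a sliding window and turns the offenders into firewall rules. The log lines are constructed in the MySQL 5.x error-log format (the server only writes them when log_warnings is 2 or higher); the threshold, the window and the assumption that ipfw is the firewall on the FreeBSD box are mine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a MySQL 5.x error log. With log_warnings >= 2 the
# server writes one "Access denied" warning per failed login attempt.
SAMPLE_LOG = """\
090314 10:01:02 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
090314 10:01:03 [Warning] Access denied for user 'admin'@'203.0.113.9' (using password: YES)
090314 10:01:03 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
090314 10:01:04 [Warning] Access denied for user 'test'@'203.0.113.9' (using password: NO)
090314 10:01:05 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
090314 10:05:00 [Warning] Access denied for user 'alice'@'198.51.100.4' (using password: YES)
090314 10:05:30 [Note] Something unrelated happened
090314 10:06:00 [Warning] Access denied for user 'alice'@'198.51.100.4' (using password: YES)
090314 10:30:00 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
"""

# Timestamp is YYMMDD HH:MM:SS; MySQL space-pads single-digit hours.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_failures(text):
    """Yield (timestamp, user, host) for every failed login in the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login warning
        ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
        yield ts, m.group("user"), m.group("host")


def offending_hosts(text, threshold=5, window=timedelta(minutes=10)):
    """Return {host: time_first_over_threshold} for hosts that reach
    `threshold` failed logins inside any sliding `window`."""
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    flagged = {}
    for ts, _user, host in parse_failures(text):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold and host not in flagged:
            flagged[host] = ts
    return flagged


def ipfw_rules(flagged, port=3306):
    """Hypothetical deny rules for FreeBSD's ipfw, one per offending host;
    which firewall you run and how rules are loaded is an assumption here."""
    return [f"ipfw add deny tcp from {host} to me {port}" for host in sorted(flagged)]


if __name__ == "__main__":
    hits = offending_hosts(SAMPLE_LOG)
    for host, when in hits.items():
        print(f"{host} crossed the threshold at {when}")
    for rule in ipfw_rules(hits):
        print(rule)
```

Running this on the sample flags 203.0.113.9 (five failures in three seconds) and leaves 198.51.100.4 alone (two failures, which is what a user mistyping a password looks like). In practice the same loop would tail the live error log and the rules would be removed again after a cooling-off period, exactly as denyhosts does for SSH; the point of the window is that a slow trickle of guesses spread over hours is caught too, while a legitimate user who fat-fingers a password a couple of times is not locked out.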