Assuring the security of PostgreSQL, and of open source database systems in general, is critical, as many learned from the PgMiner botnet attacks in December 2020. Understanding how these attacks happen, having visibility into them, and following standard best practices is the best way to make sure that your data is not at risk.
This blog describes this recent attack on PostgreSQL deployments, how to prevent it, and how to keep your PostgreSQL database instances secure.
Overview and prevention of the PgMiner botnet attacks
Attacks like the PgMiner botnet do not exploit a flaw in PostgreSQL itself; they sweep the Internet for misconfigured servers. The bots scan blocks of IP addresses for hosts that answer on the PostgreSQL port (5432 by default), then try to brute force the passwords of database roles on the servers they find. A server that listens on a public interface, accepts connections from any address and has a role protected by a weak password is all they need.
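The scanning-and-brute-force pattern described above leaves a clear trail in the server log. The following is an added example, not code from the original post or from PostgreSQL: a small Python detector that reads PostgreSQL log lines and reports every client address that accumulates repeated authentication failures inside a short window. It assumes the server was started with log_line_prefix set to '%m [%p] %h %u@%d ' so the client address (%h) is on each line; the log excerpt embedded in it is constructed for the example, and the function names are the example's own.

```python
"""Spot brute-force login attempts in the PostgreSQL server log.

Added example, not code from the original post or from PostgreSQL.
Assumes log_line_prefix = '%m [%p] %h %u@%d ' so the client address (%h)
appears on every line. The log lines below are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt: one scanner cycling through role names, and one
# legitimate client that mistyped its password once and then got in.
SAMPLE_LOG = """\
2020-12-10 03:14:01.007 UTC [2311] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 03:14:03.112 UTC [2312] 203.0.113.7 admin@postgres FATAL:  password authentication failed for user "admin"
2020-12-10 03:14:05.450 UTC [2313] 203.0.113.7 postgres@template1 FATAL:  password authentication failed for user "postgres"
2020-12-10 03:14:07.903 UTC [2314] 203.0.113.7 root@postgres FATAL:  password authentication failed for user "root"
2020-12-10 03:14:10.221 UTC [2315] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 03:14:12.618 UTC [2316] 203.0.113.7 test@test FATAL:  no pg_hba.conf entry for host "203.0.113.7", user "test", database "test", SSL off
2020-12-10 03:15:40.004 UTC [2330] 198.51.100.5 app_rw@appdb FATAL:  password authentication failed for user "app_rw"
2020-12-10 03:15:52.330 UTC [2331] 198.51.100.5 app_rw@appdb LOG:  connection authorized: user=app_rw database=appdb
"""

# The two messages PostgreSQL emits when a remote login is refused: a wrong
# password, or a client that no pg_hba.conf line admits at all.
FAILURE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[\d+\] (?P<host>\S+) '
    r'(?P<user>[^@\s]+)@(?P<db>\S+) FATAL:\s+'
    r'(?:password authentication failed for user "(?P<pw_user>[^"]+)"'
    r'|no pg_hba\.conf entry for host "[^"]+", user "(?P<hba_user>[^"]+)")'
)


def parse_failures(log_text):
    """Return (timestamp, client address, role name) for each refused login."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["host"], m["pw_user"] or m["hba_user"]))
    return events


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Clients with at least `threshold` refused logins inside any `window`.

    Returns {host: {"failures": total refusals, "users": sorted role names
    tried, "first": first timestamp, "last": last timestamp}}."""
    by_host = defaultdict(list)
    for ts, host, user in parse_failures(log_text):
        by_host[host].append((ts, user))

    offenders = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while ts - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[host] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "first": events[0][0],
                    "last": events[-1][0],
                }
                break
    return offenders


if __name__ == "__main__":
    for host, info in find_brute_force(SAMPLE_LOG).items():
        print(f"{host}: {info['failures']} failures, roles tried {info['users']}, "
              f"{info['first'].time()} to {info['last'].time()}")
```

Pointed at /var/log/postgresql/postgresql-*-main.log, the script separates the scanner (many refusals in seconds, several role names) from the user who mistyped a password once. A host that cycles through postgres, admin, root and test in ten seconds is not a colleague with a forgotten password, and its address is a reasonable input for a firewall rule or a fail2ban jail.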
The postgres operating-system account that the Ubuntu package creates has no password set (the account is locked), so nobody can log in to it with a password, over SSH or otherwise. Only someone who already has root on the host can become that user with sudo -u postgres or su - postgres. From there, a separate password can be set on the postgres database role for clients that connect to the service over the network; the system account's password and the database role's password are unrelated, and the role has none until you set one.
By default these connections are not exposed to the network at all: PostgreSQL's default listen_addresses value is 'localhost', so the server only accepts TCP connections on the loopback interface. As outlined in the Ubuntu server guide, the administrator has to edit postgresql.conf (under /etc/postgresql/<version>/main/ on Ubuntu) to make the service listen on an interface reachable from outside the host.
Which clients may then authenticate is governed by pg_hba.conf (host-based authentication), which PostgreSQL consults for every incoming connection: a client is only allowed to attempt authentication if some line in pg_hba.conf matches its connection type, target database, role and source address, and that same line dictates the authentication method (peer, scram-sha-256, cert, and so on). The first matching line wins, so the order of entries matters.
It is recommended to keep the permitted clients as explicit and narrow as possible, and to:
- Only grant each role access to the particular databases it actually needs, rather than listing all
- Only allow those roles to connect from an allowed list of network addresses, rather than 0.0.0.0/0
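Checking that a deployment actually follows these rules can be automated. As an added example (not code from the original post, from Ubuntu or from PostgreSQL), the following Python script audits a postgresql.conf fragment and a pg_hba.conf against the recommendations above: it flags a wildcard listen_addresses, entries that admit every address, every role or every database, and entries whose method is trust, password or md5 rather than peer, scram-sha-256 or cert. Both configuration samples are constructed inline, a weak one beside a hardened one, and the function names are the example's own.

```python
"""Audit PostgreSQL network exposure and pg_hba.conf rules.

Added example, not code from the original post, Ubuntu or PostgreSQL.
The configuration samples are constructed; the function names are this
example's own."""
import ipaddress
import re

# Constructed sample: the settings a brute-force scanner hopes to find.
WEAK_POSTGRESQL_CONF = """
listen_addresses = '*'          # every interface, including the public one
port = 5432
"""

WEAK_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       0.0.0.0/0      md5
host    all       all       ::/0           trust
"""

# Constructed sample: one role, one database, one /24, SCRAM passwords.
HARDENED_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   peer
host    appdb     app_rw    10.20.30.0/24    scram-sha-256
"""

# trust asks for no password at all, password sends it in clear, and an md5
# hash leaked from pg_authid can be replayed to log in; these three cannot.
STRONG_METHODS = {"peer", "scram-sha-256", "cert"}
WILDCARD_LISTEN = {"*", "0.0.0.0", "::"}
NETMASK_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def audit_listen_addresses(conf_text):
    """Findings for a postgresql.conf fragment; the server default is localhost."""
    m = re.search(r"^\s*listen_addresses\s*=\s*'([^']*)'", conf_text, re.M)
    value = m.group(1) if m else "localhost"
    addrs = {a.strip() for a in value.split(",")}
    if addrs & WILDCARD_LISTEN:
        return [f"listen_addresses='{value}' binds every interface"]
    return []


def parse_pg_hba(text):
    """Parse the fields of each active pg_hba.conf line into a dict."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rows.append({"type": "local", "db": f[1], "user": f[2],
                         "addr": None, "method": f[3]})
        elif len(f) >= 6 and NETMASK_RE.fullmatch(f[4]):
            # "host all all 192.0.2.0 255.255.255.0 md5": address and mask split
            rows.append({"type": f[0], "db": f[1], "user": f[2],
                         "addr": f"{f[3]}/{f[4]}", "method": f[5]})
        else:
            rows.append({"type": f[0], "db": f[1], "user": f[2],
                         "addr": f[3], "method": f[4]})
    return rows


def prefix_len(addr):
    """Prefix length of a CIDR or netmask address; None for keywords like samenet."""
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen
    except ValueError:
        return None


def audit_pg_hba(text):
    """Findings for pg_hba.conf: broad addresses, all/all grants, weak methods."""
    findings = []
    for r in parse_pg_hba(text):
        where = " ".join(x for x in (r["type"], r["db"], r["user"], r["addr"]) if x)
        if r["method"] not in STRONG_METHODS:
            findings.append(f"{where}: method {r['method']} "
                            "(use scram-sha-256, cert or peer)")
        if r["type"] == "local":
            continue                      # Unix socket only: no network exposure
        if r["addr"] == "all" or prefix_len(r["addr"]) == 0:
            findings.append(f"{where}: address admits every client on the Internet")
        if r["db"] == "all" and r["user"] == "all":
            findings.append(f"{where}: every role may reach every database")
    return findings


if __name__ == "__main__":
    for label, conf, hba in (("weak", WEAK_POSTGRESQL_CONF, WEAK_PG_HBA),
                             ("hardened", "listen_addresses = '10.20.30.5'\n", HARDENED_PG_HBA)):
        print(f"== {label} ==")
        for finding in audit_listen_addresses(conf) + audit_pg_hba(hba):
            print("  ", finding)
```

The weak sample produces six findings and the hardened one none. Run it against the live files under /etc/postgresql/<version>/main/ after every change, and remember that the server only re-reads pg_hba.conf on reload (pg_ctl reload or SELECT pg_reload_conf()), while a change to listen_addresses needs a restart.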
Open source database security
With PostgreSQL’s install base increasing by 52 percent in 2020, and with open source database adoption increasing year on year, securing the technology that stores company and customer data is critical. Access controls and authentication measures are key concerns when managing the security of databases, but as with any software, unidentified and unpatched vulnerabilities should be a key concern too. If vulnerabilities go undetected and updates are not applied, insecure applications and systems can lead to unauthorised access, leakage and corruption of data.
When assessing your database security, consider where gaps are most likely. For example, with the growth of multi-cloud use, security best practices applied on premises may not yet have been carried over to the public cloud, or vulnerability remediation may be delayed by a lack of visibility and accountability across the organisation.
CVE patching for PostgreSQL on AWS, Azure
Vulnerability patching for open source databases and applications like PostgreSQL running in public clouds is a key concern for security and infrastructure teams. Ubuntu’s open source security extends to systems and applications on AWS and Azure through a comprehensive, secure and compliant image – Ubuntu Pro.
Ubuntu Pro is a premium Ubuntu OS image that allows enterprises to benefit from extended maintenance, broader security coverage and critical compliance features by simply selecting and running an image on a public cloud— with no contract required.
Key features of Ubuntu Pro include:
- 10 years of stability, with extended security maintenance and CVE patching backported to the existing version of the application
- Security coverage for hundreds of open source applications like PostgreSQL, Apache Kafka, NGINX, MongoDB and Redis.
- Kernel Livepatch, which allows for continuous security patching and higher uptime and availability by allowing kernel security updates to be applied without a reboot
- Customised FIPS and Common Criteria EAL-compliant components for use in environments under compliance regimes such as FedRAMP, PCI, HIPAA and ISO
- Optional phone support, up to 24/7
24/7 PostgreSQL support
With IT teams using diverse technologies across different platforms, becoming an expert on each piece of the puzzle is neither realistic nor scalable. Additionally, 40% of respondents in a 2019 Percona survey cited ‘Lack of support’ as a top concern with open source data management. Depending on team capacity and how much an organisation relies on a technology, additional support services may be needed to give teams access to open source database experts.
Canonical provides 24/7, enterprise-grade support for PostgreSQL through Ubuntu Advantage for Applications. Ubuntu Advantage is a single, per-node package of the most comprehensive enterprise security and support for open source infrastructure and applications, with managed service offerings available.
Full-stack application support includes PostgreSQL and other open source database technologies, like MySQL, Redis and Elasticsearch, with response times guaranteed through subscription SLAs. See which applications are covered, and contact us with any questions you may have.
Offloading PostgreSQL security and operations
Open source is ubiquitous in applications, and more than 80 percent of all cyberattacks specifically target applications. Application attacks are both harder to detect and more difficult to contain than network attacks. Attackers take the path of least resistance and go after the applications that present the largest attack surface.
More and more enterprises are realising that managing their PostgreSQL databases and overall open source estate entails significant investments of time, resources and budget, affecting both developer productivity and the overall software development lifecycle. Cyberattacks such as the PgMiner botnet are a stark reminder of the need for active security monitoring and timely issue resolution by application-management and security teams. The 2020 Open Source Security and Risk Analysis (OSSRA) report from Synopsys highlights that 99% of the enterprise application codebases analysed contain open source software. Given the large number of open source applications and databases in enterprises, it is difficult to staff a dedicated team with relevant experience for each one to manage it and keep it secure.
Enterprises now have the option of offloading the complexity of managing open source applications like PostgreSQL to managed service providers such as Canonical. Canonical’s engineers ensure that open source databases and apps remain secure and performant at all times with active monitoring and full life-cycle management.
With Canonical’s fully managed PostgreSQL service, engineers will keep Postgres and open source apps secure and updated with real-time issue resolution and patching wherever they run – on Kubernetes, in the public or private cloud.