Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Yes, the DB server needs a firewall

Does it?

My recently-built DB machine has 4 listening network sockets that are bound to non-local interfaces: tcp/22:sshd (so I get in), tcp/5432:postgresql (because it's DB server, huh), udp/123:ntpd (so clocks are in sync) and tcp/443:nginx (serves some static pages with performance data).

I don't see any place where firewalling's needed.



Does the server need to be accessible to the world, or only to your web or other application server?

Many DB developers consider it good practice to be paranoid about who has access to the DB port, even if they can't authenticate:

http://www.postgresql.org/support/security/faq/2013-04-04/

"Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable. Users whose servers are only accessible on protected internal networks, or who have effective firewalling or other network access restrictions, are less vulnerable.

"This is a good general rule for database security: do not allow port access to the database server from untrusted networks unless it is absolutely necessary. This is as true, or more true, of other database systems as it is of PostgreSQL."


Like in cars, firewalls are a safety measure; they provide a sense of security.

What if done program you don't realization is installed opens a port somewhere?

So not strictly necessary for correct operation, but then again security is all about being defensive....


"I don't see any place where firewalling's needed."

I don't see where I made any mention of your specific setup in my statement.

Famous last words. You won't need a firewall until you need one, but then it's too late.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: