Securing PostgreSQL 101
The following are basic practices for securing your PostgreSQL installation.
Install the latest version
Run a supported, current version. Stay on a supported major version and apply minor releases as they are published; minor releases are where security fixes ship. For EDB releases, see the EDB repositories.
Apply security patches promptly. Track advisories and apply fixes as soon as they are released rather than on the next scheduled maintenance window. For EDB security vulnerabilities and advisories, see the EDB Vulnerability disclosure policy.
Use strong authentication methods
PostgreSQL supports several authentication methods. Always use the most secure option available.
Password authentication. Ensure that all users authenticate with strong passwords, and hash them with scram-sha-256 rather than md5. PostgreSQL's md5 scheme hashes the password together with only the user name, and the stored hash is itself enough to answer the server's challenge, so a leaked pg_authid row is a leaked credential. SCRAM-SHA-256 uses a per-user salt, iterated hashing, and a challenge-response exchange in which neither the password nor a password-equivalent is sent to the server.
LDAP/Kerberos/SSO. Integrate centralized authentication such as LDAP, Kerberos (GSSAPI), or single sign-on (SSO) so that account lifecycle and password policy are managed in one place. Prefer GSSAPI or certificate-based methods where available: with the ldap method the client sends its password to the PostgreSQL server, which then binds to the directory on its behalf, so ldap must only be used over an encrypted connection.
Limit access with pg_hba.conf
PostgreSQL's host-based access control file (pg_hba.conf) is your first line of defense for controlling who can connect to the database. Rules are evaluated top to bottom and the first matching rule decides the authentication method, so order matters. To ensure security:
Restrict host connections. Allow only trusted hosts, and finish the file with explicit reject rules so that nothing falls through to an unintended match.
Use CIDR notation. Limit access to specific IP ranges in pg_hba.conf, for example a single application subnet rather than an entire site, and give each role only the databases it needs.
Use the local method. For connections from the same machine, use Unix domain sockets with peer authentication, which limits connections to operating system users whose name matches a database role (or maps to one through pg_ident.conf).
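The following pg_hba.conf is an added example, not configuration from the original page; the subnet 10.0.1.0/24, the monitoring host, the database appdb and the roles app_user and monitor are assumptions chosen for illustration. It combines the three practices above: peer authentication over the socket, CIDR-restricted SCRAM authentication for the application tier, and an explicit reject for everything else.

```text
# pg_hba.conf (added example; addresses, database and role names are assumptions)
# Rules are matched top to bottom and the first match wins, so order matters.
# TYPE   DATABASE   USER        ADDRESS          METHOD

# Local administration over the Unix socket: the OS user must have a
# database role of the same name (use a map=... option with pg_ident.conf
# if the names differ).
local    all        postgres                     peer
local    all        all                          peer

# Application servers only, by CIDR, with SCRAM password authentication,
# and only to the application database.
host     appdb      app_user    10.0.1.0/24      scram-sha-256

# Monitoring from a single host.
host     all        monitor     10.0.2.15/32     scram-sha-256

# Everything else is refused explicitly. The implicit default is also to
# reject, but an explicit rule states the intent and shows up in audits.
host     all        all         0.0.0.0/0        reject
host     all        all         ::/0             reject
```

After editing, run SELECT pg_reload_conf(); and confirm the parsed result with SELECT * FROM pg_hba_file_rules; (PostgreSQL 10 or later, superuser): a rule with a syntax error shows up in its error column instead of silently being skipped. Note that host matches both TLS and plaintext connections; enforcing TLS is covered below.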
Enforce SSL/TLS connections
Encrypt traffic between clients and the PostgreSQL server with TLS (the configuration parameters still use the name ssl). Without it, passwords for methods such as password and ldap, session data, and query results cross the network in cleartext.
Enable SSL. Set ssl = on in postgresql.conf and point ssl_cert_file and ssl_key_file at the server certificate and private key; the key file must be readable only by the server user or the server refuses to load it.
Use valid SSL certificates. Use a certificate issued by a CA your clients trust, or a self-signed certificate whose public part is distributed to every client. Either way clients must connect with sslmode=verify-full: ssl = on encrypts the channel, but only certificate verification on the client side stops a client from handing its credentials to an impostor.
Force SSL. Use hostssl rules in pg_hba.conf so that only TLS connections match, and add hostnossl rules with the reject method so that a plaintext attempt is refused explicitly.
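The fragments below are an added example, not configuration from the original page; the certificate paths, the subnet and the role and database names are assumptions. The first part belongs in postgresql.conf, the second in pg_hba.conf, and together they make TLS mandatory for every TCP connection.

```text
# postgresql.conf (added example; file paths are assumptions)
ssl = on
ssl_cert_file = '/etc/postgresql/tls/server.crt'
ssl_key_file  = '/etc/postgresql/tls/server.key'   # owned by the server user, mode 0600
ssl_ca_file   = '/etc/postgresql/tls/ca.crt'        # only needed to verify client certificates
ssl_min_protocol_version = 'TLSv1.2'

# pg_hba.conf: require TLS for every TCP connection.
# 'hostssl' matches only TLS connections; 'hostnossl ... reject' turns a
# plaintext attempt into an explicit refusal instead of a silent non-match.
# TYPE       DATABASE   USER       ADDRESS        METHOD
hostnossl    all        all        0.0.0.0/0      reject
hostnossl    all        all        ::/0           reject
hostssl      appdb      app_user   10.0.1.0/24    scram-sha-256

# Optionally require a client certificate as well, with its CN checked
# against the role name (PostgreSQL 12 or later):
# hostssl    appdb      app_user   10.0.1.0/24    scram-sha-256  clientcert=verify-full
```

Changing ssl = on requires a restart in older releases and a reload in current ones; SHOW ssl; confirms the running value. To see which sessions are actually encrypted, join pg_stat_ssl to pg_stat_activity on pid: a row with ssl = false for a remote client means a rule still matches plaintext connections. On the client side, pass sslmode=verify-full and sslrootcert pointing at the CA certificate.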
Use role-based access control (RBAC)
PostgreSQL implements a robust role-based access control system. Some key practices include:
Principle of least privilege. Grant each role the minimum privileges necessary, and attach privileges to NOLOGIN group roles that login roles inherit rather than to individual accounts, so that a review sees a handful of groups instead of hundreds of ad hoc grants.
Separate roles for users and applications. Avoid using superuser accounts or the default postgres role for daily operations; give each application and each person its own login role.
Use GRANT/REVOKE. Assign specific privileges to roles, and revoke the defaults that PUBLIC receives (CONNECT on every database, and before PostgreSQL 15 CREATE on the public schema).
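The script below is an added example of the three practices above, not code from the original page; the database appdb, the schema app, and the roles app_owner, app_readonly, app_readwrite, app_user and report_user are assumptions. It builds group roles, closes the PUBLIC defaults, grants only what each group needs, and finishes with a query that shows the resulting grants.

```sql
-- Added example (not from the original page): least-privilege roles for an
-- application. Database, schema and role names are assumptions.

-- 1. An owner role for the application's objects, and group roles that
--    carry privileges. None of them can log in.
CREATE ROLE app_owner     NOLOGIN;
CREATE ROLE app_readonly  NOLOGIN;
CREATE ROLE app_readwrite NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;

-- 2. Login roles are members of a group and inherit its privileges.
--    Set passwords afterwards with \password in psql rather than inline in
--    CREATE ROLE, so the cleartext never reaches the server log.
CREATE ROLE app_user    LOGIN IN ROLE app_readwrite CONNECTION LIMIT 50;
CREATE ROLE report_user LOGIN IN ROLE app_readonly  CONNECTION LIMIT 10;

-- 3. Close the defaults: PUBLIC may connect to every database and, before
--    PostgreSQL 15, create objects in the public schema.
REVOKE ALL     ON DATABASE appdb FROM PUBLIC;
REVOKE CREATE  ON SCHEMA public  FROM PUBLIC;
GRANT  CONNECT ON DATABASE appdb TO app_readonly, app_readwrite;

-- 4. Grant only what each group needs, and only on the application schema.
GRANT USAGE  ON SCHEMA app TO app_readonly, app_readwrite;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_readonly;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_readwrite;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO app_readwrite;

-- 5. "ALL TABLES" covers objects that exist now; default privileges cover
--    the tables app_owner creates later, so new tables do not silently
--    become unreadable (or, worse, get fixed with a broad GRANT).
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT ON TABLES TO app_readonly;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_readwrite;

-- 6. Verify: the grants each group ended up with.
SELECT grantee, table_schema, table_name,
       string_agg(privilege_type::text, ',' ORDER BY privilege_type) AS privileges
FROM   information_schema.role_table_grants
WHERE  grantee IN ('app_readonly', 'app_readwrite')
GROUP  BY 1, 2, 3
ORDER  BY 1, 2, 3;
```

Run it as a superuser or as the database owner. The application connects as app_user and never as app_owner, so a SQL injection in the application cannot DROP or ALTER the tables it reads; migrations run as app_owner through a separate, short-lived connection.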
Use encrypted passwords
Make sure that passwords are stored using a secure hashing method (scram-sha-256 in modern PostgreSQL versions).
Enable scram-sha-256. Configure PostgreSQL to store passwords securely by setting password_encryption = 'scram-sha-256' in postgresql.conf and reloading. The setting affects only passwords set after the change: roles that already hold an md5 hash keep it until their password is set again, and such a role cannot authenticate through a pg_hba.conf rule whose method is scram-sha-256.
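The following is an added example, not code from the original page, of switching the hashing method and then finding the accounts that still carry md5 hashes; the role name app_user in the comments is an assumption. It also applies to the "Use strong authentication methods" section above, since the migration order it describes is what lets pg_hba.conf move from md5 to scram-sha-256 without locking anyone out.

```sql
-- Added example (not from the original page): switch password hashing to
-- SCRAM-SHA-256 and find roles still holding MD5 hashes. Run as a superuser.

-- 1. Change the setting without editing postgresql.conf by hand. ALTER SYSTEM
--    writes postgresql.auto.conf; a reload is enough for this parameter.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
SHOW password_encryption;          -- expected: scram-sha-256

-- 2. Existing hashes are not converted. pg_authid (readable by superusers
--    only) stores 'md5...' for MD5, 'SCRAM-SHA-256$...' for SCRAM, NULL for
--    roles without a password.
SELECT rolname,
       CASE WHEN rolpassword LIKE 'md5%'            THEN 'md5'
            WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
            WHEN rolpassword IS NULL                THEN 'no password'
            ELSE 'unknown' END AS hash_type,
       rolvaliduntil
FROM   pg_authid
WHERE  rolcanlogin
ORDER  BY hash_type, rolname;

-- 3. Every role reported as 'md5' needs its password set again. In psql use
--        \password app_user
--    so the client hashes the new password with the server's current
--    password_encryption and the cleartext never appears in the server log,
--    unlike  ALTER ROLE app_user PASSWORD 'cleartext';  which does.

-- 4. Only once no 'md5' rows remain, change the pg_hba.conf methods from md5
--    to scram-sha-256. The order is safe because a pg_hba.conf rule with
--    method md5 already negotiates SCRAM for a role whose stored hash is
--    SCRAM, while a scram-sha-256 rule cannot authenticate an md5 hash.
```

Rerun the query from step 2 as the final check before editing pg_hba.conf; a role whose hash_type is 'unknown' points at a password set by an older or unusual tool and deserves the same reset.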
Audit and monitor database activity
Enable logging and auditing to keep track of database activity.
Enable connection and query logs. Capture login attempts, successful and failed connections, disconnections, and executed statements with the log_connections, log_disconnections and log_statement settings in postgresql.conf, and include the user, database and client address in log_line_prefix so that every entry can be attributed to a session.
Track role changes. Log DDL and role management (CREATE, ALTER and DROP ROLE, GRANT, REVOKE), and regularly audit role modifications and permissions to detect unauthorized changes.
Use pgAudit. The pgAudit extension provides session and object-level audit logging with far more detail than log_statement, at a known cost in log volume; it is the tool of choice when an auditor asks who read or changed a particular table.
Protect the logs. Log files can contain query text, so restrict their permissions (log_file_mode) and ship them to a system that the database server's operating-system user cannot modify.
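The postgresql.conf fragment below is an added example, not configuration from the original page; the thresholds and the pgAudit classes are starting points chosen for illustration. It covers connection logging, statement logging with its main caveat, and pgAudit for role and DDL tracking.

```text
# postgresql.conf (added example; values are a starting point, not the page's own)
logging_collector = on
log_destination = 'stderr'
log_directory = 'log'
log_file_mode = 0600                       # log lines may contain query text

# Who connected, from where, as which role, and when the session ended.
log_connections = on
log_disconnections = on
log_line_prefix = '%m [%p] %u@%d %r %a '   # time, pid, user@db, remote host:port, app name

# Schema changes are always worth keeping. 'all' additionally records every
# statement text, including a password given inline to CREATE/ALTER ROLE, so
# enable it deliberately and prefer pgAudit for per-object auditing.
log_statement = 'ddl'
log_min_duration_statement = 1000          # statements slower than 1 s, with their text
log_checkpoints = on
log_lock_waits = on

# pgAudit: session-level audit of role changes, DDL and writes.
# The extension must be installed on the host; shared_preload_libraries
# takes effect only after a restart, and each database then needs
# CREATE EXTENSION pgaudit;
shared_preload_libraries = 'pgaudit'
pgaudit.log = 'role, ddl, write'
pgaudit.log_catalog = off                  # skip queries that touch only pg_catalog
pgaudit.log_parameter = off                # bind parameters may carry secrets
```

With this configuration a GRANT or ALTER ROLE produces an AUDIT: SESSION line from pgAudit in addition to the DDL entry from log_statement; the pgAudit line carries the statement class (ROLE, DDL, WRITE) that makes it easy to alert on role changes from a log pipeline without parsing SQL.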
Regular backups and secure backup storage
Backups are crucial, but they must also be secured. Be sure to:
Use encrypted backups. Encrypt backups at rest and in transit; a readable dump or base backup contains the entire dataset, and pg_dumpall output also contains the password hash of every role.
Restrict backup access. Allow only authorized personnel to access, view, or restore backups, and keep the encryption keys separate from the backups themselves.
Test restores. Regularly restore backups into a scratch environment to confirm they are complete, consistent and usable; an untested backup is not a backup.
Disable unnecessary features
Reduce your attack surface by disabling unused features:
Remove unused extensions. Drop any extensions that aren't actively used; each one is additional code running inside the server process, and some, such as adminpack or file_fdw, expose the server's file system to database roles.
Disable trust authentication. Ensure trust authentication isn't used in production: it lets anyone who matches the rule log in with no password at all. Check the effective rules through the pg_hba_file_rules view rather than by reading the file by eye.
Disable untrusted languages. Prevent the use of languages that allow arbitrary code execution as the server's operating-system user, such as plpython3u or plperlu. Only superusers can create functions in untrusted languages, but while they are installed a compromised superuser session is equivalent to a shell on the database host.
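The queries below are an added example, not code from the original page, of checking the three points above from inside the database; plpython3u in the DROP statement stands in for whichever untrusted language the review finds. They need a superuser and PostgreSQL 10 or later for pg_hba_file_rules.

```sql
-- Added example (not from the original page): find weak pg_hba.conf rules,
-- untrusted procedural languages and installed extensions. Run as a superuser.

-- 1. Rules that need no password (trust), send it in cleartext (password)
--    or use the weaker hash (md5), plus any line the server failed to parse.
SELECT line_number, type, database, user_name, address, netmask, auth_method, error
FROM   pg_hba_file_rules
WHERE  auth_method IN ('trust', 'password', 'md5')
    OR error IS NOT NULL
ORDER  BY line_number;

-- 2. Rules that accept connections from any address without rejecting them.
SELECT line_number, type, database, user_name, address, auth_method
FROM   pg_hba_file_rules
WHERE  address IN ('0.0.0.0', '::', 'all')
  AND  auth_method <> 'reject'
ORDER  BY line_number;

-- 3. Untrusted procedural languages (lanispl marks procedural languages;
--    lanpltrusted is false for plpython3u, plperlu and similar).
SELECT lanname
FROM   pg_language
WHERE  lanispl AND NOT lanpltrusted;

-- Remove one that nothing depends on. DROP fails, rather than cascading,
-- if functions still use the language, which is the safe direction.
DROP EXTENSION IF EXISTS plpython3u;

-- 4. Extensions installed in this database; compare against what the
--    application actually uses. Repeat per database.
SELECT extname, extversion
FROM   pg_extension
ORDER  BY extname;
```

An empty result from queries 1 and 2 is the goal. Query 3 returning nothing means no untrusted language is installed in the current database; because languages are per database, run it in each one, or at least in template1, from which new databases are copied.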
Vulnerability scanning and penetration testing
Regularly scan for vulnerabilities. Use security scanners to find known vulnerabilities in PostgreSQL, its extensions and the host, and compare the configuration against a hardening benchmark.
Penetration testing. Test the security of your PostgreSQL instance from the position of an attacker on the network and of a compromised application account. You may need to hire security professionals to test your database security periodically.
Network security controls
Strengthen PostgreSQL's security by securing the network it operates in.
Set firewall rules. Restrict the database port (5432 by default) to the hosts that need it, and set listen_addresses so that the server binds only to the interfaces those hosts reach.
Limit network exposure. Use VPNs or internal networks for database access. Never expose PostgreSQL directly to the internet.
Use intrusion detection. Use IDS tools to monitor for suspicious activity, such as repeated failed logins or connections from unexpected sources.
Regularly review user permissions
Develop a review cadence. Regularly review user and role permissions to ensure no unnecessary privileges were granted; include superuser, CREATEROLE, REPLICATION and BYPASSRLS attributes and role memberships, not only table privileges.
Remove unnecessary privileges. Revoke whatever the review does not justify, and remove access immediately when a user no longer needs it.
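The queries below are an added example, not code from the original page, of what such a review looks at; the role and schema names in the final REVOKE statements (app, report_user, app_readwrite, app_user) are assumptions and must be replaced with names from the review's own findings. Run them as a superuser so that the information_schema views show every grant.

```sql
-- Added example (not from the original page): queries for a periodic
-- permissions review. Run as a superuser.

-- 1. Roles with cluster-wide power. Expect exactly one superuser (the
--    bootstrap role); every other row needs a documented reason.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolreplication,
       rolbypassrls, rolcanlogin, rolvaliduntil
FROM   pg_roles
WHERE  rolsuper OR rolcreaterole OR rolcreatedb OR rolreplication OR rolbypassrls
ORDER  BY rolname;

-- 2. Role membership, including who may grant the membership onwards
--    (admin_option): a member WITH ADMIN OPTION can add anyone to the group.
SELECT m.rolname AS member, g.rolname AS granted_role, am.admin_option
FROM   pg_auth_members am
JOIN   pg_roles m ON m.oid = am.member
JOIN   pg_roles g ON g.oid = am.roleid
ORDER  BY 1, 2;

-- 3. Table privileges held directly by PUBLIC or by login roles. Privileges
--    should normally sit on NOLOGIN group roles, so each row here is either a
--    PUBLIC grant to remove or a direct grant to move onto a group.
SELECT g.grantee, g.table_schema, g.table_name,
       string_agg(g.privilege_type::text, ',' ORDER BY g.privilege_type) AS privileges
FROM   information_schema.role_table_grants g
LEFT   JOIN pg_roles r ON r.rolname = g.grantee::name
WHERE  g.table_schema NOT IN ('pg_catalog', 'information_schema')
  AND  (g.grantee = 'PUBLIC' OR r.rolcanlogin)
GROUP  BY 1, 2, 3
ORDER  BY 1, 2, 3;

-- 4. Login roles whose password never expires; decide per role whether a
--    VALID UNTIL is appropriate (service accounts rotated by automation, for
--    example, should have one).
SELECT rolname
FROM   pg_roles
WHERE  rolcanlogin AND rolvaliduntil IS NULL
ORDER  BY rolname;

-- 5. Revoke what the review does not justify (names are assumptions).
REVOKE ALL ON ALL TABLES IN SCHEMA app FROM report_user;
REVOKE app_readwrite FROM app_user;
```

Keep the output of queries 1 to 3 from each review; a diff between two runs is the fastest way to spot a privilege that appeared without a change ticket.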
Secure OS and file permissions
PostgreSQL runs on an operating system that also needs to be secured.
Restrict file access. Ensure that only the PostgreSQL service user can access critical files such as the data directory, the TLS private key, and the logs. Keep the data directory at mode 0700, which is what initdb creates; PostgreSQL refuses to start if the directory is more permissive than 0700 (or 0750 when group access was chosen at initdb time), so a looser mode is a sign that the check was bypassed.
Harden the OS. Apply operating system hardening practices, including disabling unnecessary services, running the server as a dedicated unprivileged user, and ensuring regular OS updates.