Search Postgresql Archives

Re: How to deny access to Postgres when connected from host/non-local

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks, works.

Sent from my iPhone

> On Apr 3, 2021, at 11:02, Joe Conway <mail@xxxxxxxxxxxxx> wrote:
> 
> On 4/2/21 7:06 PM, A. Reichstadt wrote:
>> Hello,
>> I try to deny access to all databases on my server if the user “postgres" tries to connect from a non-local host. Here is what I did in pg_hba.conf:
>> # TYPE  DATABASE        USER            ADDRESS                 METHOD
>> # "local" is for Unix domain socket connections only
>> local   all             all                                     md5
>> # IPv4 local connections:
>> host    all             all             127.0.0.1/32            md5
>> # IPv6 local connections:
>> host    all             all             ::1/128                 md5
>> # Allow replication connections from localhost, by a user with the
>> # replication privilege.
>> local   replication     all                                     md5
>> host    replication     all             127.0.0.1/32            md5
>> host    replication     all             ::1/128                 md5
>> host    all             all             0.0.0.0/0               md5
>> local   all             postgres                                trust
>> host    all             postgres        0.0.0.0/0               reject
>> But it continues to allow for Postgres to connect from anywhere through PGAdmin but also as a direct connection to port 5432. I also relaunched the server. This is version 12.
>> What else do I have to do?
>> Thanks for any help.
> 
> See:
> https://www.postgresql.org/docs/13/auth-pg-hba-conf.html
> 
> In particular:
> 
>  "Each record specifies a connection type, a client IP
>   address range (if relevant for the connection type),
>   a database name, a user name, and the authentication
>   method to be used for connections matching these
>   parameters. The first record with a matching
>   connection type, client address, requested database,
>   and user name is used to perform authentication."
> 
> So your reject line is never being reached.
> 
> HTH,
> 
> Joe
> 
> -- 
> Crunchy Data - http://crunchydata.com
> PostgreSQL Support for Secure Enterprises
> Consulting, Training, & Open Source Development






[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]

  Powered by Linux