
Restrict Outside Access to Stratusphere Database

Product: Stratusphere FIT/UX

Product Version: 5.x and higher

Expires on: 365 days from publish date

Updated: Sep 27, 2018


Problem: Database accounts need to be locked down so that they are only accessible from the Hub and the Database server.

Possible Resolution(s): Edit the pg_hba.conf file to limit the Postgres accounts' access to local connections only on the HUB, and to local or HUB connections only on the DB.

On HUB: Back up the pg_hba.conf file. Change DB account access from allowed-from-anywhere to local only. Verify the changes and restart the postgres service. You should see the following changes in pg_hba.conf: 0/0 changes to 127.0.0.1/32 and ::/0 changes to ::1/128.

cp /var/lib/pgsql/current/data/pg_hba.conf /var/lib/pgsql/current/data/pg_hba.conf.backup

sed -i -e 's/0\/0/127.0.0.1\/32/' -e 's/::\/0/::1\/128/' /var/lib/pgsql/current/data/pg_hba.conf

cat /var/lib/pgsql/current/data/pg_hba.conf

#start TNT acl
hostssl all reports 127.0.0.1/32 md5
hostssl all reports ::1/128 md5
host all vcops 127.0.0.1/32 md5
host all vcops ::1/128 md5
hostssl all query 127.0.0.1/32 md5
hostssl all query ::1/128 md5
hostssl all lwl_sync 127.0.0.1/32 md5
hostssl all lwl_sync ::1/128 md5
#end TNT acl
local all postgres ident
host all all 127.0.0.1 255.255.255.255 md5
hostssl all all 127.0.0.1 255.255.255.255 md5
local all all md5

/etc/init.d/postgresql-<TAB> restart


On DB: Back up the pg_hba.conf file. Change DB account access from allowed-from-anywhere to local or from the hub only. Verify the changes and restart the postgres service. You should see the following changes in pg_hba.conf: 0/0 changes to HUBIPADDRESS/32 and ::/0 changes to ::1/128 (use your actual hub IP address in place of HUBIPADDRESS in the sed command).

cp /var/lib/pgsql/current/data/pg_hba.conf /var/lib/pgsql/current/data/pg_hba.conf.backup

sed -i -e 's/0\/0/HUBIPADDRESS\/32/' -e 's/::\/0/::1\/128/' /var/lib/pgsql/current/data/pg_hba.conf

cat /var/lib/pgsql/current/data/pg_hba.conf

#NOTE- FOR THIS EXAMPLE THE HUB IP IS 10.0.61.12
...


...

# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres trust
#host replication postgres 127.0.0.1/32 trust
#host replication postgres ::1/128 trust
hostssl portal impadmin 10.0.61.12/32 md5
hostssl all impadminsu 10.0.61.12/32 md5
hostssl all reports 0/0 md5
host all vcops 0/0 md5
hostssl all query 0/0 md5
hostssl all reports ::/0 md5
host all vcops ::/0 md5
hostssl all query ::/0 md5
hostssl all lwl_sync 127.0.0.1/32 md5

/etc/init.d/postgresql-<TAB> restart
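The "verify the changes" step on both hosts above is done by eye with `cat`. The following script is an added example, not part of the Liquidware article: it parses a pg_hba.conf and prints every host/hostssl/hostnossl rule whose source address is outside an allowlist of CIDRs, exiting non-zero if any remain, so a leftover 0/0 or ::/0 entry is caught before postgres is restarted. The function names, the allowlist argument and the two embedded sample rule sets are constructed for this example; on the HUB the allowlist would be `127.0.0.1/32 ::1/128`, on the DB the hub address is added as well (10.0.61.12/32 in the article's example).

```shell
#!/bin/sh
# Added verification helper (not from the Liquidware article).
#
# check_pg_hba "CIDR CIDR ..." [FILE]
#   Reads FILE (or stdin) as a pg_hba.conf, ignores comments and "local"
#   rules (those use unix sockets and never cross the network), and prints
#   each host* rule whose source address is not in the allowlist.
#   Exit status: 0 if every network rule is confined, 1 otherwise.
check_pg_hba() {
    allowed=$1
    shift
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { sub(/#.*/, "") }                      # strip trailing and full-line comments
        NF < 5 { next }                         # blank lines and malformed short lines
        $1 !~ /^host(ssl|nossl)?$/ { next }     # keep only network rules
        {
            addr = $4
            # pg_hba also accepts "ADDRESS NETMASK" as two fields; fold the
            # single-host mask into CIDR form so it can match the allowlist.
            if (addr !~ /\// && NF >= 6) {
                addr = ($5 == "255.255.255.255") ? addr "/32" : addr "/" $5
            }
            if (!(addr in ok)) { bad++; print "open rule: " $0 }
        }
        END { if (bad > 0) exit 1 }
    ' "$@"
}

# Constructed sample resembling the locked-down HUB listing: every network
# rule is loopback only, including one written in ADDRESS NETMASK form.
sample_locked() {
    cat <<'EOF'
#start TNT acl
hostssl all reports 127.0.0.1/32 md5
hostssl all reports ::1/128 md5
host all vcops 127.0.0.1/32 md5
#end TNT acl
local all postgres ident
host all all 127.0.0.1 255.255.255.255 md5
local all all md5
EOF
}

# Constructed sample still carrying the open entries the procedure removes.
sample_open() {
    cat <<'EOF'
hostssl all reports 0/0 md5
host all vcops ::/0 md5
hostssl all lwl_sync 127.0.0.1/32 md5
EOF
}

# Stand-alone run: `sh check_hba.sh --demo` lists the open rules in the
# constructed sample; `check_pg_hba "127.0.0.1/32 ::1/128" /var/lib/pgsql/current/data/pg_hba.conf`
# checks a real file.
if [ "${1-}" = "--demo" ]; then
    sample_open | check_pg_hba "127.0.0.1/32 ::1/128 10.0.61.12/32"
fi
```

The check is deliberately conservative: anything that is not an exact allowlisted CIDR (keywords such as `samenet`, or a two-field address with a non-/32 mask) is reported, so a rule the script does not recognise is surfaced rather than silently accepted.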
