14、Postgresql数据库加固

Categories:

• Wiki

  2 分钟阅读  

– 设置密码策略

ALTER USER postgres PASSWORD ‘your_password’;

ALTER USER postgres VALID UNTIL ’now’ + INTERVAL ‘90 days’;

– 设置登录限制和锁定

ALTER USER qwer CONNECTION LIMIT 0;

ALTER USER qazx CONNECTION LIMIT 0;

ALTER USER wsxc CONNECTION LIMIT 0;

ALTER USER qwer FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME ‘10min’;

ALTER USER qazx FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME ‘10min’;

ALTER USER wsxc FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME ‘10min’;

– 设置登录空闲超时

ALTER ROLE qwer SET idle_in_transaction_session_timeout = ‘30min’;

ALTER ROLE qazx SET idle_in_transaction_session_timeout = ‘30min’;

ALTER ROLE wsxc SET idle_in_transaction_session_timeout = ‘30min’;

– 建立三个账户并实现权限分离

CREATE USER qwer WITH PASSWORD ‘your_password’ SUPERUSER;

CREATE USER qazx WITH PASSWORD ‘your_password’ CREATEDB CREATEROLE;

CREATE USER wsxc WITH PASSWORD ‘your_password’;

– 删除无用的账户

DROP USER username;

– 禁止root远程登录

ALTER USER postgres CONNECTION LIMIT 0;

– 开启SSH，关闭Telnet

ALTER SYSTEM SET listen_addresses TO ’localhost’;

ALTER SYSTEM SET ssl = ‘on’;

– 关闭未使用的端口

ALTER SYSTEM SET port = 5432;

– 配置仅允许指定IP地址登录

UPDATE pg_hba_file SET address = ‘192.168.1.5/32’ WHERE user = ‘qwer’;

– 禁用指定端口

UPDATE pg_hba_file SET method = ‘reject’ WHERE port IN (134, 445, 139);

– 配置日志及远程监控

ALTER SYSTEM SET log_destination = ‘csvlog’;

ALTER SYSTEM SET logging_collector = ‘on’;

ALTER SYSTEM SET log_directory = ‘/var/log/postgresql’;

ALTER SYSTEM SET log_filename = ‘postgresql-%Y-%m-%d.log’;

ALTER SYSTEM SET log_statement = ‘all’;

ALTER SYSTEM SET log_connections = ‘on’;

ALTER SYSTEM SET log_disconnections = ‘on’;

ALTER SYSTEM SET log_line_prefix = ‘%t [%p]: [%l-1] user=%u,db=%d,app=%a,client=%h ‘;

ALTER SYSTEM SET log_lock_waits = ‘on’;

ALTER SYSTEM SET log_autovacuum_min_duration = ‘0’;

ALTER SYSTEM SET log_checkpoints = ‘on’;

SELECT pg_reload_conf();

– 定期备份配置文件

pg_dumpall -U postgres -h localhost -p 5432 -f /path/to/backup.sql