One interesting topic worth exploring - though Ive never implemented this myself - is a firewall technique called port knocking. The idea is your app attempts to connect on a set sequence of ports, and if dont in a specified period of time, the firewall opens up the database port for your ip address only, and closes up again once you disconnect.
Its an interesting technique in theory, but it has its drawbacks. If youre using a database manager, it wont be able to connect, whereas an SSH tunnel or VPN would. And Im not well-versed in other security implications with the technique.
So Im not advocating for this technique. Its not the one I use myself. But I do like the theory of it.
If you must expose the port (never a good idea under any circumstance) always use two-factor authentication. Even if the password is compromised, without the second approval the connection is never completed. Take a look at LoginTC.
It’s another form of password check, with the ‘knocked’ ports representing set bits. Problem is it’s a password that can potentially be recovered from network snooping, so not much better than sending a password in clear text.
I wouldnt completely agree with that statement. Although certainly not a replacement for VPN, MFA and other enterprise-class security controls, port knocking does add a layer of defense to an otherwise insecure connection. A lot of open services are discovered by port scanning and enabling port knocking does make that sort of attack useless if the subsequent knocks have a low delay timeout. In any case, having a layered approach to security such as requiring encrypted passwords, enabling port knocking and enforcing IP banning will go a long way towards keep the bad guys out.
Of course, the best defense is to not expose your services publicly in the first place but if you absolutely must do it then my suggestion is to implement the strongest controls your budget allows. Just make sure to always have at least two, if not more, deterrents protecting your ingress points.
It is a very optimistic assumption that a user will have a unique IP. How many employees are concealed behind a nationwide or international corporate gateway? How does it look like with mobile carriers, that operate their IPv6 devices behind an IPv4 proxy? A server would be open to all mobile telephone subscribers at once.
Using custom certificate/keys to authenticate SSH terminals/tunnels, you can disable passwords.
When I implemented that, I still ended up with logs full of password attacks, sometimes several thousand a day.
Looking for a way to reduce so many (useless) log entries, a few years ago I started using an off-standard port for internet exposed SSH tunnel endpoints, calculated from the date, and changing daily. You need to be able to reconfigure SSH on both sides to calculate and change the SSH server ports via cron or other task scheduler.
My script to backup the databases via RSync tries the ‘yesterday’ and ‘today’ ports to allow for clock timing differences where the other side hasn’t moved the port yet.
Since then, the login ‘failure’ attack reports on all systems dropped to almost zero.
As @Norman Palardy noted, sometimes a lucky attacker finds ‘todays’ port and attempts to log in.
Since passwords are disabled, it’s just more lines of ‘login failures’.
Thanks guys. That’s a lot of useful information. I’ve done a lot of research the last few days.
This comment troubles me a bit. I deleted all the hacked databases and created new databases using the backups I had saved. Now I’m wondering how I could tell if there are any more issues. Are you saying I should uninstall Postgres and reinstall? Or perhaps a total reinstall of windows?
[quote=439648:@Neil Burkholder]Thanks guys. That’s a lot of useful information. I’ve done a lot of research the last few days.
This comment troubles me a bit. I deleted all the hacked databases and created new databases using the backups I had saved. Now I’m wondering how I could tell if there are any more issues. Are you saying I should uninstall Postgres and reinstall? Or perhaps a total reinstall of windows?[/quote]
The machine should be at least wiped. You cant tell if they installed a keylogger or other nefarious software.
To be completely honest, if someone had access to the machine, they could have even modified the bios. If you were my customer, my recommendation would be to flash the bios and start over from scratch, or even better, replace the machine altogether. Your business-continuation insurance should cover things like this.
By having full access to the PosgreSQL database server, does that mean they had access to the machine? To be clear, I had the port 5432 forwarded so it was publicly accessible. So the hacker connected to the db as an admin user, with full access to all the databases on the server.
… and with full access to the DB somebody could implant a reverse shell and execute it at least as db user.
As Greg said, forget the host and whole subnet. Restore from backup and enforce Security by Design and Default.
But they also introduce additional risk thanks to the processor exploits which keep appearing and which range from difficult to impossible to mitigate.
[quote=439627:@Tomas Jakobs]It is a very optimistic assumption that a user will have a unique IP. How many employees are concealed behind a nationwide or international corporate gateway? How does it look like with mobile carriers, that operate their IPv6 devices behind an IPv4 proxy? A server would be open to all mobile telephone subscribers at once.
Sorry for being rude, but the concept is junk![/quote]
Dont get me wrong, Im not advocating for it. Theres a reason nothing supports it. The same reason I chose not to use it. Its just not good enough.
But its not a large attack surface for somebody to have the same address AND attempt to connect at just the right time. The firewall should allow a single connection, then close off again, retaining the established connection. So its not like youd be exposed to the whole network while one person is connected.
Its not a terrible concept, but there are better options out there. Much better. It would take much less time to learn how to setup an SSH tunnel than it would to learn how to code the firewall accordingly, AND be more secure as a result. Theres no reason to select port knocking instead of SSH or a VPN.
[quote=439627:@Tomas Jakobs]It is a very optimistic assumption that a user will have a unique IP. How many employees are concealed behind a nationwide or international corporate gateway? How does it look like with mobile carriers, that operate their IPv6 devices behind an IPv4 proxy? A server would be open to all mobile telephone subscribers at once.
Sorry for being rude, but the concept is junk![/quote]
What does any of what I said have to do with whether or not a user is behind a NAT or shared IP??? I’m speaking about protecting the server from external attacks which will almost certainly have a static IP or, at a minimum, ports forwarded to it. Where the client is located is absolutely irrelevant to this discussion.
I wonder if restoring to a recent restore point would be safe? (Windows 10). I hate to think of the work it would take to do a total wipe, need to re-install everything.
Um … no
At the very least wipe the machine as you cant be 100% sure that the hacker has not used a compromise to gain full access to the machine & install something else like Greg said
