so basically if you are an idiot admin, and leave the postgresql box open (explicitly opening stuff), and under certain conditions, you can get DoS'd? hrm, this may not be your biggest problem.

maybe if the dba has a clue and only explicitly allows certain ips to even route to the box, and then certain users (1 or 2 or so) that is not available to the public (ie, internet), they would be better off. i would bet that with the lazy/ignorant setup of the dba/admin, that a DoS of postgresql is not the biggest problem, sure one of their redhat boxes has gotten rooted already...

there is nothing that is more important for security and databases than setting them up correctly, and their place on the network. the database is the crown jewel that should never be seen or touched except for when _absolutely_ needed, and that must be under heavy control.

there is a bigger problem here than postgresql, it is the dumbass factor of people that try to run a db, and are vuln to anything... and then complain about it... i find this very annoying. know what you are doing, or stfu is my opinion

-chris

ps -> note this was not directed at any one person, but to the mass of people that never should run a db, and go back to eating paint chips.

-----
disclaimer: i do not speak on behalf of devis (devis.com). i speak on my own behalf.
-----
</rant-mode>

Lamar Owen writes:
> On Monday 26 August 2002 10:46 am, Sir Mordred The Traitor wrote:
> > Conditions: entry in a pg_hba.conf file that matches attacker's host.
> > Risk: average
>
> > --[ Solution
> >
> > Disable network access for untrusted users.
>
> TCP/IP access must be enabled as well. TCP/IP accessibility is OFF by
> default.
>
> I for one thought that it was normal operating procedure to only allow access
> to trusted machines; maybe I'm odd in that regard.
>
> Hey, if I can connect to postmaster I can DoS it quite easily, but flooding it
> with connection requests.....
>
> But, if we can thwart this, all the better.
> --
> Lamar Owen
> WGCR Internet Radio
> 1 Peter 4:11
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to [EMAIL PROTECTED] so that your
> message can get through to the mailing list cleanly

--
Chris Humphries
Development InfoStructure
540.366.9809
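As an added example, not from this thread and not PostgreSQL's own tooling: a small audit script that reads a pg_hba.conf and flags the kind of host rules both posters object to, namely `trust` authentication, address ranges far wider than a couple of trusted machines, and rules that open every database to every role. The sample file, the /24 "too wide" threshold, and the database and role names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample pg_hba.conf (not from the thread). Lines 3 and 4 are the
# wide-open entries the discussion warns about; lines 5 and 6 restrict access
# to two named hosts, one database and one role.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER     ADDRESS          METHOD
local   all       all                       peer
host    all       all      0.0.0.0/0        trust
host    all       all      10.0.0.0/8       md5
host    appdb     appuser  10.0.1.5/32      scram-sha-256
host    appdb     appuser  10.0.1.6/32      scram-sha-256
"""

# Rule types that are reachable over TCP/IP; 'local' (Unix socket) is not.
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
# Anything wider than a /24 (256 addresses) is treated as "not a specific set
# of trusted hosts". Assumed threshold; tune it to your own network layout.
MAX_TRUSTED_ADDRESSES = 256


@dataclass
class Finding:
    line_no: int
    rule: str
    reason: str


def parse_host_rule(fields):
    """Split a host-type rule into (database, user, network-or-None, method).

    Handles both the CIDR form (ADDRESS/PREFIX METHOD) and the separate
    netmask form (ADDRESS NETMASK METHOD). Returns network=None for the
    keywords 'all', 'samehost', 'samenet' and for hostnames.
    """
    database, user, address = fields[1], fields[2], fields[3]
    if "/" in address:
        return database, user, ipaddress.ip_network(address, strict=False), fields[4]
    if address in ("all", "samehost", "samenet"):
        return database, user, None, fields[4]
    try:
        # address followed by a dotted netmask, e.g. 10.0.1.5 255.255.255.255
        network = ipaddress.ip_network(f"{address}/{fields[4]}", strict=False)
        return database, user, network, fields[5]
    except (ValueError, IndexError):
        # Not an IP address: a hostname, with METHOD in the next field.
        return database, user, None, fields[4]


def audit_pg_hba(text):
    """Return Findings for network-reachable rules that are too permissive."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] not in HOST_TYPES:
            continue
        if len(fields) < 5:
            findings.append(Finding(line_no, line, "malformed host rule"))
            continue
        database, user, network, method = parse_host_rule(fields)

        if method == "trust":
            findings.append(Finding(line_no, line, "trust: no credential check at all"))
        elif method == "password":
            findings.append(Finding(line_no, line, "password: cleartext password on the wire"))
        if network is None and fields[3] == "all":
            findings.append(Finding(line_no, line, "address 'all': reachable from any host"))
        elif network is not None and network.num_addresses > MAX_TRUSTED_ADDRESSES:
            findings.append(Finding(line_no, line, f"address range {network} is wider than a /24"))
        if database == "all" and user == "all":
            findings.append(Finding(line_no, line, "all databases for all roles"))
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f.line_no}: {f.reason}\n    {f.rule}")
```

Run against the sample it reports five findings, all on lines 3 and 4, and nothing for the two per-host rules. A host rule only matters once the postmaster is listening on TCP at all, which the thread notes was off by default at the time; network ACLs in front of the box, as the post argues, are the layer that should stop untrusted hosts before pg_hba.conf is ever consulted.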