PostgreSQL database security hardening (11) - limit the number of concurrent sessions of a role


Foreword

Database administration includes controlling how many users, and how many sessions per user, PostgreSQL will accept. If concurrent connections are unlimited, a single account (or an attacker holding its credentials) can exhaust the server's connection slots and cause a Denial of Service (DoS), and even an overload of legitimate users can take the service down. max_connections bounds the total for the whole server; a per-role connection limit keeps any one account from consuming that total. Limiting the number of concurrent sessions per user therefore reduces both risks.

1. Check configuration

1. To check the total number of connections the server allows, run the following as the postgres OS user (the database administrator):

# switch to the postgres OS user
su - postgres
# show the max_connections value configured in postgresql.conf
psql -c 'SHOW max_connections;'

2. To check the number of connections allowed for each role, run the following as the postgres OS user:

# switch to the postgres OS user
su - postgres
# read the pg_authid system catalog (superuser only; the pg_roles view exposes the same columns to any user)
psql -c 'SELECT rolname, rolconnlimit FROM pg_authid'

A role whose rolconnlimit is -1 has no per-role limit: it is bounded only by the server-wide max_connections, so it can use up every slot on its own. Any login role configured with -1 is a security risk.
Description of the pg_authid system catalog fields:

oid: row identifier (hidden attribute; must be selected explicitly)
rolname: role name
rolsuper: role has superuser privileges
rolinherit: role automatically inherits the privileges of the roles it is a member of
rolcreaterole: role can create more roles
rolcreatedb: role can create databases
rolcatupdate: role can update system catalogs directly; unless this is true, even a superuser cannot do so (this column was removed in PostgreSQL 9.5)
rolcanlogin: role can log in, that is, it can be used as the initial session authorization identifier
rolreplication: role is a replication role
rolconnlimit: for roles that can log in, the maximum number of concurrent connections; -1 means no limit
rolpassword: password (possibly encrypted); NULL if none. An MD5-encrypted password starts with the string md5 followed by a 32-character hexadecimal MD5 hash; on current versions a SCRAM-SHA-256 password starts with SCRAM-SHA-256$
rolvaliduntil: password expiry time (used only for password authentication); null if there is no expiry
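The two checks above read max_connections and rolconnlimit separately. The query below is an added example that is not part of the original post: it reads pg_roles (which, unlike pg_authid, any user can query), joins the live session count per role from pg_stat_activity, and flags every login role that is still unlimited, so each role's current usage can be compared with its limit and with max_connections in one pass. It assumes PostgreSQL 10 or later, where pg_stat_activity has the backend_type column used to ignore autovacuum, WAL sender and other non-client backends.

```sql
-- Added audit query (not from the original post).
-- pg_roles is readable by any user; pg_authid requires superuser.
-- backend_type exists from PostgreSQL 10 onward (assumption).
WITH live AS (
    SELECT usename AS rolname, count(*) AS sessions
    FROM pg_stat_activity
    WHERE backend_type = 'client backend'   -- only real client sessions
    GROUP BY usename
)
SELECT r.rolname,
       r.rolsuper,
       r.rolconnlimit,
       COALESCE(l.sessions, 0) AS current_sessions,
       CASE
           WHEN r.rolconnlimit = -1 THEN 'UNLIMITED: bounded only by max_connections'
           WHEN r.rolconnlimit = 0  THEN 'login blocked (limit 0)'
           ELSE 'limited'
       END AS status,
       current_setting('max_connections')::int AS max_connections
FROM pg_roles r
LEFT JOIN live l ON l.rolname = r.rolname
WHERE r.rolcanlogin            -- roles that cannot log in have no sessions to limit
ORDER BY r.rolconnlimit, r.rolname;   -- -1 sorts first, so unlimited roles are at the top
```

Run it as any role that can connect; rows with status UNLIMITED are the ones the reinforcement steps below should address. Superuser rows appear too, but the per-role limit is not applied to superusers by the server, so for them the meaningful control is max_connections together with superuser_reserved_connections.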

2. Reinforcement suggestions

1. Configure an appropriate maximum number of connections
To configure the maximum number of connections the server allows, edit postgresql.conf as the postgres OS user (the database administrator) and set the following line (the value 200 is an example; choose a value that fits the business and the host's memory, and keep superuser_reserved_connections above zero so an administrator can still get in when the ordinary slots are exhausted):

max_connections = 200

# switch to the postgres OS user
su - postgres 
# edit the configuration file
vi ${PGDATA?}/postgresql.conf 


max_connections can only be changed by restarting the server; a reload (SIGHUP) does not pick it up. Restart after editing, then confirm the new value with SHOW max_connections. pg_ctl reload is shown for completeness and is sufficient only for parameters that allow a reload.

# restart the database (needed for max_connections)
pg_ctl -D ${PGDATA?} restart
# confirm the value now in effect
psql -c 'SHOW max_connections;'
# reload the configuration file (enough for reloadable parameters only)
pg_ctl -D ${PGDATA?} reload

2. Limit the maximum number of connections allowed to a role
To limit the number of connections a specific role may hold, run the following as a database administrator (replace <rolname> with the role name):

psql -c "ALTER ROLE <rolname> CONNECTION LIMIT 10"

For example, running this for the admin1 role (account) sets it to a maximum of 10 concurrent connections. The change applies to new connections only; sessions already open are not terminated. Once the limit is reached, further login attempts by that role fail with FATAL: too many connections for role "admin1".

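Applying ALTER ROLE one account at a time is error-prone on a server with many roles. The script below is an added example that is not part of the original post: it caps every login role that is still unlimited, then verifies that nothing unlimited remains and that the per-role limits add up to no more than the slots max_connections actually provides. The cap value of 10, the decision to skip superusers (the server does not enforce rolconnlimit on them) and the decision to skip replication roles are assumptions to adjust for the environment; role names are interpolated with format('%I') so an unusual role name cannot break the generated statement.

```sql
-- Added hardening script (not from the original post).
-- Cap every non-superuser, non-replication login role that is still
-- unlimited (-1) at a fixed number of concurrent sessions.
DO $$
DECLARE
    cap integer := 10;      -- assumed cap; tune per role class if needed
    r   record;
BEGIN
    FOR r IN
        SELECT rolname
        FROM pg_roles
        WHERE rolcanlogin
          AND NOT rolsuper          -- per-role limit is not applied to superusers
          AND NOT rolreplication    -- assumption: leave replication roles alone
          AND rolconnlimit = -1
    LOOP
        -- %I quotes the identifier, so odd role names are handled safely
        EXECUTE format('ALTER ROLE %I CONNECTION LIMIT %s', r.rolname, cap);
        RAISE NOTICE 'capped role % at % connections', r.rolname, cap;
    END LOOP;
END
$$;

-- Verification 1: the only unlimited login roles left should be the ones
-- deliberately skipped above (superusers and replication roles).
SELECT rolname, rolsuper, rolreplication, rolconnlimit
FROM pg_roles
WHERE rolcanlogin AND rolconnlimit = -1
ORDER BY rolname;

-- Verification 2: if the per-role limits add up to more than the slots
-- available to ordinary roles, the limits alone cannot prevent exhaustion
-- and max_connections or the caps need revisiting.
SELECT sum(rolconnlimit) AS sum_of_role_limits,
       current_setting('max_connections')::int
       - current_setting('superuser_reserved_connections')::int AS slots_for_ordinary_roles
FROM pg_roles
WHERE rolcanlogin AND NOT rolsuper AND rolconnlimit >= 0;
```

Run the script as a superuser (ALTER ROLE on other roles requires CREATEROLE or superuser). A limit of 0 blocks new logins entirely while keeping the role, which is useful for temporarily disabling a service account without dropping it.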

Summary

PostgreSQL enforces the per-role limit natively through ALTER ROLE ... CONNECTION LIMIT, so it must simply be configured; no login trigger or add-on is needed. Note that restricting sessions at the web server or application server is not enough: legitimate users and attackers can reach PostgreSQL by other means (psql, scripts, a misconfigured host), so the limit has to be enforced in the database itself, together with an appropriate max_connections.

Origin blog.csdn.net/ma286388309/article/details/129184787