Foreword
Session identifiers can be captured and reused in "replay" attacks, and unique, unguessable session IDs are what defends against man-in-the-middle attacks, including session hijacking and the insertion of false information into a session. If an attacker cannot identify or guess the session information associated with pending application traffic, hijacking or otherwise manipulating a valid session becomes much harder. The TCP keepalive settings below support this by letting the server detect a client that has silently gone away and close that session, instead of leaving a half-open connection and its backend process around indefinitely.
1. Check configuration
As the database administrator (shown here as "postgres"), run the following SQL:
# switch to the postgres user
su - postgres
# show the tcp_keepalives_idle setting
psql -c "SHOW tcp_keepalives_idle"
# show the tcp_keepalives_interval setting
psql -c "SHOW tcp_keepalives_interval"
# show the tcp_keepalives_count setting
psql -c "SHOW tcp_keepalives_count"
The default value of all three parameters is 0, which means "use the operating system default" (on Linux typically two hours before the first probe). If these parameters are left at 0, a dead or hijacked client connection can linger for hours, which is a finding.
2. Reinforcement suggestions
As the database administrator (shown here as "postgres"), edit postgresql.conf:
# switch to the postgres user
su - postgres
# edit the postgresql.conf configuration file; $PGDATA is the data-directory environment variable
vi $PGDATA/postgresql.conf
Set the following parameters in the postgresql.conf file to:
tcp_keepalives_idle = 60 # seconds
tcp_keepalives_interval = 10 # seconds
tcp_keepalives_count = 10
Now, still as the postgres user (pg_ctl refuses to run as root), reload the configuration. These parameters take effect on reload, so a full restart is not required:
$ pg_ctl reload -D $PGDATA
Alternatively, from psql: SELECT pg_reload_conf();
Afterwards, re-run the SHOW commands from step 1 to confirm the new values. Note that these settings only apply to TCP connections, not to Unix-domain sockets, and only on platforms whose TCP stack supports the corresponding socket options.
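The following script is an added example, not part of the original guide or of PostgreSQL itself. It audits a postgresql.conf file for the three keepalive parameters without needing a running server, treating a missing or commented-out parameter as 0 the way PostgreSQL does, and it computes the worst-case time before a silent peer is detected (idle + interval * count). The two config files it reads are constructed samples written to temporary files; the helper names pg_conf_get, audit_keepalives and dead_peer_timeout are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): offline audit of the
# tcp_keepalives_* settings in a postgresql.conf file.
# Assumes POSIX grep/sed/awk and the "name = value  # comment" line form
# that initdb writes.

# Print the effective value of one parameter from a config file.
# The last uncommented assignment wins, as in PostgreSQL itself; an unset,
# commented-out or non-numeric value is reported as 0 (PostgreSQL's default,
# meaning "use the operating-system default").
pg_conf_get() {
  local file="$1" name="$2" value
  value=$(grep -E "^[[:space:]]*${name}[[:space:]]*=" "$file" | tail -n 1 \
          | sed -E "s/^[^=]*=[[:space:]]*//; s/[[:space:]]*#.*$//; s/^'//; s/'$//; s/s$//")
  case "$value" in
    ''|*[!0-9]*) value=0 ;;   # unset or not a plain integer -> default 0
  esac
  printf '%s\n' "$value"
}

# Report each keepalive parameter; return 1 if any is unset/0 (a finding).
audit_keepalives() {
  local file="$1" rc=0 p v
  for p in tcp_keepalives_idle tcp_keepalives_interval tcp_keepalives_count; do
    v=$(pg_conf_get "$file" "$p")
    if [ "$v" -eq 0 ]; then
      echo "FINDING: $p is unset or 0 (OS default applies)"; rc=1
    else
      echo "OK: $p = $v"
    fi
  done
  return $rc
}

# Worst-case seconds before a silent/dead peer is detected:
# idle time before the first probe, then count probes spaced interval apart.
dead_peer_timeout() {
  local file="$1"
  echo $(( $(pg_conf_get "$file" tcp_keepalives_idle) \
         + $(pg_conf_get "$file" tcp_keepalives_interval) \
         * $(pg_conf_get "$file" tcp_keepalives_count) ))
}

# Constructed sample configs (not real server files).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: initdb defaults, everything commented out
#tcp_keepalives_idle = 0        # TCP_KEEPIDLE, in seconds;
#tcp_keepalives_interval = 0    # TCP_KEEPINTVL, in seconds;
#tcp_keepalives_count = 0       # TCP_KEEPCNT;
EOF
cat > "$HARD_CONF" <<'EOF'
# constructed sample: the values this guide recommends
tcp_keepalives_idle = 60 # seconds
tcp_keepalives_interval = 10 # seconds
tcp_keepalives_count = 10
EOF

echo "== weak config =="
audit_keepalives "$WEAK_CONF" || echo "-> finding: keepalives left at OS default"
echo "== hardened config =="
audit_keepalives "$HARD_CONF" \
  && echo "-> pass: a dead peer is detected within $(dead_peer_timeout "$HARD_CONF")s"
```

With the recommended values the server gives up on an unresponsive client after 60 + 10 * 10 = 160 seconds; point the functions at $PGDATA/postgresql.conf to audit a real data directory (remember that postgresql.auto.conf and ALTER SYSTEM can override the file, so SHOW on the live server remains the authoritative check).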
Summary
When a user logs off or any other session termination event occurs, PostgreSQL must terminate the user session to minimize the possibility of session hijacking. Enabling TCP keepalives ensures that sessions whose client has disappeared without a clean logoff are also detected and closed within a bounded time, rather than remaining open until the OS default timeout expires.