3

I'm setting up a server with PostgreSQL running as a service. I can use nmap to get the current PostgreSQL version:

    nmap -p 5432 -sV [IP]

It returns:

    PORT     STATE SERVICE    VERSION
    5432/tcp open  postgresql PostgreSQL DB 9.3.1

Is there a way to hide the postgresql version from nmap scanning? I've searched but it's all about hiding the OS detection.

Thank you.

Daniel

2 Answers

4

There's only one answer here: Firewall it.

If you have your Postgres port open, you will be probed. If you can be probed, your service can be disrupted. Most databases are not intended to be open like this to the public; they're not hardened against denial-of-service attacks.

Maintain a very narrow white-list of IPs that are allowed to connect to it, and whenever possible use a VPN or an SSH tunnel to connect to Postgres instead of doing it directly. This has the additional advantage of encrypting all your traffic that would otherwise be plain-text.

tadman
  • 1
    @OkieOth Hopefully an educational exercise. Like any tool `nmap` is very useful in the right hands and very dangerous in the wrong ones. – tadman May 16 '17 at 19:59
4

You have a few options, but first understand how Nmap does it: the PostgreSQL database server responds to a malformed handshake with an error message containing the line number in the source code where the error occurred. Nmap has a list of possible PostgreSQL versions and the line number where the error happens in that particular version. The source file in question changes frequently enough that Nmap can usually tell the exact version in use, or at least a range of 2 or 3 version numbers.

So what options do you have?

  1. Do nothing. Why does it matter if someone can tell what version of PostgreSQL you are running? Keep it up to date and implement proper security controls elsewhere and you have nothing to worry about.

  2. Restrict access. Use a firewall to limit access to the database system to only trusted hosts. Configure PostgreSQL to listen only on localhost if network communication is not required. Isolate the system so that unauthorized users can't even talk to it.

  3. Patch the source and rebuild. Change PostgreSQL so that it does not return the source line where the error happened. Or just add a few hundred blank lines to the top of postmaster.c so Nmap's standard fingerprints can't match. But realize you'll have to do this every time there's a new version or security patch.

bonsaiviking
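The error reply described in the answer above, as an added example that is not part of the original post: a parser for the PostgreSQL v3 protocol `ErrorResponse` message that isolates the file, line and routine fields, so you can see what a reachable listener discloses and check a rebuilt server against it. The sample bytes are constructed, and the line number `1234` is a placeholder rather than a real fingerprint value.

```python
import struct

# Field codes from the PostgreSQL v3 protocol ErrorResponse message.
FIELD_NAMES = {"S": "severity", "C": "sqlstate", "M": "message",
               "F": "file", "L": "line", "R": "routine"}
# Fields that reveal source-code layout, which is what version fingerprints key on.
SOURCE_FIELDS = ("file", "line", "routine")


def parse_error_response(data: bytes) -> dict:
    """Parse one ErrorResponse: 'E', int32 length, then (code, cstring)* and a 0 byte."""
    if len(data) < 5 or data[0:1] != b"E":
        raise ValueError("not an ErrorResponse message")
    (length,) = struct.unpack("!I", data[1:5])
    body = data[5:1 + length]          # length counts itself but not the type byte
    if len(body) != length - 4:
        raise ValueError("truncated message")
    fields, pos = {}, 0
    while pos < len(body) and body[pos] != 0:
        code = chr(body[pos])
        end = body.find(b"\x00", pos + 1)
        if end == -1:
            raise ValueError("unterminated field")
        value = body[pos + 1:end].decode("utf-8", "replace")
        fields[FIELD_NAMES.get(code, code)] = value
        pos = end + 1
    return fields


def leaked_source_location(fields: dict) -> dict:
    """Return only the fields that expose where in the source the error was raised."""
    return {k: fields[k] for k in SOURCE_FIELDS if k in fields}


def build_sample() -> bytes:
    """Constructed reply; the line number 1234 is a placeholder, not a real fingerprint."""
    parts = [(b"S", b"FATAL"), (b"C", b"0A000"),
             (b"M", b"unsupported frontend protocol"),
             (b"F", b"postmaster.c"), (b"L", b"1234"),
             (b"R", b"ProcessStartupPacket")]
    body = b"".join(c + v + b"\x00" for c, v in parts) + b"\x00"
    return b"E" + struct.pack("!I", len(body) + 4) + body


if __name__ == "__main__":
    print(leaked_source_location(parse_error_response(build_sample())))
```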