Warn users that PostgreSQL should not be exposed to Internet #1037

Closed
yanokwa opened this issue May 25, 2019 · 2 comments

@yanokwa
Member

yanokwa commented May 25, 2019

See https://forum.opendatakit.org/t/aggregate-data-loss-on-digital-ocean-droplet/19940 for the post that inspired this issue. In lieu of the warning, we can also try auto-generating a secure password for the PostgreSQL DB. What do you think, @ggalmazor?

Related: https://forum.opendatakit.org/t/change-the-password-aggregate-uses-to-connect-to-postgres/19770
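
An added example (not part of the issue thread or the project's code) of the two measures raised in the comment above: it flags `listen_addresses` and `pg_hba.conf` entries that admit non-local clients, and generates a random database password. The function names and the sample config text are constructed for illustration, and the `pg_hba.conf` parsing assumes the CIDR or keyword address form.

```python
import ipaddress
import re
import secrets

# Constructed sample files for the demo; they are not taken from the issue.
SAMPLE_CONF = "listen_addresses = '*'   # constructed sample\nport = 5432\n"
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   0.0.0.0/0      md5
host    all       all   ::/0           trust
"""
LISTEN_RE = re.compile(r"^\s*listen_addresses\s*(?:=\s*|\s+)(?:'([^']*)'|([^\s#]+))", re.I)

def listen_addresses(conf_text):
    """Effective listen_addresses: the last setting wins, default is localhost."""
    value = "localhost"
    for line in conf_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in value.split(",") if a.strip()]

def is_local(address):
    """True for loopback-only addresses and networks, and the samehost keyword."""
    if address in ("localhost", "samehost"):
        return True
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:  # '*', 'all', 'samenet', hostnames: assume reachable
        return False

def exposed_listeners(conf_text):
    return [a for a in listen_addresses(conf_text) if not is_local(a)]

def remote_hba_rules(hba_text):
    """(line number, address, method) for host* rules that admit non-local clients."""
    rules = []
    for n, line in enumerate(hba_text.splitlines(), start=1):
        f = line.split("#", 1)[0].split()
        # CIDR or keyword address form only; the separate IP + netmask form is not handled.
        if len(f) >= 5 and f[0].startswith("host") and f[4] != "reject" and not is_local(f[3]):
            rules.append((n, f[3], f[4]))
    return rules

def generate_db_password(nbytes=32):
    """Random password from the OS CSPRNG, as the auto-generation idea suggests."""
    return secrets.token_urlsafe(nbytes)
```
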

@scampus77

Hi, as @ggalmazor suggested, below you can read the DigitalOcean team reply concerning the topic on https://forum.opendatakit.org/t/aggregate-data-loss-on-digital-ocean-droplet/19940
Thanks

Hey there,
Unfortunately there isn't much we can do to directly recover the data removed by the attacker; I personally recommend against paying any kind of fee to get it back as the attacker oftentimes simply won't restore anything after being paid.

If you have an external backup I recommend utilizing that to restore any data possible.
With regards to security for the future to help avoid this type of issue you can check out Postgres documentation here: https://www.postgresql.org/docs/7.0/security.htm and this blog post here which I found nice looking: https://severalnines.com/blog/how-secure-your-postgresql-database-10-tips (this is a 3rd party blog post, I haven't run through everything so take it with a grain of salt).

I wish there was more we could do in this instance to help you restore this data; the above should help avoid future situations like this.

You could instead look into utilizing our Managed Database service with Postgres as your DB Engine. We offer some cool security features by default like "Trusted Sources" which can limit access to your cluster to specific IPs/resources on DO: https://www.digitalocean.com/docs/databases/how-to/clusters/secure-clusters/

If you have any other questions or need anything else, just write back in and let us know! Thank you for being a DigitalOcean customer, we are here to assist you.
Regards

@yanokwa
Member Author

yanokwa commented Feb 7, 2022

Aggregate has reached end-of-life so we aren't updating any docs related to it.

@yanokwa yanokwa closed this as completed Feb 7, 2022