Information
By default, listen_addresses is set to localhost which prevents any and all remote TCP connections to the PostgreSQL port.
Some Docker images may set listen_addresses to *. The value * corresponds to all available IP interfaces; the PostgreSQL server then accepts TCP connections on all of the server's IPv6 and IPv4 interfaces. (The same is true for a setting of 0.0.0.0.)
You can make this configuration more restrictive by setting the listen_addresses configuration option to a specific list of IPv4 or IPv6 addresses so that the server only accepts TCP connections on those addresses.
This parameter can only be set at server start.
Rationale:
Limiting the IP addresses that PostgreSQL listens on provides additional restrictions on where client applications/users can connect from.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To have the PostgreSQL server only accept connections on a specific IP address, add an entry similar to this in the PostgreSQL configuration file postgresql.conf:
listen_addresses = '<your IP>'
To listen on multiple addresses, a comma-separated list may be used:
listen_addresses = '<your first IP>, <your second IP>'
In this case, clients can connect to the server using --host=<your IP>, while connections on other server host addresses are not possible.
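Since the check above is not performed automatically, the following added example (not part of the Nessus plugin or the benchmark) shows how an auditor could script it: it parses a constructed postgresql.conf excerpt, honours PostgreSQL's last-occurrence-wins rule and comment syntax, and flags any wildcard entry (*, 0.0.0.0, or the IPv6 equivalent ::) in listen_addresses.

```python
import re
from typing import List, Tuple

# Values that make the server accept TCP connections on every interface.
# '*' and '0.0.0.0' are named on the page; '::' is the IPv6 all-interfaces form.
WILDCARD_ADDRESSES = {"*", "0.0.0.0", "::"}

# postgresql.conf allows "name = 'value'" or "name 'value'" (the "=" is optional).
_LISTEN_RE = re.compile(r"^\s*listen_addresses\s*=?\s*'([^']*)'", re.IGNORECASE)


def parse_listen_addresses(conf_text: str) -> List[str]:
    """Return the address list from the last uncommented listen_addresses line.
    If the parameter is absent, PostgreSQL's default of 'localhost' applies."""
    value = "localhost"
    for line in conf_text.splitlines():
        code_part = line.split("#", 1)[0]  # anything after '#' is a comment
        match = _LISTEN_RE.match(code_part)
        if match:
            value = match.group(1)  # a later setting overrides an earlier one
    return [addr.strip() for addr in value.split(",") if addr.strip()]


def assess_listen_addresses(addresses: List[str]) -> Tuple[str, List[str]]:
    """Return ('FAIL', offending_entries) when any wildcard is present,
    otherwise ('PASS', []). An empty list means no TCP listener at all."""
    offending = [addr for addr in addresses if addr in WILDCARD_ADDRESSES]
    return ("FAIL" if offending else "PASS"), offending


# Constructed sample: the kind of excerpt a Docker image might ship.
SAMPLE_CONF = """\
listen_addresses = 'localhost'   # overridden by the next line
listen_addresses = '*'           # exposes the server on all interfaces
#listen_addresses = '10.0.0.5'   # commented out, so ignored
port = 5432
"""

# Constructed sample of the hardened form recommended in the Solution.
HARDENED_CONF = "listen_addresses = '10.0.0.5, 2001:db8::5'\n"

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        verdict, bad = assess_listen_addresses(parse_listen_addresses(conf))
        print(f"{name}: {verdict} {bad}")
```

On a running server the effective value can be confirmed with SHOW listen_addresses; and as the Information section notes, a changed value only takes effect after a server restart.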