5.2 Ensure PostgreSQL is Bound to an IP Address

Information

By default, listen_addresses is set to localhost which prevents any and all remote TCP connections to the PostgreSQL port.
Some Docker images may set listen_addesses to *. * corresponds to all available IP interfaces; thus, the PostgreSQL server then accepts TCP connections on all the server's IPv6 and IPv4 interfaces. (The same is true for a setting of 0.0.0.0.)
You can make this configuration more restrictive by setting the listen_addresses configuration option to a specific list of IPv4 or IPv6 address so that the server only accepts TCP connections on those addresses.
This parameter can only be set at server start.
Rationale:
Limiting the IP addresses that PostgreSQL listens on provides additional restrictions on where client applications/users can connect from.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To have the PostgreSQL server only accept connections on a specific IP address, add an entry similar to this in the PostgreSQL configuration file postgresql.conf:
listen_addresses = '<your IP>'
To listen on multiple addresses, a comma-separated list may be used:
listen_addresses = '<your first IP>, <your second IP>'
In this case, clients can connect to the server using --host=<your IP>, while connections on other server host addresses are not possible.

See Also

https://workbench.cisecurity.org/benchmarks/17004

Item Details

Category: PLANNING, SYSTEM AND SERVICES ACQUISITION

References: 800-53|PL-8, 800-53|SA-8

Plugin: PostgreSQLDB

Control ID: 048a9ab913c2ca20d54f558e7c47800195c6868797cfbe507b40b81a6a0629a8