Author: Government Digital Service

Open port 5432: PostgreSQL

What this means

By default, PostgreSQL Server communicates over TCP port 5432. When this port is left accessible to the internet, it creates the possibility of a direct connection to the database engine that an attacker may exploit.

Why this is a problem

PostgreSQL server is a complex application that contains features in addition to the main database engine, such as reporting and integration services, along with email functionality.

Providing access to SQL on the default port from an untrusted network can expose several vulnerabilities and weaknesses.

Combined with misconfiguration and default settings, such as using port 5432, this can cause the following:

  • unauthorised access where attackers can attempt brute-force attacks to gain access to the database
  • SQL injection attacks where, if the server is not properly configured, malicious SQL queries can be injected, potentially exposing or modifying sensitive data
  • data exfiltration where attackers who gain access can extract sensitive business or personal data
  • Denial of Service (DoS) attacks where attackers can overwhelm the server with excessive connection requests, making it unresponsive
  • ransomware and malware injection where open SQL ports can be exploited to install malicious software, encrypting data or causing system disruptions

How to check if the problem is there

There are several methods you can use to identify open SQL ports.

Check from an external Windows based device

You can use either Telnet via Command Prompt or PowerShell to check.

Open Command Prompt and run:

telnet <your service ip> 5432

If the port is open, a connection to the SQL service will be established.

Open PowerShell and run:

test-netconnection <your service ip> -port 5432

If the port is open, a connection to the SQL service will be established.

Check using Nmap

nmap -p 5432 <your service ip>
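
The checks above only show that something accepts connections on port 5432. The following added example (not part of the original guidance) also confirms that the listener answers like PostgreSQL and whether it offers TLS, by sending the protocol's SSLRequest message and reading the one-byte reply. The function name probe_postgres and the result keys are assumptions made for illustration.

```python
import socket
import struct

# PostgreSQL SSLRequest: int32 message length (8) + int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def probe_postgres(host, port=5432, timeout=3.0):
    """Report whether a port is reachable, speaks PostgreSQL, and offers TLS."""
    result = {"state": "open", "postgres": False, "tls": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Host reachable, nothing listening on the port.
        return dict(result, state="closed")
    except (socket.timeout, TimeoutError):
        # No answer at all: typically a firewall silently dropping packets.
        return dict(result, state="filtered")
    except OSError:
        # No route to host, name lookup failure, and similar.
        return dict(result, state="error")
    with sock:
        try:
            sock.sendall(SSL_REQUEST)
            # PostgreSQL answers with exactly one byte. Reading more than one
            # lets us reject banners that merely start with "S" (such as SSH).
            reply = sock.recv(16)
        except OSError:
            reply = b""
    if reply == b"S":      # server is willing to negotiate TLS
        return dict(result, postgres=True, tls=True)
    if reply == b"N":      # server is PostgreSQL but TLS is not enabled
        return dict(result, postgres=True, tls=False)
    return result          # port is open, but the service is not PostgreSQL


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <your service ip>
    print(probe_postgres(sys.argv[1]))
```

Run it from an external device against your own service IP. A result of state "open" with postgres True means the database engine is directly reachable from that network.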

How to fix this

Restrict network access

Restrict network access by carrying out the following:

  • configure firewall rules to allow connections only from trusted IP addresses
  • disable or uninstall services if not required

Enable authentication and encryption

Use authentication for PostgreSQL services.

Regularly monitor logs

Regularly monitor your event logs and consider:

  • using SIEM tools to detect anomalies
  • deploying Intrusion Detection Systems (IDS)
