Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable "CONNECTION_THROTTLING" Parameter for PostgreSQL Servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: PostgreSQL-006

Ensure that "connection_throttling" server parameter is enabled for all PostgreSQL database servers provisioned within your Microsoft Azure cloud account. The "connection_throttling" parameter enables temporary connection throttling per IP address for too many invalid login failures.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enabling "connection_throttling" parameter helps generate logging data with respect to concurrent connections. This logging data can be used to discover PostgreSQL database servers that get degraded by an overload of legitimate users or identify Distributed Denial of Service (DDoS) attacks that work by exhausting the network resources.

Audit

To determine if "connection_throttling" parameter is enabled for your Azure PostgreSQL database servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list only the PostgreSQL servers created in your Azure account.

04 Click on the name of the PostgreSQL database server that you want to examine.

05 In the navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected PostgreSQL server.

06 On Server parameters page, find the connection_throttling parameter using the Search to filter items search box. Once the parameter is found, check its configuration value, available within the VALUE column. If the parameter value is set to OFF, the "connection_throttling" server parameter is not enabled for the selected Azure PostgreSQL database server.

07 Repeat steps no. 4 – 6 for each PostgreSQL database server provisioned in the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run postgres server list command (Windows/macOS/Linux) using custom query filters to list the names of all PostgreSQL database servers (and the name of their associated resource groups) available in the current Azure cloud subscription: 

az postgres server list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested PostgreSQL server information: 

Name                ResourceGroup
------------------  ------------------------------
cc-psql-db-server   cloud-shell-storage-westeurope

03 Run postgres server configuration show command (Windows/macOS/Linux) using the name of the Azure PostgreSQL server that you want to examine and its associated resource group as identifier parameters, and custom query filters, to obtain the "connection_throttling" parameter value for the selected database server: 

az postgres server configuration show
	--server-name "cc-psql-db-server"
	--resource-group "cloud-shell-storage-westeurope"
	--name connection_throttling
	--query 'value'

04 The command output should return the requested configuration value ("ON" for enabled, "OFF" for disabled): 

"OFF"

If postgres server configuration show command output returns "OFF", the "connection_throttling" server parameter is not enabled for the selected Azure PostgreSQL database server.

05 Repeat step no. 3 and 4 for each Microsoft Azure PostgreSQL server available in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable the "connection_throttling" server parameter for all your Microsoft Azure PostgreSQL database servers, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list only the PostgreSQL servers provisioned in your Azure account.

04 Click on the name of the PostgreSQL server that you want to reconfigure (see Audit section part I to identify the right database server).

05 In the navigation panel, under Settings, select Server parameters to access the configuration parameters for the selected PostgreSQL database server.

06 On Server parameters page, find the connection_throttling parameter using the Search to filter items search box.

07 Once the connection_throttling server parameter is found, enable it by selecting ON from the toggle configuration button, available in the VALUE column.

08 Click Save to apply the configuration changes.

09 Repeat steps no. 4 – 8 for each PostgreSQL database server available within the selected subscription.

10 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run postgres server configuration set command (Windows/macOS/Linux) using the name of the PostgreSQL server that you want to reconfigure as identifier parameter (see Audit section part II to identify the right database resource) to enable "connection_throttling" parameter for the selected Microsoft Azure PostgreSQL database server: 

az postgres server configuration set
	--server-name "cc-psql-db-server"
	--resource-group "cloud-shell-storage-westeurope"
	--name connection_throttling
	--value on

02 The command output should return the metadata for the reconfigured server parameter: 

{
  "allowedValues": "on,off",
  "dataType": "Boolean",
  "defaultValue": "on",
  "description": "Enables temporary connection throttling per IP for too many invalid password login failures.",
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforPostgreSQL/servers/cc-psql-db-server/configurations/connection_throttling",
  "name": "connection_throttling",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "source": "user-override",
  "type": "Microsoft.DBforPostgreSQL/servers/configurations",
  "value": "on"
}

03 Repeat step no. 1 and 2 for each PostgreSQL database server currently available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Jul 29, 2019

Related PostgreSQL rules