
Possible someone trying to hack my RDS?

0

Hi there,

I noticed the following log entries in my RDS log file. The same number of lines has kept repeating for the past few hours.

2023-04-20 18:53:09 UTC:18.138.51.113(59416):postgres@postgres:[30181]:FATAL: password authentication failed for user "postgres"
2023-04-20 18:53:09 UTC:18.138.51.113(59416):postgres@postgres:[30181]:DETAIL: Role "postgres" does not exist.
Connection matched pg_hba.conf line 13: "host all all all md5"

My RDS instance does not have a postgres user and the IP (18.138.51.113) that's trying to connect to my RDS instance looks like it is from Amazon Data centers in Singapore. I do not have any instance there.

Is this a sign of someone trying to gain access to my RDS instance?

Regards, Foong

1 Answer
0

The default PostgreSQL user is postgres for most systems. I would first check whether the RDS DB is publicly accessible; if yes, it is going to be your responsibility under the shared responsibility model: https://aws.amazon.com/compliance/shared-responsibility-model/.

As a security best practice, RDS should only be exposed internally via its VPC and security group, and only to the instances that need to communicate with the database. Unless there is a specific business requirement, RDS instances should not have a public endpoint and should be accessed from within a VPC only. For more information about RDS Postgres security best practices: https://aws.amazon.com/blogs/database/overview-of-security-best-practices-for-amazon-rds-for-postgresql-and-amazon-aurora-postgresql-compatible-edition/

AWS
answered 3 years ago
EXPERT
reviewed 3 years ago
AWS
EXPERT
reviewed 3 years ago
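
An added example, not part of the original question or answer: a Python sketch that parses log lines with the prefix shown in the question, groups failed password attempts by source IP, and separates guesses at roles that do not exist from failures against real roles. The sample lines and IP addresses are constructed, and `summarize`, `flag` and the threshold are names and values chosen here for illustration.

```python
import re

# Prefix as seen in the question: "<time> UTC:<ip>(<port>):<user>@<db>:[<pid>]:<LEVEL>: <msg>"
LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC:'
    r'(?P<ip>[^()\s]+)\(\d+\):(?P<user>[^@]*)@(?P<db>[^:]*):\[\d+\]:'
    r'(?P<level>[A-Z]+):\s*(?P<msg>.*)$')
FAILED = re.compile(r'password authentication failed for user "([^"]*)"')
MISSING = re.compile(r'Role "([^"]*)" does not exist')

def summarize(lines):
    """Per source IP: failure count, roles tried, and which of them do not exist."""
    stats = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # continuation lines, e.g. "Connection matched pg_hba.conf ..."
        failed = FAILED.search(m["msg"]) if m["level"] == "FATAL" else None
        missing = MISSING.search(m["msg"]) if m["level"] == "DETAIL" else None
        if not (failed or missing):
            continue
        s = stats.setdefault(m["ip"], {"failures": 0, "roles": set(),
                                       "missing_roles": set(),
                                       "first": m["ts"], "last": m["ts"]})
        s["last"] = m["ts"]
        if failed:
            s["failures"] += 1
            s["roles"].add(failed.group(1))
        else:
            s["missing_roles"].add(missing.group(1))
    return stats

def flag(stats, threshold=3):
    """IPs with at least `threshold` failed logins (threshold is an assumed value)."""
    return sorted(ip for ip, s in stats.items() if s["failures"] >= threshold)

# Constructed sample input; addresses are from documentation ranges.
SAMPLE = """\
2023-04-20 18:53:09 UTC:203.0.113.7(59416):postgres@postgres:[30181]:FATAL:  password authentication failed for user "postgres"
2023-04-20 18:53:09 UTC:203.0.113.7(59416):postgres@postgres:[30181]:DETAIL:  Role "postgres" does not exist.
Connection matched pg_hba.conf line 13: "host all all all md5"
2023-04-20 18:53:11 UTC:203.0.113.7(59420):admin@postgres:[30185]:FATAL:  password authentication failed for user "admin"
2023-04-20 18:53:11 UTC:203.0.113.7(59420):admin@postgres:[30185]:DETAIL:  Role "admin" does not exist.
2023-04-20 18:53:14 UTC:203.0.113.7(59431):postgres@postgres:[30190]:FATAL:  password authentication failed for user "postgres"
2023-04-20 18:55:02 UTC:198.51.100.20(40112):appuser@appdb:[30201]:FATAL:  password authentication failed for user "appuser"
2023-04-20 18:55:02 UTC:198.51.100.20(40112):appuser@appdb:[30201]:DETAIL:  Password does not match for user "appuser".
""".splitlines()

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s["failures"], sorted(s["roles"] - s["missing_roles"]))
```

Failures against roles that remain after subtracting `missing_roles` are the ones to review first, since those role names exist on the instance.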
