Comprehensive data protection for all workloads
tinto1970
Veeam Legend
Posts: 109
Liked: 32 times
Joined: Sep 26, 2013 8:40 am
Full Name: Alessandro T.
Location: Bologna, Italy

VBR on PostgreSQL: tuning/hardening of the new DB?

Post by tinto1970 »

Good day. First of all, I find the availability of an open source, non-limited and robust DB like PostgreSQL to host the Veeam Enterprise Manager and Backup & Replication applications a great enhancement.

I tried to install both on my PC/personal lab and it worked very well and was easy. But my knowledge and experience with PostgreSQL are really poor.
I installed an SQL tool (HeidiSQL) on the same machine where VBR and PostgreSQL run, and I have seen that I can log in as user "postgres" (no password) and browse the database.

I've been searching for more info about the potential need to perform further configuration (tuning? hardening?) after running the install wizard, but honestly I did not find anything. E.g. the "bestpractices site" still mentions Microsoft SQL only:
https://bp.veeam.com/vbr/2_Design_Struc ... abase.html

Am I missing something? Should I not worry about that? Is something going to arrive soon to assist Veeam admins in the adoption of PostgreSQL? ;)

Thanks in advance for any help/contribution
Alessandro aka Tinto | VMCE 2024 | Veeam Legend | VCP-DCV 2023 | VVSPHT2023 | vExpert 2024
blog.tinivelli.com
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: VBR on PostgreSQL: tuning/hardening of the new DB?

Post by Mildur » 1 person likes this post

Hi Alessandro

A sizing guide is prepared on our side, but I cannot provide any ETA.
The Best Practice guide will normally be updated a few months after a new release from our solution architects. But also no promises on any ETA here.

For security purposes on All-In-One servers, make sure that you only allow PostgreSQL connections from localhost, which should be the default: "C:\Program Files\PostgreSQL\15\data\pg_hba.conf".
Just consider the general security best practice for the entire VBR server. You must protect it from unauthorized access. If you only allow Veeam Console connections to the backup server (use a firewall), nobody can interfere with the PostgreSQL server over the network.

If you migrate to a PostgreSQL server after the upgrade to V12, you need to run a PowerShell command to optimize hardware resources for the PostgreSQL instance which is used for the configuration database. If you install a new v12 backup server, this command is run by the installation process:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian
Product Management Analyst @ Veeam Software
ifi-deda
Novice
Posts: 5
Liked: 1 time
Joined: Dec 16, 2021 8:21 am
Full Name: Iok

Re: VBR on PostgreSQL: tuning/hardening of the new DB?

Post by ifi-deda » 1 person likes this post

Hello.

I have found this post because I'm worried about PostgreSQL security too (and I'm not an expert on PostgreSQL at all).
I guess that you could log into the local PostgreSQL DB (resulting from a default installation on a Veeam B&R machine) without entering a password for the user postgres because this user is mapped to the Windows user that performed the installation, the same one you are logged on with. I have found the file C:\Program Files\PostgreSQL\15\data\pg_ident.conf where the user mapping is configured.
As far as I could understand, you can successfully log in to the PostgreSQL instance by entering any random password for the postgres user, because you are logged into Windows with a user already mapped to the PostgreSQL internal admin called postgres. So I'm not sure, and I hope it is not the case, that Veeam installs PostgreSQL with a blank password for the user postgres.

I have also seen that the default PostgreSQL installation is configured to listen only to connections from localhost (see C:\Program Files\PostgreSQL\15\data\postgresql.conf listen_addresses entry).

But I hope that someone at Veeam could confirm all of this and assure us that:
  1. The default PostgreSQL installation performed by Veeam does not leave the postgres user with a blank password
  2. The default PostgreSQL installation does not allow remote network connections
  3. In short, that the default PostgreSQL installation is secure
Thanks
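
Added example, not part of the thread and not Veeam's or PostgreSQL's own code: a small Python audit of the two files mentioned above, reporting pg_hba.conf rules that are not provably loopback-only or that use the `trust` method, plus the effective `listen_addresses` from postgresql.conf. The sample file contents are constructed for illustration and are not copied from a real Veeam installation; quoted field values and `include` directives are assumed absent.

```python
import ipaddress
import re

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
MASK_RE = re.compile(r"[0-9.]+|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*")  # separate IP-MASK column

def is_loopback(addr, mask=None):
    """True only if the address field provably covers loopback addresses alone."""
    try:
        net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
    except ValueError:
        return False  # keyword (all, samenet), hostname or IPv6 mask: review by hand
    loop = ipaddress.ip_network("127.0.0.0/8" if net.version == 4 else "::1/128")
    return net.subnet_of(loop)

def audit_hba(text):
    """Return (line_no, issue, detail) for rules that need a closer look."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 4 or f[0] not in HOST_TYPES | {"local"}:
            continue
        rest = f[3:]                       # local: METHOD [OPTIONS]
        if f[0] != "local":                # host*: ADDRESS [MASK] METHOD [OPTIONS]
            mask = f[4] if len(f) > 5 and MASK_RE.fullmatch(f[4]) else None
            rest = f[5:] if mask else f[4:]
            if not is_loopback(f[3], mask):
                findings.append((n, "address not provably loopback", f[3]))
        if rest and rest[0] == "trust":
            findings.append((n, "trust auth (no password checked)", f[2]))
    return findings

def listen_addresses(conf_text):
    """Effective listen_addresses list; PostgreSQL's built-in default is 'localhost'."""
    value = "localhost"
    for raw in conf_text.splitlines():
        m = re.match(r"\s*listen_addresses\s*=?\s*'?([^'#]*)'?", raw)
        if m:
            value = m.group(1)
    return [a.strip() for a in value.split(",") if a.strip()]

# Constructed sample input, not copied from a real Veeam installation.
SAMPLE_HBA = """\
host    all       all       127.0.0.1/32    scram-sha-256
host    all       all       ::1/128         scram-sha-256
host    all       postgres  127.0.0.1 255.255.255.255 trust
host    all       all       0.0.0.0/0       scram-sha-256
"""
SAMPLE_CONF = "#listen_addresses = 'localhost'\nlisten_addresses = '*'\n"
```

To check a real server, read the two files under the PostgreSQL data directory and pass their text to `audit_hba()` and `listen_addresses()`; an empty findings list together with only loopback listen addresses matches the localhost-only setup described in the replies above.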