OT: Open Port to PostGreSQL -- Security issues?

Sivakatirswami katir at hindu.org
Mon May 19 17:01:52 EDT 2008


Aloha,

I hope you all had fun at the conference. Andre is here with us on 
Kauai. I'm taking good care of him. What a brain! Day off here so he's 
off kayaking... then tomorrow we are all off for a trip to the dry side: 
Salt Pond, then up the mountain to Kokee and the Kalalau Valley lookout, 
and then back down to Poipu for body surfing before we get back to 
coding on Wednesday...

Meanwhile we are setting up a new server: 1 Terabyte of hard drive 
space. We upgraded to CentOS 5.1 and we switched to a new control panel 
called VirtualMin. Andre has installed 2.9 and we are in the middle of 
migrating all our content to the new box. Andre is tweaking CGIs, 
consolidating all the Rev web stack libraries into one location (we use 
Revolution for *everything* on our box) and getting our credit card 
processor (monetra) working. We should get thru this tedious stuff in a 
few days and get into some fun Rev apps next week.

OK, my question is: how serious a security risk is opening a port to 
PostGreSQL (or MySQL) for remote transactions? Andre has done great work 
building CGI, and we use POST to do queries and the CGI talks to the 
dBase. But that's really "hard work" for some things... Now that I have 
Plesk out of the way, I can set up users and access without breaking 
anything (Plesk previously broke access control and I couldn't fix it), 
and with the 2.9 upgrades to the dBase toolbox I'm "itching" to create 
some desktop clients to work with databases on the server. But I'm 
interested in everyone's opinions and insights on "gotchas" when 
allowing the PostGreSQL port to be open... I know it will get flagged by our 
PCI (Payment Card Industry) audits, but if I keep the other risk factors 
low enough I might get by with an open port...

What kind of "bad" things can happen? Is a remote login sending the 
PostGreSQL user and password in clear text? Can anyone sniff that?

Cheers from Kauai where the "vog" from the volcano on the big island 
actually shuts out the sun on some days... eerie...

Sivakatirswami

PS: and Way Off Topic:

If any of you run a dedicated server and wear a webserver admin hat 
(like I do) and are "fed up" with Plesk, Ensim, Cpanel (it doesn't take 
long to start banging your head if you use any of those)... then don't 
walk but RUN to get VirtualMin... It's a wrapper for WebMin, and the GUI 
sets up a non-proprietary, standard structured Linux web server (e.g. 
all your virtual domains are just users in /home, which makes so much 
sense), and btw you can migrate your Plesk or Cpanel sites with the "press 
of a button".

The command line junkies on your team can fiddle with httpd.conf and 
IpTables and create dbases under the hood, and all this is neatly 
reflected in the VirtualMin control panel. It's got about ten times the 
features and controls for both your web sites and the server admin than 
Plesk had. PostGreSQL (and all kinds of other open source tools) are 
installed automatically and there is no charge for these modules, and 
you get a rich interface for handling all the dBases from the GUI if 
you want, while your terminal wizards can work on the command line. In 
Plesk, you can't move left or right or you break something...

And, the team behind VirtualMin actually provides *real* support! (I 
mean within minutes or hours at the latest)</end New Cool Software advocacy>
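The question above about an open PostGreSQL port comes down to what the server's pg_hba.conf admits: the TYPE column decides whether a rule matches plain TCP (`host`), TLS-only (`hostssl`) or non-TLS (`hostnossl`) connections, the ADDRESS column decides who may try, and the METHOD column decides how the login is checked. The `password` method sends the password in cleartext, `md5` uses a challenge-response so the password itself is not on the wire, and `trust` asks for no password at all; with any method, a plain `host` rule leaves the queries and result rows unencrypted, and `hostssl` rules only match when the server has `ssl = on` in postgresql.conf. The following audit script is an added example, not part of the original post or of any of the tools mentioned in it; the pg_hba.conf it reads is a constructed sample, and the severity labels are the author's own judgement rather than anything PostgreSQL defines.

```python
"""Audit a pg_hba.conf for rules that expose a remote PostgreSQL port.

Added example (not from the original post). The sample configuration
below is constructed for illustration; the severity labels are our own.
"""
import ipaddress

# Constructed sample: one hardened rule (hostssl + narrow CIDR + md5)
# next to the risky forms discussed on the list.
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER     ADDRESS          METHOD
local     all       all                       peer
host      all       all      127.0.0.1/32     md5
host      all       all      0.0.0.0/0        password
host      shop      shopapp  203.0.113.0/24   trust
hostssl   shop      shopapp  203.0.113.10/32  md5
hostnossl all       all      0.0.0.0/0        reject
"""


def _looks_like_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hba(text):
    """Return one dict per rule: line, type, db, user, address, method."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        conn_type = parts[0]
        if conn_type == "local":
            if len(parts) < 4:
                continue  # malformed; PostgreSQL itself would refuse it
            db, user, address, method = parts[1], parts[2], None, parts[3]
        else:
            if len(parts) < 5:
                continue
            db, user, address = parts[1], parts[2], parts[3]
            rest = parts[4:]
            # Old "IP NETMASK METHOD" form: fold the mask into the address
            if "/" not in address and _looks_like_ip(rest[0]):
                address = f"{address}/{rest[0]}"
                rest = rest[1:]
            if not rest:
                continue
            method = rest[0]
        rules.append({"line": lineno, "type": conn_type, "db": db,
                      "user": user, "address": address, "method": method})
    return rules


def _reach(address):
    """Classify the ADDRESS field as 'world', 'loopback' or 'scoped'."""
    if address == "all":
        return "world"
    if address in ("samehost", "samenet"):
        return "scoped"
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return "scoped"  # a hostname; resolved by the server at connect time
    if net.prefixlen == 0:
        return "world"
    if net.is_loopback:
        return "loopback"
    return "scoped"


def audit(rules):
    """Flag rules that admit remote clients without authentication or TLS."""
    findings = []
    for r in rules:
        if r["type"] == "local" or r["method"] == "reject":
            continue  # Unix sockets and explicit rejections are not exposure
        reach = _reach(r["address"])
        if reach == "loopback":
            continue
        encrypted = r["type"] == "hostssl"
        where = (f"line {r['line']} ({r['type']} {r['db']} {r['user']} "
                 f"{r['address']} {r['method']})")
        if r["method"] == "trust":
            findings.append({"line": r["line"], "severity": "critical",
                             "reason": f"{where}: 'trust' lets any client in that "
                                       f"range log in as '{r['user']}' with no password"})
        if r["method"] == "password" and not encrypted:
            findings.append({"line": r["line"], "severity": "high",
                             "reason": f"{where}: 'password' sends the password in "
                                       "cleartext and the rule is not hostssl, so "
                                       "it is readable on the wire"})
        if reach == "world" and not encrypted:
            findings.append({"line": r["line"], "severity": "high",
                             "reason": f"{where}: open to every address without TLS; "
                                       "queries and results cross the network "
                                       "unencrypted even when the login is md5"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_hba(SAMPLE_PG_HBA)):
        print(f"[{f['severity']}] {f['reason']}")
```

Run against the sample, the script reports the world-open `password` rule twice (cleartext login, unencrypted session) and the `trust` rule once, while the `hostssl ... md5` rule scoped to a single address passes clean; that last form, plus a firewall rule limiting the port to the same addresses, is the shape a PCI reviewer would expect to see.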
More information about the use-livecode mailing list