diff --git a/backend/services/docker-compose.2.0.yml b/backend/services/docker-compose.2.0.yml
index f943f117..ffd3fbe6 100644
--- a/backend/services/docker-compose.2.0.yml
+++ b/backend/services/docker-compose.2.0.yml
@@ -37,7 +37,9 @@ services:
 POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-rwa_secure_password}
 POSTGRES_MULTIPLE_DATABASES: rwa_contribution,rwa_mining,rwa_trading,rwa_mining_admin,rwa_auth,rwa_mining_wallet,rwa_mining_blockchain
 ports:
- - "5432:5432"
+ # 安全加固: 仅绑定 127.0.0.1,禁止公网直连数据库
+ # deploy-mining.sh 通过 docker exec 访问,不受影响
+ - "127.0.0.1:5432:5432"
 volumes:
 - postgres_2_data:/var/lib/postgresql/data
 - ./init-multiple-dbs.sh:/docker-entrypoint-initdb.d/init-multiple-dbs.sh:ro
@@ -64,7 +66,9 @@ services:
 TZ: Asia/Shanghai
 command: redis-server --appendonly yes --databases 20
 ports:
- - "6379:6379"
+ # 安全加固: 仅绑定 127.0.0.1,禁止公网直连 Redis
+ # Redis 无密码保护,暴露公网极易被利用
+ - "127.0.0.1:6379:6379"
 volumes:
 - redis_2_data:/data
 healthcheck:
@@ -84,7 +88,10 @@ services:
 postgres-2:
 condition: service_healthy
 ports:
- - "8084:8083"
+ # 安全加固: 仅绑定 127.0.0.1,禁止公网访问 Debezium REST API
+ # 此前 0.0.0.0:8084 暴露公网,已被注入 3 个恶意 connector (SSRF 攻击读取 /etc/passwd)
+ # deploy-mining.sh 使用 http://localhost:8084 调用,绑定 127.0.0.1 后不受影响
+ - "127.0.0.1:8084:8083"
 environment:
 TZ: Asia/Shanghai
 GROUP_ID: debezium-connect-2
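Review bot: Moving 5432 to the loopback bind is right, but the context line just above `ports:` still ships a committed fallback credential, `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-rwa_secure_password}`, so any host where the variable is not exported comes up with a password that lives in the repository — and in a file being hardened after a confirmed intrusion that is the weak link that remains. I would make the variable mandatory so compose refuses to start rather than silently using the default: `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}`. The bind change also only restricts host-published ports; the database stays reachable as `postgres-2` from every container on the compose network, which is expected but worth saying in the comment so nobody reads "禁止公网直连" as "no network access". The `postgres-2` service definition begins outside this hunk.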
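Review bot: The hunk's own comment states that this Redis has no password (`Redis 无密码保护`), and the loopback bind does not change that: `command: redis-server --appendonly yes --databases 20` is still reachable unauthenticated from every container on the compose network and from any process on the host, which is exactly the lateral path an SSRF in a sibling service (like the Debezium one fixed in this same commit) would use. I would add a required secret to the command, `command: redis-server --appendonly yes --databases 20 --requirepass "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"`, and update clients to authenticate; the `healthcheck:` body that follows is outside the hunk and would need `REDISCLI_AUTH`/`-a` as well. If a password cannot be rolled out immediately, disabling the `CONFIG` command (via `rename-command` or an ACL) at least removes the classic unauthenticated write-to-disk primitive.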
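Review bot: Binding the Connect REST API to 127.0.0.1 stops new injections, but it does nothing about the three malicious connectors the comment says were already registered: Kafka Connect persists connector configs in its internal config topic, so they survive a container restart and, if still present, keep running with whatever they were given. This hunk should be paired with an explicit cleanup (DELETE each rogue connector at `http://localhost:8084/connectors/<name>`, or reset the config/offset/status storage topics) and with rotation of any credential a connector could have exposed — the Postgres password this compose hands out via `${POSTGRES_PASSWORD:-…}` is the obvious candidate, since connector configs carry database credentials and the API returns them in plaintext unless secret externalization is in use. I would record that in the comment, e.g. `# 恶意 connector 已删除, 数据库凭证已轮换` plus the date, so the next reader knows the incident was closed and not just the port. Note the API stays unauthenticated for every container on the compose network; the remainder of the `environment:` block, where that would be configured, lies outside this hunk.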