From ab9212cefadc4727272caed7f4f9916d1140c118 Mon Sep 17 00:00:00 2001
From: hailin
Date: Sat, 14 Feb 2026 19:23:42 -0800
Subject: [PATCH] =?UTF-8?q?security:=20=E5=9F=BA=E7=A1=80=E8=AE=BE?=
 =?UTF-8?q?=E6=96=BD=E7=AB=AF=E5=8F=A3=E7=BB=91=E5=AE=9A=20127.0.0.1?=
 =?UTF-8?q?=EF=BC=8C=E5=B0=81=E5=A0=B5=E5=85=AC=E7=BD=91=E6=9A=B4=E9=9C=B2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PostgreSQL(5432)、Redis(6379)、Debezium REST API(8084) 此前绑定 0.0.0.0,直接暴露在公网。安全审查发现 Debezium 已被注入 3 个恶意 connector(SSRF 攻击尝试读取 /etc/passwd),恶意 connector 已清除。

修改内容:
- PostgreSQL: 0.0.0.0:5432 → 127.0.0.1:5432
- Redis: 0.0.0.0:6379 → 127.0.0.1:6379
- Debezium: 0.0.0.0:8084 → 127.0.0.1:8084

deploy-mining.sh 通过 docker exec 和 localhost 访问,不受影响。

Co-Authored-By: Claude Opus 4.6
---
 backend/services/docker-compose.2.0.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/backend/services/docker-compose.2.0.yml b/backend/services/docker-compose.2.0.yml
index f943f117..ffd3fbe6 100644
--- a/backend/services/docker-compose.2.0.yml
+++ b/backend/services/docker-compose.2.0.yml
@@ -37,7 +37,9 @@ services:
 POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-rwa_secure_password}
 POSTGRES_MULTIPLE_DATABASES: rwa_contribution,rwa_mining,rwa_trading,rwa_mining_admin,rwa_auth,rwa_mining_wallet,rwa_mining_blockchain
 ports:
- - "5432:5432"
+ # 安全加固: 仅绑定 127.0.0.1,禁止公网直连数据库
+ # deploy-mining.sh 通过 docker exec 访问,不受影响
+ - "127.0.0.1:5432:5432"
 volumes:
 - postgres_2_data:/var/lib/postgresql/data
 - ./init-multiple-dbs.sh:/docker-entrypoint-initdb.d/init-multiple-dbs.sh:ro
@@ -64,7 +66,9 @@ services:
 TZ: Asia/Shanghai
 command: redis-server --appendonly yes --databases 20
 ports:
- - "6379:6379"
+ # 安全加固: 仅绑定 127.0.0.1,禁止公网直连 Redis
+ # Redis 无密码保护,暴露公网极易被利用
+ - "127.0.0.1:6379:6379"
 volumes:
 - redis_2_data:/data
 healthcheck:
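Review bot: The loopback bind on the new `ports:` entry leaves the `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-rwa_secure_password}` fallback on the context line above untouched, so a deployment with the variable unset still runs the database with a password committed to the repository, and per the commit message that service was reachable from the internet until now, so the value should be treated as burned. Change the line to `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}` so compose refuses to start without an explicit secret, and rotate it. The new comment says deploy-mining.sh reaches Postgres through `docker exec`; if nothing on the host itself connects to 5432, removing the publish entirely is stronger than a loopback bind. After applying this hunk and the Redis and Debezium hunks, confirm with `ss -ltn` (or `docker port`) that each port listens only on 127.0.0.1 — on some Docker versions an IPv4 loopback publish has also been bound on an IPv6 wildcard, and Docker-published ports typically bypass host firewall rules.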
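Review bot: The new comment on the Redis `ports:` entry records that Redis has no password, but the hunk leaves it that way; a loopback bind only narrows reachability to processes on the host, which is where a compromised neighbour service or an SSRF through one would also sit. The `command:` context line is the place to close that: `command: redis-server --appendonly yes --databases 20 --requirepass "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"`, with the clients of this instance updated to authenticate. As with Postgres, if only other compose services use Redis, dropping the publish altogether is safer than binding it to 127.0.0.1. The `healthcheck:` that follows lies outside the hunk; if it runs `redis-cli ping`, it will need the password as well.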
@@ -84,7 +88,10 @@ services:
 postgres-2:
 condition: service_healthy
 ports:
- - "8084:8083"
+ # 安全加固: 仅绑定 127.0.0.1,禁止公网访问 Debezium REST API
+ # 此前 0.0.0.0:8084 暴露公网,已被注入 3 个恶意 connector (SSRF 攻击读取 /etc/passwd)
+ # deploy-mining.sh 使用 http://localhost:8084 调用,绑定 127.0.0.1 后不受影响
+ - "127.0.0.1:8084:8083"
 environment:
 TZ: Asia/Shanghai
 GROUP_ID: debezium-connect-2
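Review bot: Kafka Connect's REST API carries no authentication of its own, so the loopback bind on the new `ports:` entry is the only control between any host-local process and the connector endpoints; given the incident the new comment records, the response should also include rotating the database credentials held in the existing connector configurations, since the same API returns connector config (including passwords, unless a config provider is used) to anyone who could reach it, and this commit rotates nothing. If only deploy-mining.sh calls the API, the publish can be dropped and the script switched to `docker exec`, as the Postgres hunk already relies on. The comment quotes `http://localhost:8084`; on a dual-stack host `localhost` may resolve to `::1` first while the port is now IPv4-only, so the call should be verified after restart or the comment changed to `http://127.0.0.1:8084`. The incident details belong in a ticket rather than a compose comment; a shorter invariant reads better here, e.g. `# Connect REST API is unauthenticated: never publish it on 0.0.0.0`.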