security: 基础设施端口绑定 127.0.0.1,封堵公网暴露
PostgreSQL(5432)、Redis(6379)、Debezium REST API(8084) 此前绑定 0.0.0.0,直接暴露在公网。安全审查发现 Debezium 已被注入 3 个恶意 connector(SSRF 攻击尝试读取 /etc/passwd),恶意 connector 已清除。 修改内容: - PostgreSQL: 0.0.0.0:5432 → 127.0.0.1:5432 - Redis: 0.0.0.0:6379 → 127.0.0.1:6379 - Debezium: 0.0.0.0:8084 → 127.0.0.1:8084 deploy-mining.sh 通过 docker exec 和 localhost 访问,不受影响。 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
d27f327f9c
commit
ab9212cefa
@ -37,7 +37,9 @@ services:
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-rwa_secure_password}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-rwa_secure_password}
POSTGRES_MULTIPLE_DATABASES: rwa_contribution,rwa_mining,rwa_trading,rwa_mining_admin,rwa_auth,rwa_mining_wallet,rwa_mining_blockchain
POSTGRES_MULTIPLE_DATABASES: rwa_contribution,rwa_mining,rwa_trading,rwa_mining_admin,rwa_auth,rwa_mining_wallet,rwa_mining_blockchain
ports:
ports:
- "5432:5432"
# 安全加固: 仅绑定 127.0.0.1,禁止公网直连数据库
# deploy-mining.sh 通过 docker exec 访问,不受影响
- "127.0.0.1:5432:5432"
volumes:
volumes:
- postgres_2_data:/var/lib/postgresql/data
- postgres_2_data:/var/lib/postgresql/data
- ./init-multiple-dbs.sh:/docker-entrypoint-initdb.d/init-multiple-dbs.sh:ro
- ./init-multiple-dbs.sh:/docker-entrypoint-initdb.d/init-multiple-dbs.sh:ro
@ -64,7 +66,9 @@ services:
TZ: Asia/Shanghai
TZ: Asia/Shanghai
command: redis-server --appendonly yes --databases 20
command: redis-server --appendonly yes --databases 20
ports:
ports:
- "6379:6379"
# 安全加固: 仅绑定 127.0.0.1,禁止公网直连 Redis
# Redis 无密码保护,暴露公网极易被利用
- "127.0.0.1:6379:6379"
volumes:
volumes:
- redis_2_data:/data
- redis_2_data:/data
healthcheck:
healthcheck:
@ -84,7 +88,10 @@ services:
postgres-2:
postgres-2:
condition: service_healthy
condition: service_healthy
ports:
ports:
- "8084:8083"
# 安全加固: 仅绑定 127.0.0.1,禁止公网访问 Debezium REST API
# 此前 0.0.0.0:8084 暴露公网,已被注入 3 个恶意 connector (SSRF 攻击读取 /etc/passwd)
# deploy-mining.sh 使用 http://localhost:8084 调用,绑定 127.0.0.1 后不受影响
- "127.0.0.1:8084:8083"
environment:
environment:
TZ: Asia/Shanghai
TZ: Asia/Shanghai
GROUP_ID: debezium-connect-2
GROUP_ID: debezium-connect-2
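Review bot: Rebinding the published ports to 127.0.0.1 only narrows exposure on the host interface; every other container on this compose network can still reach `postgres-2` and Redis, and the Redis hunk's own comment (`Redis 无密码保护`) together with the `${POSTGRES_PASSWORD:-rwa_secure_password}` fallback left as context in the first hunk mean that reaching them requires no real credential. Since the Debezium Connect REST API was already used to register attacker connectors, any database credentials that were readable through those connector configs (if they carry the Postgres password — confirm) should be treated as disclosed and rotated, not just shielded by the new binding. Concretely, change the Redis command to `redis-server --appendonly yes --databases 20 --requirepass "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"` and replace the Postgres fallback with `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}` so the stack refuses to start without an explicit secret. It is also worth confirming whether the Connect REST API needs to be published to the host at all, given deploy-mining.sh already reaches the other services via `docker exec`.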