Understanding attempts to access my Postgres database


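I have a website made up of a set of Docker containers, one of which is a Postgres database, and I have to admit I don't have much experience with this kind of thing. When I looked at the logs, I saw multiple attempts to guess my password: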

 | 2020-11-17 15:08:33.958 UTC [25042] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:33.958 UTC [25042] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:34.567 UTC [25043] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:34.567 UTC [25043] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:35.183 UTC [25044] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:35.183 UTC [25044] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:35.797 UTC [25045] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:35.797 UTC [25045] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:36.417 UTC [25046] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:36.417 UTC [25046] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:37.038 UTC [25047] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:37.038 UTC [25047] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:37.660 UTC [25048] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:37.660 UTC [25048] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:38.268 UTC [25049] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:38.268 UTC [25049] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:38.895 UTC [25050] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:41.996 UTC [25056] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:42.612 UTC [25057] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:42.612 UTC [25057] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:43.226 UTC [25058] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:43.226 UTC [25058] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:43.838 UTC [25059] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:43.838 UTC [25059] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:44.455 UTC [25060] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:44.455 UTC [25060] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:45.074 UTC [25061] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:45.074 UTC [25061] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:45.682 UTC [25062] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:45.682 UTC [25062] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:46.311 UTC [25063] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:46.311 UTC [25063] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:46.937 UTC [25064] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:46.937 UTC [25064] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:47.554 UTC [25065] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:47.554 UTC [25065] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:48.175 UTC [25066] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:48.175 UTC [25066] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-17 15:08:48.791 UTC [25067] FATAL:  password authentication failed for user "postgres"
 | 2020-11-17 15:08:48.791 UTC [25067] DETAIL:  Role "postgres" does not exist.

 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-18 01:15:50.075 UTC [28278] FATAL:  password authentication failed for user "postgres"
 | 2020-11-18 01:15:50.075 UTC [28278] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-18 01:16:23.054 UTC [28280] FATAL:  password authentication failed for user "postgres"
 | 2020-11-18 01:16:23.054 UTC [28280] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-18 01:16:23.800 UTC [28281] FATAL:  password authentication failed for user "postgres"
 | 2020-11-18 01:16:23.800 UTC [28281] DETAIL:  Role "postgres" does not exist.
 |       Connection matched pg_hba.conf line 99: "host all all all md5"
 | 2020-11-18 03:24:13.696 UTC [28537] LOG:  could not receive data from client: Connection reset by peer
 | 2020-11-18 06:29:43.520 UTC [28910] FATAL:  unsupported frontend protocol 0.0: server supports 2.0 to 3.0
 | 2020-11-18 06:29:43.707 UTC [28911] FATAL:  unsupported frontend protocol 255.255: server supports 2.0 to 3.0
 | 2020-11-18 06:29:43.891 UTC [28912] FATAL:  no PostgreSQL user name specified in startup packet
 | 2020-11-18 11:38:43.544 UTC [29529] FATAL:  unsupported frontend protocol 65363.19778: server supports 2.0 to 3.0

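There is a lot more like this. I'm trying to understand what is going on here; I believe only the following ports (which do not include the postgres port) are open on my server: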

# sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
2375/tcp                   ALLOW       Anywhere
2376/tcp                   ALLOW       Anywhere
443                        ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
2375/tcp (v6)              ALLOW       Anywhere (v6)
2376/tcp (v6)              ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

Also, nginx only handles 80 and 443:

server {

    listen 80;
...
server {
    listen 443 ssl;

But I'm no expert on server configuration, so I may have overlooked something very obvious? Thanks for your time.

Update:

After reading the comments, it looks like Docker may be overriding the ufw firewall rules above:

# iptables-save | grep 5432
-A POSTROUTING .... -p tcp -m tcp --dport 5432 -j MASQUERADE
-A DOCKER ! -i ... -p tcp -m tcp --dport 5432 -j DNAT --to-destination ...:5432
-A DOCKER -d ... -p tcp -m tcp --dport 5432 -j ACCEPT

Answer 1

The problem is that Docker is creating iptables rules that bypass the firewall (ufw) rules.

I fixed this by following this guide: https://devopsheaven.com/postgresql/docker/databases/security/ufw/iptables/2018/05/03/secure-postgres-docker-access.html

More information on this here: https://github.com/moby/moby/issues/22054
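An added example, not part of the original answer or the linked guide: a check that compares the ports Docker forwards (DNAT rules in the nat table's DOCKER chain) with the ports ufw lists, and reports those reachable from outside without a ufw rule. The sample input is constructed; the bridge name, container addresses and the loopback-bound port 8080 are assumptions made for illustration.

```python
import re

# Constructed sample input modelled on the outputs in the question;
# the bridge name, addresses and the 8080 rule are made up.
IPTABLES_SAVE = """\
*nat
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 5432 -j MASQUERADE
-A DOCKER ! -i br-example -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.18.0.2:5432
-A DOCKER -d 127.0.0.1/32 ! -i br-example -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.3:80
COMMIT
*filter
-A DOCKER -d 172.18.0.2/32 ! -i br-example -o br-example -p tcp -m tcp --dport 5432 -j ACCEPT
COMMIT
"""
UFW_STATUS = """\
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
443/tcp                    ALLOW       Anywhere
443/tcp (v6)               ALLOW       Anywhere (v6)
"""

def docker_published(iptables_save):
    """Map host port -> (destination match, container target) for Docker DNAT rules."""
    table, found = None, {}
    for line in iptables_save.splitlines():
        if line.startswith("*"):          # "*nat", "*filter": start of a table
            table = line[1:]
        elif table == "nat" and line.startswith("-A DOCKER ") and "-j DNAT" in line:
            port = re.search(r"--dport (\d+)", line)
            target = re.search(r"--to-destination (\S+)", line)
            dest = re.search(r" -d (\S+)", line)   # absent: rule matches any address
            if port and target:
                found[int(port.group(1))] = (dest.group(1) if dest else "any", target.group(1))
    return found

def ufw_allowed(ufw_status):
    """Ports that ufw lists with an ALLOW or LIMIT action."""
    pat = r"^(\d+)(?:/\w+)?(?: \(v6\))?\s+(?:ALLOW|LIMIT)\b"
    return {int(p) for p in re.findall(pat, ufw_status, re.M)}

def bypassing(iptables_save, ufw_status):
    """Ports Docker forwards for non-loopback destinations that ufw does not list."""
    allowed = ufw_allowed(ufw_status)
    return sorted(p for p, (dest, _) in docker_published(iptables_save).items()
                  if p not in allowed and not dest.startswith("127."))

print(bypassing(IPTABLES_SAVE, UFW_STATUS))
```

On a real host, feed the functions the output of `iptables-save` and `ufw status` instead of the sample strings. A port in the result is forwarded to a container before ufw's own rules are consulted, which matches the log lines showing outside clients reaching Postgres on 5432.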
