I have a website made up of a set of Docker containers, one of which is a Postgres database, and I have to admit I don't have much experience with this stuff. When I looked at the logs, I saw many attempts to guess my password:
| 2020-11-17 15:08:33.958 UTC [25042] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:33.958 UTC [25042] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:34.567 UTC [25043] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:34.567 UTC [25043] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:35.183 UTC [25044] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:35.183 UTC [25044] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:35.797 UTC [25045] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:35.797 UTC [25045] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:36.417 UTC [25046] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:36.417 UTC [25046] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:37.038 UTC [25047] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:37.038 UTC [25047] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:37.660 UTC [25048] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:37.660 UTC [25048] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:38.268 UTC [25049] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:38.268 UTC [25049] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:38.895 UTC [25050] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:41.996 UTC [25056] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:42.612 UTC [25057] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:42.612 UTC [25057] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:43.226 UTC [25058] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:43.226 UTC [25058] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:43.838 UTC [25059] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:43.838 UTC [25059] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:44.455 UTC [25060] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:44.455 UTC [25060] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:45.074 UTC [25061] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:45.074 UTC [25061] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:45.682 UTC [25062] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:45.682 UTC [25062] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:46.311 UTC [25063] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:46.311 UTC [25063] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:46.937 UTC [25064] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:46.937 UTC [25064] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:47.554 UTC [25065] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:47.554 UTC [25065] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:48.175 UTC [25066] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:48.175 UTC [25066] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:48.791 UTC [25067] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:48.791 UTC [25067] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-18 01:15:50.075 UTC [28278] FATAL: password authentication failed for user "postgres"
| 2020-11-18 01:15:50.075 UTC [28278] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-18 01:16:23.054 UTC [28280] FATAL: password authentication failed for user "postgres"
| 2020-11-18 01:16:23.054 UTC [28280] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-18 01:16:23.800 UTC [28281] FATAL: password authentication failed for user "postgres"
| 2020-11-18 01:16:23.800 UTC [28281] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-18 03:24:13.696 UTC [28537] LOG: could not receive data from client: Connection reset by peer
| 2020-11-18 06:29:43.520 UTC [28910] FATAL: unsupported frontend protocol 0.0: server supports 2.0 to 3.0
| 2020-11-18 06:29:43.707 UTC [28911] FATAL: unsupported frontend protocol 255.255: server supports 2.0 to 3.0
| 2020-11-18 06:29:43.891 UTC [28912] FATAL: no PostgreSQL user name specified in startup packet
| 2020-11-18 11:38:43.544 UTC [29529] FATAL: unsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
And there is a lot more like this. I'm trying to understand what is going on here; I believe only the following ports (not including the postgres port) are open on my server:
# sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp LIMIT Anywhere
2375/tcp ALLOW Anywhere
2376/tcp ALLOW Anywhere
443 ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
2375/tcp (v6) ALLOW Anywhere (v6)
2376/tcp (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Also, nginx only handles 80 and 443:
server {
listen 80;
...
server {
listen 443 ssl;
But I am not an expert in server configuration, so maybe I've overlooked something very obvious? Thanks for your time
Update:
After reading the comments, it looks like docker may be overriding the ufw firewall rules above:
# iptables-save | grep 5432
-A POSTROUTING .... -p tcp -m tcp --dport 5432 -j MASQUERADE
-A DOCKER ! -i ... -p tcp -m tcp --dport 5432 -j DNAT --to-destination ...:5432
-A DOCKER -d ... -p tcp -m tcp --dport 5432 -j ACCEPT
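As an added example (not part of the question or its answer), the following script parses log lines shaped like the ones above and separates the three things they show: password failures against a role, the fact that the guessed role does not even exist, and malformed-protocol probes from scanners. It then flags users with a burst of failures inside a sliding window. The sample log is a constructed subset modelled on the question's output, and the 60-second window and threshold of 3 are assumed tuning values, not anything the page states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample modelled on the question's postgres log (a subset, not the real log).
SAMPLE_LOG = """\
2020-11-17 15:08:33.958 UTC [25042] FATAL: password authentication failed for user "postgres"
2020-11-17 15:08:33.958 UTC [25042] DETAIL: Role "postgres" does not exist.
Connection matched pg_hba.conf line 99: "host all all all md5"
2020-11-17 15:08:34.567 UTC [25043] FATAL: password authentication failed for user "postgres"
2020-11-17 15:08:35.183 UTC [25044] FATAL: password authentication failed for user "postgres"
2020-11-18 01:15:50.075 UTC [28278] FATAL: password authentication failed for user "postgres"
2020-11-18 06:29:43.520 UTC [28910] FATAL: unsupported frontend protocol 0.0: server supports 2.0 to 3.0
"""

LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \w+ \[\d+\] (\w+):\s+(.*)$')
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "([^"]+)"')
NO_ROLE_RE = re.compile(r'Role "([^"]+)" does not exist')
PROBE_MARKERS = ("unsupported frontend protocol", "no PostgreSQL user name specified")

def parse_events(text):
    """Return (timestamp, kind, user) tuples; kind is auth_fail, no_role or probe."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the "Connection matched pg_hba.conf" continuation line
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3)
        if (a := AUTH_FAIL_RE.search(msg)):
            events.append((ts, "auth_fail", a.group(1)))
        elif (r := NO_ROLE_RE.search(msg)):
            events.append((ts, "no_role", r.group(1)))  # guessed role is not even defined
        elif any(k in msg for k in PROBE_MARKERS):
            events.append((ts, "probe", None))  # scanner speaking garbage, not a login attempt
    return events

def max_in_window(stamps, window):
    """Largest number of timestamps that fall inside any sliding window of length `window`."""
    stamps, best, start = sorted(stamps), 0, 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Users whose auth failures reach `threshold` inside one window: the brute-force signal."""
    by_user = defaultdict(list)
    for ts, kind, user in events:
        if kind == "auth_fail":
            by_user[user].append(ts)
    return {u: n for u, s in by_user.items() if (n := max_in_window(s, window)) >= threshold}
```

Feed it `docker logs <container>` output instead of SAMPLE_LOG to get per-user burst counts for a real instance; the isolated failure on the second day is correctly not reported as a burst.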
Answer 1
The problem is that docker is creating iptables rules that bypass the firewall (ufw) rules.
I fixed it by following this guide: https://devopsheaven.com/postgresql/docker/databases/security/ufw/iptables/2018/05/03/secure-postgres-docker-access.html
More information on this here: https://github.com/moby/moby/issues/22054