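I have a website running as a set of Docker containers, one of which is a postgres database, and I have to admit that I don't have much experience with these things. When I looked at the logs, I saw multiple attempts to guess my password: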
| 2020-11-17 15:08:33.958 UTC [25042] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:33.958 UTC [25042] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:34.567 UTC [25043] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:34.567 UTC [25043] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:35.183 UTC [25044] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:35.183 UTC [25044] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:35.797 UTC [25045] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:35.797 UTC [25045] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:36.417 UTC [25046] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:36.417 UTC [25046] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:37.038 UTC [25047] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:37.038 UTC [25047] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:37.660 UTC [25048] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:37.660 UTC [25048] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:38.268 UTC [25049] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:38.268 UTC [25049] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:38.895 UTC [25050] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:41.996 UTC [25056] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:42.612 UTC [25057] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:42.612 UTC [25057] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:43.226 UTC [25058] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:43.226 UTC [25058] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:43.838 UTC [25059] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:43.838 UTC [25059] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:44.455 UTC [25060] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:44.455 UTC [25060] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:45.074 UTC [25061] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:45.074 UTC [25061] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:45.682 UTC [25062] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:45.682 UTC [25062] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:46.311 UTC [25063] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:46.311 UTC [25063] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:46.937 UTC [25064] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:46.937 UTC [25064] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:47.554 UTC [25065] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:47.554 UTC [25065] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:48.175 UTC [25066] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:48.175 UTC [25066] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-17 15:08:48.791 UTC [25067] FATAL: password authentication failed for user "postgres"
| 2020-11-17 15:08:48.791 UTC [25067] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-18 01:15:50.075 UTC [28278] FATAL: password authentication failed for user "postgres"
| 2020-11-18 01:15:50.075 UTC [28278] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-18 01:16:23.054 UTC [28280] FATAL: password authentication failed for user "postgres"
| 2020-11-18 01:16:23.054 UTC [28280] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-18 01:16:23.800 UTC [28281] FATAL: password authentication failed for user "postgres"
| 2020-11-18 01:16:23.800 UTC [28281] DETAIL: Role "postgres" does not exist.
| Connection matched pg_hba.conf line 99: "host all all all md5"
| 2020-11-18 03:24:13.696 UTC [28537] LOG: could not receive data from client: Connection reset by peer
| 2020-11-18 06:29:43.520 UTC [28910] FATAL: unsupported frontend protocol 0.0: server supports 2.0 to 3.0
| 2020-11-18 06:29:43.707 UTC [28911] FATAL: unsupported frontend protocol 255.255: server supports 2.0 to 3.0
| 2020-11-18 06:29:43.891 UTC [28912] FATAL: no PostgreSQL user name specified in startup packet
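| 2020-11-18 11:38:43.544 UTC [29529] FATAL: unsupported frontend protocol 65363.19778: server supports 2.0 to 3.0
And there are more lines like these. I am trying to understand what is happening here; I believe only the following ports (not including the postgres port) are open on my server: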
# sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
2375/tcp                   ALLOW       Anywhere
2376/tcp                   ALLOW       Anywhere
443                        ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
2375/tcp (v6)              ALLOW       Anywhere (v6)
2376/tcp (v6)              ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
Also, nginx only handles 80 and 443:
server {
listen 80;
...
server {
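listen 443 ssl;
But I am not an expert in server-related matters, so I may be missing something obvious? Thanks for your time.
Update:
After reading the comments, it appears that Docker may be overriding the ufw firewall rules above: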
# iptables-save | grep 5432
-A POSTROUTING .... -p tcp -m tcp --dport 5432 -j MASQUERADE
-A DOCKER ! -i ... -p tcp -m tcp --dport 5432 -j DNAT --to-destination ...:5432
-A DOCKER -d ... -p tcp -m tcp --dport 5432 -j ACCEPT
Posted on 2020-11-23 23:52:53
The problem is that Docker is creating iptables rules that bypass the firewall (ufw) rules.
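A check for the situation described above, added here as an example and not part of the original question or answer: it compares the DNAT rules Docker writes into its DOCKER chain with the ports ufw lists, and reports published container ports that ufw does not cover. The sample inputs, addresses, bridge name and function names are constructed for illustration.

```python
import re

# Constructed sample input: addresses and the bridge name are made up, because
# the page's own iptables-save output has those fields elided.
IPTABLES_SAVE = """\
*nat
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 5432 -j MASQUERADE
-A DOCKER ! -i br-0a1b2c3d4e5f -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.18.0.2:5432
-A DOCKER ! -i br-0a1b2c3d4e5f -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.3:443
COMMIT
"""

UFW_STATUS = """\
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
443/tcp                    ALLOW       Anywhere
"""

DNAT_RE = re.compile(
    r"^-A DOCKER .*?-p (?P<proto>tcp|udp)\b.*?--dport (?P<port>\d+)"
    r".*?-j DNAT --to-destination (?P<dest>\S+)", re.M)
UFW_RE = re.compile(r"^(?P<port>\d+)(?:/(?P<proto>tcp|udp))?\s+(?:ALLOW|LIMIT)\b", re.M)


def docker_published(iptables_save):
    """Host ports Docker forwards to containers via DNAT rules in its DOCKER chain."""
    return {(m["proto"], int(m["port"])): m["dest"] for m in DNAT_RE.finditer(iptables_save)}


def ufw_allowed(ufw_status):
    """(proto, port) pairs listed by ufw; a rule without /proto covers tcp and udp."""
    allowed = set()
    for m in UFW_RE.finditer(ufw_status):
        for proto in ([m["proto"]] if m["proto"] else ["tcp", "udp"]):
            allowed.add((proto, int(m["port"])))
    return allowed


def exposed_despite_ufw(iptables_save, ufw_status):
    """Published container ports that ufw does not list, so no ufw rule covers them."""
    allowed = ufw_allowed(ufw_status)
    return {k: v for k, v in docker_published(iptables_save).items() if k not in allowed}


if __name__ == "__main__":
    for (proto, port), dest in sorted(exposed_despite_ufw(IPTABLES_SAVE, UFW_STATUS).items()):
        print(f"{port}/{proto} -> {dest} is published by Docker but absent from ufw")
```

On a real host, pass it the text of `iptables-save` and `ufw status`. For any port it reports, removing the published port mapping or binding it to 127.0.0.1 keeps the service off the public interface.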
https://serverfault.com/questions/1043448