I'm running a production setup with Docker on a VPS for my backend built with Node/Express and Postgres. The Docker configuration correctly exposes Postgres on port 5432, and it's working fine during local development. However, after adding port mapping (-p 5432:5432) for production, I started facing issues. The backend container crashes right away, showing an error in the logs that says "password authentication failed for user 'myuser'". Restarting seems to work temporarily if I change the Postgres password, but the issue comes back quickly. I'm concerned and have these questions:
- Can my database be compromised? How might someone gain access (like brute force attempts), and what tools do attackers commonly use?
- How can I check if there have been any unauthorized access attempts in the logs?
- Why does changing the password work for a short time?
- What's the best approach for securely setting up production? Should I avoid exposing port 5432 publicly and rely on Docker's internal networking instead?
4 Answers
Definitely don't expose the database port to the internet. Ideally, keep your backend and database on a private network and only let the backend communicate with the database. It sounds like you might be dealing with connection issues too; if your backend is trying to reconnect without properly closing previous connections, that could cause problems.
Exposing your database to the internet is risky. I'd suggest switching to a setup where your database isn't accessible externally. You can map it to 127.0.0.1 and create an SSH tunnel when you need to connect. This way, only your backend can access the database securely without being exposed online.
When you expose port 5432, you're setting yourself up as a target for attackers who look for open databases. Make sure to check your VPS firewall settings too. If it's configured to allow connections from anywhere, that's a big vulnerability. You might want to set up internal networks to keep your database safe.
It's concerning that people expose their databases like this. Bots are always scanning for open PostgreSQL ports and will try to brute force passwords. If changing the password works temporarily, it's likely that the bots just haven't cracked the new one yet. My advice? Remove the port mapping entirely and let your backend access the database through Docker's internal network.
Related Questions
How To: Running Codex CLI on Windows with Azure OpenAI
Set Wordpress Featured Image Using Javascript
How To Fix PHP Random Being The Same
Why no WebP Support with Wordpress
Replace Wordpress Cron With Linux Cron
Customize Yoast Canonical URL Programmatically