While testing a Docker deployment of hellopaint.io on a Hetzner root server, I discovered some startling gaps in network security. The server was configured with Uncomplicated Firewall (ufw) to explicitly allow traffic on specific ports, with the assumption that the exposed ports would only be accessible on the host due to ufw. In this test environment, because of my initial assessment, I didn't set up a secure database password.
One fateful morning, I received a network abuse report for my Hetzner server with an accompanying order for lockdown. Apparently, Docker bypasses ufw, and my PostgreSQL database with a weak password was left exposed on the internet. It seems an automatic scan found it and hacked into it, scouring for more targets. Fortuitously, they were unable to breach the container, leaving minimal damage in their wake (aside from my heightened stress level).
The moral of the story is that strong passwords should always be standard practice, whether in a testing or production environment.
Refer to ufw-docker for more insight into this Docker vs ufw loophole and how to mitigate the risk. An equally enlightening tale, sure to raise a few hairs, can also be found here: blog.newsblur.com.
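The root cause of the loophole is that a Compose `ports:` entry such as `"5432:5432"` publishes the port on every host interface, and Docker enforces that with its own iptables rules on the FORWARD path rather than the INPUT chain that ufw's allow/deny rules govern. A quick way to catch this before an abuse report does is to audit the compose file for mappings that lack an explicit host address. The script below is an added example written for this post, not the hellopaint.io deployment's own code or part of ufw-docker; the two compose fragments are constructed, and the weak one mirrors the exposure described above while the hardened one binds the port to loopback so only the host (and the app's sibling containers over the compose network) can reach it.

```python
"""Audit Docker Compose short-syntax port mappings for host-wide exposure.

Added example: a minimal line scanner (no PyYAML dependency) that finds
`ports:` entries and flags any published on all interfaces. Long-syntax
port mappings are not handled.
"""
from dataclasses import dataclass

# Docker binds a published port on every interface unless a host IP is given.
ALL_INTERFACES = ("", "0.0.0.0", "::")


@dataclass(frozen=True)
class PortMapping:
    host_ip: str          # "" means Docker's default: all interfaces
    host_port: str        # "" means Docker picks an ephemeral host port
    container_port: str
    protocol: str

    @property
    def exposed_to_network(self) -> bool:
        """True when the mapping is reachable from outside the host."""
        return self.host_ip in ALL_INTERFACES


def parse_port_mapping(spec: str) -> PortMapping:
    """Parse [host_ip:]host_port:container_port[/protocol].

    IPv6 host addresses are bracketed, e.g. [::1]:5432:5432. A bare
    "5432" publishes the container port on an ephemeral host port.
    """
    spec = spec.strip().strip("\"'")
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = ""
    if spec.startswith("["):
        end = spec.index("]")
        host_ip = spec[1:end]
        spec = spec[end + 1:].lstrip(":")
    parts = spec.split(":")
    if len(parts) == 1:
        return PortMapping(host_ip, "", parts[0], proto)
    if len(parts) == 2:
        return PortMapping(host_ip, parts[0], parts[1], proto)
    if len(parts) == 3 and not host_ip:
        return PortMapping(parts[0], parts[1], parts[2], proto)
    raise ValueError(f"unrecognised port mapping: {spec!r}")


def find_published_ports(compose_text: str) -> list[PortMapping]:
    """Collect every short-syntax list item under a `ports:` key."""
    mappings = []
    ports_indent = None
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if ports_indent is not None:
            if indent > ports_indent and stripped.startswith("- "):
                item = stripped[2:].split("#", 1)[0]  # drop inline comment
                mappings.append(parse_port_mapping(item))
                continue
            ports_indent = None  # left the ports list
        if stripped == "ports:":
            ports_indent = indent
    return mappings


def audit(compose_text: str) -> list[str]:
    """Return one finding per mapping that ufw's INPUT rules will not protect."""
    findings = []
    for m in find_published_ports(compose_text):
        if m.exposed_to_network:
            findings.append(
                f"host {m.host_port or '<ephemeral>'}/{m.protocol} -> container "
                f"{m.container_port} is published on all interfaces; Docker's own "
                f"iptables rules forward it regardless of ufw"
            )
    return findings


# Constructed fragments: the first reproduces the exposure, the second fixes it.
WEAK_COMPOSE = """
services:
  db:
    image: postgres:16
    ports:
      - "5432:5432"   # reachable from the internet, ufw or not
"""

HARDENED_COMPOSE = """
services:
  db:
    image: postgres:16
    ports:
      - "127.0.0.1:5432:5432"   # loopback only; other containers use the compose network
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(name, audit(text) or ["no exposed ports"])
```

Binding to loopback removes the exposure for this service, but it does not close the general loophole: any future `"port:port"` entry reopens it, which is why ufw-docker's approach of adding rules on the DOCKER-USER chain (the hook Docker leaves for user rules on the forwarding path) is the more durable fix for a server that already relies on ufw.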