ConfigClarity

Free browser-based DevOps audit tools — no signup, nothing leaves your browser

Fix Docker port exposure

Bind to 127.0.0.1, not 0.0.0.0 — before automated scanners find your Redis

The problem

When you write ports: "6379:6379" in docker-compose.yml, Docker binds the host port on 0.0.0.0 — all network interfaces, including your public IP. Docker also bypasses UFW by inserting its own iptables rules directly. Result: your database is on the internet.

โŒ Publicly accessible โ€” bots find this in minutes
services:
  redis:
    image: redis:7
    ports:
      - "6379:6379"
  postgres:
    image: postgres:15
    ports:
      - "5432:5432"
  mongo:
    image: mongo:6
    ports:
      - "27017:27017"

✅ Fixed — only accessible from localhost
services:
  redis:
    image: redis:7
    ports:
      - "127.0.0.1:6379:6379"
  postgres:
    image: postgres:15
    ports:
      - "127.0.0.1:5432:5432"
  mongo:
    image: mongo:6
    ports:
      - "127.0.0.1:27017:27017"

Or remove ports entirely for internal services

If only other containers need to reach a service, remove the ports: block entirely. Container-to-container communication uses service names on the Docker network — no host port needed.

✅ Best — no host port exposure at all
services:
  app:
    image: myapp
    ports:
      - "127.0.0.1:8080:8080"  # Only if you need host access
  redis:
    image: redis:7
    # No ports: — app connects via "redis:6379" internally
  postgres:
    image: postgres:15
    # No ports: — app connects via "postgres:5432" internally

Verify the fix

# Apply the change
docker compose down && docker compose up -d

# Verify from your server — should connect (localhost)
redis-cli -h 127.0.0.1 -p 6379 ping

# Verify from outside — turn off Wi-Fi, use mobile data
curl --connect-timeout 5 http://YOUR_SERVER_IP:6379
# Should time out or be refused — if it connects, the port is still exposed

Audit all 0.0.0.0 bindings automatically

Paste your docker-compose.yml and the Docker Auditor flags every exposed port with the exact 127.0.0.1 fix.

Open Docker Auditor →
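As an added illustration of what such an audit checks (example code written for this page, not the Docker Auditor's own), the script below parses the compose short port syntax [[host_ip:]host_port:]container_port[/proto] and flags every mapping that is not bound to a loopback address, printing the 127.0.0.1 replacement. The sample compose file is constructed, and the scanner assumes the 2-space-indented services/ports layout used in the examples above.

```python
import ipaddress
# Constructed sample (not from the page): mixed bindings across two services
SAMPLE_COMPOSE = """\
services:
  redis:
    image: redis:7
    ports:
      - "6379:6379"
      - "127.0.0.1:6380:6379"
  ollama:
    image: ollama/ollama
    ports:
      - "11434"                    # ephemeral host port, still on 0.0.0.0
      - "[::1]:11435:11434"
"""

def parse_port_mapping(spec):
    # Compose short syntax: [[host_ip:]host_port:]container_port[/proto]
    body, _, proto = spec.partition("/")
    parts = body.rsplit(":", 2)  # rsplit keeps IPv6 host addresses intact
    return {"host_ip": parts[0] if len(parts) == 3 else None,
            "host_port": parts[-2] if len(parts) >= 2 else None,  # None: ephemeral, still 0.0.0.0
            "container_port": parts[-1], "suffix": "/" + proto if proto else ""}

def audit_spec(service, spec):
    # Return a finding with the 127.0.0.1 fix, or None for an explicit loopback bind
    m = parse_port_mapping(spec)
    try:
        if ipaddress.ip_address((m["host_ip"] or "").strip("[]")).is_loopback:
            return None
    except ValueError:  # no host IP given: Docker defaults to 0.0.0.0
        pass
    fix = f'127.0.0.1:{m["host_port"] or m["container_port"]}:{m["container_port"]}{m["suffix"]}'
    return {"service": service, "spec": spec,
            "bound_to": m["host_ip"] or "0.0.0.0 (default)", "fix": fix}

def audit_compose(text):
    # Line-based scan of the 2-space-indented services/ports layout shown above
    findings, service, in_ports = [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop inline comments
        indent, item = len(line) - len(line.lstrip()), line.strip()
        if indent == 2 and item.endswith(":"):
            service, in_ports = item[:-1], False  # new service block
        elif indent == 4:
            in_ports = item == "ports:"  # only list items under ports: count
        elif in_ports and item.startswith("- "):
            if finding := audit_spec(service, item[2:].strip().strip("\"'")):
                findings.append(finding)
    return findings
```

Running audit_compose(SAMPLE_COMPOSE) reports the redis "6379:6379" and ollama "11434" mappings and leaves the two loopback-bound ones alone.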

Frequently Asked Questions

Does this break my app that connects to the database?

No — if your app runs in a container on the same Docker network, it connects to the database by service name (e.g. postgres:5432), not by host IP. The 127.0.0.1 binding only affects external access from outside the host.

Why doesn't UFW block Docker ports?

Docker writes its NAT rules directly into the iptables PREROUTING chain, which is evaluated before UFW's INPUT chain, so UFW never sees the traffic. The only reliable fix is binding to 127.0.0.1 or removing the port mapping entirely.

My Redis has a password set — is it still a risk?

Yes. Redis passwords can be brute-forced, and some Redis versions have authentication bypass vulnerabilities. Default Docker Redis images have weak configurations. The 127.0.0.1 binding is a defence-in-depth measure regardless of authentication.

What about Ollama on port 11434?

Ollama has no authentication. If you're running Ollama in Docker with ports: "11434:11434", anyone can send inference requests to your GPU. Always use 127.0.0.1:11434:11434 unless you explicitly need remote access.
