by stevekemp 2220 days ago
The guide exposes the back-end webserver to the public, by accident.

Instead of:

    ports:
      - "2368:2368"
    expose:
      - "2368"

The author probably just needs:

    ports:
      - 127.0.0.1:2368:2368
That way "localhost:2368" will be routed to port 2368 inside the container, so that caddy can reach it, but it will not be accessible externally, as it is right now:

    $ curl -v https://sphuff.com:2368

Though of course the ideal solution would be to run caddy as another container, and link them together.
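A check in the spirit of the fix above, as an added example that is not part of the comment or of the guide under discussion: it parses Docker's short port syntax (`[host_ip:][host_port:]container_port[/protocol]`), reports `ports:` entries that publish a container port on a non-loopback address, and rewrites them to bind 127.0.0.1. The compose file it scans is constructed here (Ghost on 2368 and Redis on 6379, the two services named in the thread); `expose:` entries are skipped on purpose, since they never open a host port. It assumes the daemon's default publish address is 0.0.0.0 (dockerd not started with `--ip`), and it is a line scanner for the usual layout of the short syntax, not a YAML parser.

```python
"""Flag docker-compose port mappings that publish a container port on every
host interface.  Added example; sample compose files are constructed."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple


class PortMapping(NamedTuple):
    host_ip: Optional[str]      # None: docker's default publish address (assumed 0.0.0.0)
    host_port: Optional[str]    # None: docker picks an ephemeral host port
    container_port: str
    protocol: str


def parse_port_mapping(spec: str) -> PortMapping:
    """Parse Docker's short syntax, e.g. "2368", "2368:2368",
    "127.0.0.1:2368:2368", "127.0.0.1::2368", "[::1]:6379:6379/udp"."""
    spec = str(spec).strip()
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):                    # bracketed IPv6 host address
        end = spec.index("]")
        host_ip = spec[1:end]
        spec = spec[end + 1:].lstrip(":")
    parts = spec.split(":")
    if len(parts) == 1:
        return PortMapping(host_ip, None, parts[0], proto)
    if len(parts) == 2:
        return PortMapping(host_ip, parts[0] or None, parts[1], proto)
    if len(parts) == 3 and host_ip is None:
        return PortMapping(parts[0], parts[1] or None, parts[2], proto)
    raise ValueError(f"unrecognised port mapping: {spec!r}")


def is_public(m: PortMapping) -> bool:
    """True when the host side listens on anything other than a loopback address.
    An omitted host IP means the daemon default, assumed here to be 0.0.0.0."""
    if m.host_ip is None:
        return True
    return not ipaddress.ip_address(m.host_ip).is_loopback


def loopback_only(spec: str) -> str:
    """Rewrite a mapping so only processes on the host (e.g. caddy) can reach it."""
    m = parse_port_mapping(spec)
    host_port = m.host_port or ""               # "" keeps the ephemeral host port
    suffix = "" if m.protocol == "tcp" else f"/{m.protocol}"
    return f"127.0.0.1:{host_port}:{m.container_port}{suffix}"


def audit_compose(text: str, intended_public=()) -> List[Tuple[str, str]]:
    """Return (service, mapping) for each published mapping reachable beyond loopback.
    Handles the short list syntax only (not the long target:/published: form) and
    skips expose:, which merely advertises a port to other containers."""
    findings: List[Tuple[str, str]] = []
    services_indent = service_indent = ports_indent = None
    service = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if ports_indent is not None:
            if line.startswith("-") and indent > ports_indent:
                spec = line[1:].strip().strip("\"'")
                if service not in intended_public and is_public(parse_port_mapping(spec)):
                    findings.append((service, spec))
                continue
            ports_indent = None                 # the ports: list has ended
        if line == "services:":
            services_indent, service_indent, service = indent, None, None
            continue
        if services_indent is None:
            continue
        if indent <= services_indent:           # left the services: block
            services_indent, service = None, None
            continue
        if service_indent is None:
            service_indent = indent             # first key under services: sets the level
        key = re.match(r"^([\w.-]+):\s*$", line)
        if indent == service_indent and key:
            service = key.group(1)
        elif line == "ports:" and service is not None:
            ports_indent = indent
    return findings


# Constructed sample: the layout the comment describes (ports + expose on the back end).
BROKEN_COMPOSE = """\
version: "3"
services:
  ghost:
    image: ghost
    ports:
      - "2368:2368"
    expose:
      - "2368"
  redis:
    image: redis
    ports:
      - "6379:6379"
"""

# Same file with both mappings bound to loopback, as the comment suggests.
FIXED_COMPOSE = BROKEN_COMPOSE.replace('"2368:2368"', '"127.0.0.1:2368:2368"') \
                              .replace('"6379:6379"', '"127.0.0.1:6379:6379"')

if __name__ == "__main__":
    for service, spec in audit_compose(BROKEN_COMPOSE):
        print(f"{service}: {spec!r} is reachable from outside; use {loopback_only(spec)!r}")
```

Run it as a script to see the two offending mappings and their loopback-bound replacements; pass `intended_public=("caddy",)` or similar when a service really is meant to answer on 0.0.0.0. The check does not replace the `curl` from outside the box that the comment shows, which remains the definitive test of what is actually listening.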

I see this a lot with redis in docker compose as well. I've even done it by mistake.

Also, why the heck doesn't redis have auth by default? It's so ridiculously easy to get "hacked" and inadvertently run a crypto miner.

Can you run a crypto miner as a lua script in Redis? That is actually kinda cool tbh. You'd notice pretty quickly since Redis won't respond anymore.
A little more complex than that. They issue a command that ends up downloading a bunch of shell scripts and goes from there. It does a lot of other nasty things too, like trying to steal any ssh key on the machine, presumably to use those machines to mine.

Luckily running inside of docker prevents a lot of that by default.

It is very noticeable though when you log into your dev server and the cpu is pegged at 100%.

I copied some of what it did here: https://gist.github.com/dawnerd/50915749d05d865025b447d5941f...