From a3cb4d8d4ad3d36ce522484318944cb94c05f566 Mon Sep 17 00:00:00 2001
From: houfaxin
Date: Thu, 12 Feb 2026 09:57:26 +0800
Subject: [PATCH 1/3] Update best-practices-for-security-configuration.md

---
 best-practices-for-security-configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md
index 36053b8f868e3..67fc1a8ee3865 100644
--- a/best-practices-for-security-configuration.md
+++ b/best-practices-for-security-configuration.md
@@ -101,7 +101,7 @@ By default, TiDB installation includes several privileged interfaces for inter-c
 | Blackbox Exporter | 9115 | HTTP |
 | NG Monitoring | 12020 | HTTP |
 
-It is recommended to only expose the `4000` port for the database and the `9000` port for the Grafana dashboard to ordinary users, while restricting access to other ports using network security policies or firewalls. The following is an example of using `iptables` to restrict port access:
+It is recommended to only expose the `4000` port for the database and the `3000` port for the Grafana dashboard to ordinary users, while restricting access to other ports using network security policies or firewalls. The following is an example of using `iptables` to restrict port access:
 
 ```shell
 # Allow internal port communication from the whitelist of component IP addresses

From ab1fa6e028aef4080c81b8d7baed1ce08ec93409 Mon Sep 17 00:00:00 2001
From: houfaxin
Date: Thu, 12 Feb 2026 10:02:27 +0800
Subject: [PATCH 2/3] Update best-practices-for-security-configuration.md

---
 best-practices-for-security-configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md
index 67fc1a8ee3865..641395e8d8314 100644
--- a/best-practices-for-security-configuration.md
+++ b/best-practices-for-security-configuration.md
@@ -109,7 +109,7 @@ sudo iptables -A INPUT -s internal IP address range -j ACCEPT
 
 # Only open ports 4000 and 9000 to external users
 sudo iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
-sudo iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
+sudo iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
 
 # Deny all other traffic by default
 sudo iptables -P INPUT DROP

From d783576aa7cad8d126da2b006b2f0df61b59bff2 Mon Sep 17 00:00:00 2001
From: houfaxin
Date: Thu, 12 Feb 2026 10:02:49 +0800
Subject: [PATCH 3/3] Update best-practices-for-security-configuration.md

---
 best-practices-for-security-configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md
index 641395e8d8314..91cf576bd68d5 100644
--- a/best-practices-for-security-configuration.md
+++ b/best-practices-for-security-configuration.md
@@ -107,7 +107,7 @@ It is recommended to only expose the `4000` port for the database and the `3000`
 # Allow internal port communication from the whitelist of component IP addresses
 sudo iptables -A INPUT -s internal IP address range -j ACCEPT
 
-# Only open ports 4000 and 9000 to external users
+# Only open ports 4000 and 3000 to external users
 sudo iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 3000 -j ACCEPT