From 8fa49be49dff5afe7056341863bba0988fcdb718 Mon Sep 17 00:00:00 2001
From: houfaxin
Date: Thu, 12 Feb 2026 09:57:26 +0800
Subject: [PATCH 1/3] Update best-practices-for-security-configuration.md

---
 best-practices-for-security-configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md
index 26ea3ad92729a..4a441f35c92b7 100644
--- a/best-practices-for-security-configuration.md
+++ b/best-practices-for-security-configuration.md
@@ -103,7 +103,7 @@ By default, TiDB installation includes several privileged interfaces for inter-c
 | Blackbox Exporter | 9115 | HTTP |
 | NG Monitoring | 12020 | HTTP |
 
-It is recommended to only expose the `4000` port for the database and the `9000` port for the Grafana dashboard to ordinary users, while restricting access to other ports using network security policies or firewalls. The following is an example of using `iptables` to restrict port access:
+It is recommended to only expose the `4000` port for the database and the `3000` port for the Grafana dashboard to ordinary users, while restricting access to other ports using network security policies or firewalls. The following is an example of using `iptables` to restrict port access:
 
 ```shell
 # Allow internal port communication from the whitelist of component IP addresses

From 8da09868c79a8840f5912ce393ab404ff2e70103 Mon Sep 17 00:00:00 2001
From: houfaxin
Date: Thu, 12 Feb 2026 10:02:27 +0800
Subject: [PATCH 2/3] Update best-practices-for-security-configuration.md

---
 best-practices-for-security-configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md
index 4a441f35c92b7..ddabcf80ee163 100644
--- a/best-practices-for-security-configuration.md
+++ b/best-practices-for-security-configuration.md
@@ -111,7 +111,7 @@ sudo iptables -A INPUT -s internal IP address range -j ACCEPT
 
 # Only open ports 4000 and 9000 to external users
 sudo iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
-sudo iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
+sudo iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
 
 # Deny all other traffic by default
 sudo iptables -P INPUT DROP

From 4f78eca58743b4dc85110af34abd7246e0468e2c Mon Sep 17 00:00:00 2001
From: houfaxin
Date: Thu, 12 Feb 2026 10:02:49 +0800
Subject: [PATCH 3/3] Update best-practices-for-security-configuration.md

---
 best-practices-for-security-configuration.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md
index ddabcf80ee163..c3fa7020d54c0 100644
--- a/best-practices-for-security-configuration.md
+++ b/best-practices-for-security-configuration.md
@@ -109,7 +109,7 @@ It is recommended to only expose the `4000` port for the database and the `3000`
 # Allow internal port communication from the whitelist of component IP addresses
 sudo iptables -A INPUT -s internal IP address range -j ACCEPT
 
-# Only open ports 4000 and 9000 to external users
+# Only open ports 4000 and 3000 to external users
 sudo iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 3000 -j ACCEPT