From 1f99c01ec465230a67d0af255b5c90feda06cd31 Mon Sep 17 00:00:00 2001 From: houfaxin Date: Sat, 11 Oct 2025 15:41:22 +0800 Subject: [PATCH 1/3] Update best-practices-for-security-configuration.md --- best-practices-for-security-configuration.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md index 404db2fb582f2..51a6537206da0 100644 --- a/best-practices-for-security-configuration.md +++ b/best-practices-for-security-configuration.md @@ -58,7 +58,7 @@ By default, TiDB Dashboard is designed for trusted users. The default port inclu By default, TiDB installation includes several privileged interfaces for inter-component communication. These ports typically do not need to be accessible to users, because they are primarily for internal communication. Exposing these ports on public networks increases the attack surface, violates the principle of least privilege, and raises the risk of security vulnerabilities. The following table lists the default listening ports in a TiDB cluster: -| Component | Default port | Protocol | +| Component | Default port| Protocol | |-------------------|-------------|------------| | TiDB | 4000 | MySQL | | TiDB | 10080 | HTTP | @@ -70,15 +70,15 @@ By default, TiDB installation includes several privileged interfaces for inter-c | TiFlash | 20170 | Protocol | | TiFlash | 20292 | HTTP | | TiFlash | 8234 | HTTP | -| TiFlow | 8261 | HTTP | -| TiFlow | 8291 | HTTP | -| TiFlow | 8262 | HTTP | -| TiFlow | 8300 | HTTP | +| DM master | 8261 | HTTP | +| DM master | 8291 | HTTP | +| DM worker | 8262 | HTTP | +| TiCDC | 8300 | HTTP | | TiDB Lightning | 8289 | HTTP | | TiDB Operator | 6060 | HTTP | | TiDB Dashboard | 2379 | HTTP | -| TiDB Binlog | 8250 | HTTP | -| TiDB Binlog | 8249 | HTTP | +| TiDB Binlog | 8250 | HTTP | +| TiDB Binlog | 8249 | HTTP | | TMS | 8082 | HTTP | | TEM | 8080 | HTTP | | TEM | 8000 | HTTP | 
@@ -92,7 +92,7 @@ By default, TiDB installation includes several privileged interfaces for inter-c | AlertManager | 9093 | HTTP | | AlertManager | 9094 | Protocol | | Node Exporter | 9100 | HTTP | -| Blackbox Exporter | 9115 | HTTP | +| Blackbox Exporter | 9115 | HTTP | | NG Monitoring | 12020 | HTTP | It is recommended to only expose the `4000` port for the database and the `9000` port for the Grafana dashboard to ordinary users, while restricting access to other ports using network security policies or firewalls. The following is an example of using `iptables` to restrict port access: From 2738a9d0f0f08f137411c8fc82ac725158b7bbb6 Mon Sep 17 00:00:00 2001 From: houfaxin Date: Sat, 11 Oct 2025 16:05:20 +0800 Subject: [PATCH 2/3] Update best-practices-for-security-configuration.md --- best-practices-for-security-configuration.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md index 51a6537206da0..1e3b7a4a416ff 100644 --- a/best-practices-for-security-configuration.md +++ b/best-practices-for-security-configuration.md @@ -77,8 +77,6 @@ By default, TiDB installation includes several privileged interfaces for inter-c | TiDB Lightning | 8289 | HTTP | | TiDB Operator | 6060 | HTTP | | TiDB Dashboard | 2379 | HTTP | -| TiDB Binlog | 8250 | HTTP | -| TiDB Binlog | 8249 | HTTP | | TMS | 8082 | HTTP | | TEM | 8080 | HTTP | | TEM | 8000 | HTTP | From 7aa2eb845abec4d1fb53e26ad094a5130aa91801 Mon Sep 17 00:00:00 2001 From: xixirangrang Date: Sat, 11 Oct 2025 16:16:17 +0800 Subject: [PATCH 3/3] Update best-practices-for-security-configuration.md --- best-practices-for-security-configuration.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md index 1e3b7a4a416ff..03acccc968f34 100644 --- a/best-practices-for-security-configuration.md +++ b/best-practices-for-security-configuration.md 
@@ -77,6 +77,8 @@ By default, TiDB installation includes several privileged interfaces for inter-c | TiDB Lightning | 8289 | HTTP | | TiDB Operator | 6060 | HTTP | | TiDB Dashboard | 2379 | HTTP | +| TiDB Binlog | 8250 | HTTP | +| TiDB Binlog | 8249 | HTTP | | TMS | 8082 | HTTP | | TEM | 8080 | HTTP | | TEM | 8000 | HTTP |
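Review bot: In the first hunk of patch 1 (`@@ -58,7 +58,7 @@`), the edited header row `| Component | Default port| Protocol |` drops the space before the closing pipe, so the header no longer lines up with the `|-------------------|-------------|------------|` separator and the data rows beneath it. Markdown renders it either way, but the rest of the table keeps padded cells; keep the original `| Component | Default port | Protocol |` for consistency.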
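Review bot: In the second hunk of patch 1 (`@@ -70,15 +70,15 @@`), the two `TiDB Binlog` lines differ from their `-` counterparts only in trailing whitespace, and patches 2 and 3 of the same series then delete and re-add exactly those rows, so across the series the Binlog rows are pure churn. Drop the whitespace-only rewrite of those two lines from this hunk. Replacing the four generic `TiFlow` rows with `DM master` (8261, 8291), `DM worker` (8262) and `TiCDC` (8300) is the useful part of the hunk and worth calling out in the commit message, since a reader deciding which ports to firewall needs to know which process owns each one.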
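Review bot: In the third hunk of patch 1 (`@@ -92,7 +92,7 @@`), the only change is trailing whitespace on the `Blackbox Exporter | 9115` row, which adds diff noise without changing the rendered table; consider reverting it. While this hunk is open, the unchanged context line recommends exposing "the `9000` port for the Grafana dashboard"; the Grafana row of the port table is outside this hunk, so please check that the port named in the recommendation matches the one listed for Grafana in the table, since a mismatch here would lead an operator to open the wrong port.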
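Review bot: Patch 2 (`@@ -77,8 +77,6 @@`) removes the two `TiDB Binlog` rows (8250, 8249) and patch 3 (`@@ -77,6 +77,8 @@`) adds the same two rows back, so the series' net effect on those rows is nil and neither commit message ("Update best-practices-for-security-configuration.md") says why. If the intent is that TiDB Binlog should stay in the port table, squash patches 2 and 3 away; if the intent is to drop it, patch 3 should not be merged and the removal should be explained in the commit message so reviewers can confirm those two ports no longer need a firewall rule.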