While setting up my VPS I made sure to open only the necessary ports through UFW. Later I installed Docker and deployed a few services with a couple of private ports for control. I mapped those ports to the host expecting that they wouldn't be available to the wider internet since UFW had no rules to allow them.
I was wrong.
It turns out that Docker on a Linux host writes its own rules straight into iptables, the kernel firewall that UFW is only a front end for, and never consults the UFW rule set. A published port is DNATed to the container in the nat table and then accepted in Docker's own DOCKER chain, which Docker inserts at the top of the FORWARD chain ahead of UFW's chains. UFW's "deny" for that port lives on the INPUT path, which a connection destined for a container never traverses, so the port is open to anyone who can reach the host. (Docker does leave an empty DOCKER-USER chain in FORWARD for rules that should run before its own; rules added there do survive Docker restarts.)
Solution number 1:
If you host Docker services on a VPS that sits directly on the internet, NEVER publish a container port to the host without a host address in front of it that narrows where the port is bound. With no address, Docker binds to 0.0.0.0, i.e. every interface, e.g.:
ports:
  - "127.0.0.1:9100:9100"
instead of:
ports:
  - "9100:9100"
This way port 9100 is bound only on the loopback address, so it is reachable from the host itself (or through an SSH tunnel) but not from the wider internet. Note that this restricts the host side only: other containers on the same Docker network can still reach the container's port 9100 directly.
Solution number 2:
If you run nginx proxy manager, drop the port mappings from your other services' docker-compose files altogether and route everything through the internal Docker network that nginx and those applications share; nginx reaches each container by its service name over that network, so only nginx's own ports need to be published. For the private ports you now expose through nginx, add Access Lists that permit only the VPN or other private addresses you use to reach the VPS.
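Before relying on either solution it is worth auditing what a compose file actually publishes. The script below is an added example, not code from the original post: it parses the `ports:` entries of a compose file in both the short string form and the long mapping form, classifies each host binding as all-interfaces (the case UFW will not protect), loopback, or a specific address such as a VPN IP, and lists the services that still publish nothing because they are meant to be reached only over the shared proxy network. The `SAMPLE_COMPOSE` dict is constructed for the example and stands in for what PyYAML would load from a real docker-compose.yml; the service names and addresses in it are made up.

```python
"""Audit docker-compose port mappings for bindings that reach every interface.

Added example (not from the original post).  Reads the compose `ports:` list in
both the short string form and the long mapping form and reports, per binding,
whether Docker would publish it on all interfaces (and thus past UFW), on
loopback only, or on one specific address such as a VPN IP.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortBinding:
    host_ip: Optional[str]        # None: Docker defaults to 0.0.0.0 (all interfaces)
    host_port: Optional[str]      # None: Docker picks an ephemeral host port
    container_port: str           # may be a range such as "8000-8010"
    protocol: str                 # "tcp" or "udp"


def parse_short_port(spec: Any) -> PortBinding:
    """Parse the compose short syntax: [[host_ip:][host_port]:]container_port[/proto]."""
    text = str(spec).strip()
    proto = "tcp"
    if "/" in text:
        text, proto = text.rsplit("/", 1)
    # Split from the right so an IPv6 host address (bracketed or not) stays whole.
    parts = text.rsplit(":", 2)
    if len(parts) == 1:                      # "9100": ephemeral host port on all interfaces
        return PortBinding(None, None, parts[0], proto)
    if len(parts) == 2:                      # "9100:9100": fixed host port on all interfaces
        return PortBinding(None, parts[0], parts[1], proto)
    host_ip, host_port, container_port = parts
    host_ip = host_ip.strip("[]")
    ip_address(host_ip)                      # ValueError for anything that is not an address
    return PortBinding(host_ip, host_port or None, container_port, proto)


def parse_long_port(spec: Dict[str, Any]) -> PortBinding:
    """Parse the compose long syntax: {target, published, host_ip, protocol}."""
    published = spec.get("published")
    return PortBinding(
        str(spec["host_ip"]) if spec.get("host_ip") else None,
        str(published) if published not in (None, "") else None,
        str(spec["target"]),
        str(spec.get("protocol", "tcp")),
    )


def parse_port(spec: Any) -> PortBinding:
    return parse_long_port(spec) if isinstance(spec, dict) else parse_short_port(spec)


def exposure(binding: PortBinding) -> str:
    """Classify where the host side of a binding is reachable from."""
    if binding.host_ip is None:
        return "all-interfaces"
    addr = ip_address(binding.host_ip)
    if addr.is_unspecified:                  # 0.0.0.0 or :: is the same as giving no address
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    return f"address {addr}"


def audit_compose(compose: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (service, 'host->container/proto', exposure) for every published port."""
    findings: List[Tuple[str, str, str]] = []
    for name, service in compose.get("services", {}).items():
        for spec in service.get("ports", []):   # a service with no `ports:` publishes nothing
            b = parse_port(spec)
            mapping = f"{b.host_port or '<ephemeral>'}->{b.container_port}/{b.protocol}"
            findings.append((name, mapping, exposure(b)))
    return findings


def internet_facing(compose: Dict[str, Any]) -> List[Tuple[str, str]]:
    """The bindings UFW will not protect: those published on all interfaces."""
    return [(svc, mapping) for svc, mapping, where in audit_compose(compose)
            if where == "all-interfaces"]


# Constructed sample; stands in for the dict PyYAML would load from docker-compose.yml.
SAMPLE_COMPOSE = {
    "services": {
        "node-exporter": {"ports": ["9100:9100"]},                      # reachable from the internet
        "prometheus": {"ports": ["127.0.0.1:9090:9090"]},               # localhost only
        "db": {"ports": [{"target": 5432, "published": 5432, "host_ip": "10.8.0.1"}]},  # VPN address only
        "app": {"networks": ["proxy"]},                                 # reached via the proxy network
        "legacy": {"ports": ["8080:80/udp", "9200"]},                   # both on all interfaces
    }
}

if __name__ == "__main__":
    for svc, mapping, where in audit_compose(SAMPLE_COMPOSE):
        flag = "!!" if where == "all-interfaces" else "  "
        print(f"{flag} {svc:14} {mapping:24} {where}")
```

Run it against a real file by loading the YAML with PyYAML and passing the resulting dict to `audit_compose`; every line flagged `all-interfaces` is a port that is open regardless of what UFW says, and the fix is either a loopback or VPN host address in front of it (solution 1) or removing the mapping and fronting the service with nginx proxy manager on the shared network (solution 2).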