Michael de Silva's Blog

Software Engineer. Rubyist and Roboticist.

Michael de Silva's Blog

Software Engineer. Rubyist and Roboticist.

HOWTO Secure Docker & Prevent Leaking Access to Hackers

Docker needs to be configured to prevent leaking container ports to the outside world and there are two approaches, depending on your version of Ubuntu installed.

For sysvinit and upstart based systems, you can edit /etc/default/docker and change the docker options ENV var to DOCKER_OPTS="-r=false --iptables=false".

Since I'm using Ubuntu v16.x LTS running systemd I performed the following

$ mkdir /etc/systemd/system/docker.service.d
$ cat << EOF > /etc/systemd/system/docker.service.d/noiptables.conf
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// --iptables=false
EOF

$ service docker restart

Initially, nmap reported this port as open 6379/tcp open unknown, however, with the above service drop-in activated by restarting the docker service and ensuring ufw is active, this port is now shown as filtered (since ufw blocks all non-whitelisted inbound access) —

-> % ufw allow 22/tcp
-> % ufw enable

-> % nmap -P0 128.xxx.xxx.xx -p 6379

Starting Nmap 7.12 ( https://nmap.org ) at 2017-03-01 18:32 IST
Nmap scan report for 128.xxx.xxx.xx
Host is up.
PORT     STATE    SERVICE
6379/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds

References

comments powered by Disqus