zlacker

[return to "A story on home server security"]
1. smarx0+P4 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

2. znpy+pc 2025-01-05 14:56:50
>>smarx0+P4
I avoid most docker problems by running unprivileged containers via rootless podman, on a rocky-linux based host with selinux enabled.

At this point Docker should be considered legacy technology; Podman is the way to go.

3. diggan+df 2025-01-05 15:18:58
>>znpy+pc
Would that actually save you in this case? OP had their container exposed to the internet, listening for incoming remote connections. Wouldn't matter in that case if you're running an unprivileged container, podman, rocky-linux or with selinux, since everything is just wide open at that point.
4. dboreh+Uf 2025-01-05 15:24:57
>>diggan+df
I think it's more about whether traffic is bound to localhost or a routable interface. Podman has different behavior vs Docker.
5. smarx0+1h 2025-01-05 15:32:25
>>dboreh+Uf
I think exposing 8080:8080 would result in sockets bound to 0.0.0.0:8080 in either Docker or Podman. You still need 127.0.0.1:8080:8080 for the socket binding to be 127.0.0.1:8080 in Podman. The only difference is that Podman would not punch holes in the firewall after binding on 0.0.0.0:8080, thus preventing an unintended exposure given that the firewall is set up to block all incoming connections except on 443, for example.

Edit: just confirmed this to be sure.

    $ podman run --rm -p 8000:80 docker.io/library/nginx:mainline
    $ podman ps
    CONTAINER ID  IMAGE                             COMMAND               CREATED         STATUS         PORTS                 NAMES
    595f71b33900  docker.io/library/nginx:mainline  nginx -g daemon o...  40 seconds ago  Up 41 seconds  0.0.0.0:8000->80/tcp  youthful_bouman
    $ ss -tulpn | rg 8000
    tcp   LISTEN 0      4096                                          *:8000             *:*    users:(("rootlessport",pid=727942,fd=10))
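An added example, not code from anyone in this thread: a small Python checker that parses docker/podman `-p` specs in their `[host_ip:][host_port:]container_port[/proto]` form and flags the ones that publish on every interface, the `1234:1234` versus `127.0.0.1:1234:1234` distinction smarx0 describes. The function and class names are my own; it only inspects the spec strings, so it can be run over a compose file or a shell history before anything is started.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortMapping:
    host_ip: str         # "" when the spec omitted it (docker then binds all interfaces)
    host_port: str       # "" when the spec asked for an ephemeral host port
    container_port: str
    proto: str


# Host addresses that mean "listen on every interface". "::" is included because
# a wildcard IPv6 bind normally also accepts IPv4 connections.
WILDCARD_IPS = {"", "0.0.0.0", "::"}


def parse_port_spec(spec: str) -> PortMapping:
    """Parse one docker/podman -p spec: [host_ip:][host_port:]container_port[/proto]."""
    spec = spec.strip()
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    # Bracketed IPv6 host address, e.g. "[::1]:8080:80".
    m = re.match(r"^\[([0-9a-fA-F:.]+)\]:(.*)$", spec)
    if m:
        host_ip, parts = m.group(1), m.group(2).split(":")
    else:
        host_ip, parts = "", spec.split(":")
        if len(parts) == 3:           # host_ip:host_port:container_port
            host_ip, parts = parts[0], parts[1:]
    if len(parts) == 2:               # host_port:container_port
        host_port, container_port = parts
    elif len(parts) == 1:             # container_port only -> ephemeral host port
        host_port, container_port = "", parts[0]
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return PortMapping(host_ip, host_port, container_port, proto)


def binds_all_interfaces(mapping: PortMapping) -> bool:
    """True if the host socket would be reachable from any interface, not just loopback."""
    return mapping.host_ip in WILDCARD_IPS


def audit_port_specs(specs):
    """Return the specs that publish on all interfaces (the ones Docker punches firewall holes for)."""
    return [s for s in specs if binds_all_interfaces(parse_port_spec(s))]
```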