[return to "A story on home server security"]
1. smarx0+P4 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

2. veyh+qh 2025-01-05 15:35:41
>>smarx0+P4
I wonder how many people realize you can use the whole 127.0.0.0/8 address space, not just 127.0.0.1. I usually use a random address in that space for all of a specific project's services that need to be exposed, like 127.1.2.3:3000 for web and 127.1.2.3:5432 for postgres.
3. 9dev+nM 2025-01-05 19:38:14
>>veyh+qh
Also, many people don’t remember that those zeros in between numbers in IPs can be slashed, so pinging 127.1 works fine. This is also the reason why my home network is a 10.0.0.0/24—don’t need the bigger address space, but reaching devices at 10.1 sure is convenient!
4. diggan+lW 2025-01-05 21:00:50
>>9dev+nM
I had no idea about this, and I have been computing for almost 20 years now, thanks!

Trying to get ping to ping `0.0.0.0` was interesting.

    $ ping -c 1 ""
    ping: : Name or service not known

    $ ping -c 1 "."
    ping: .: No address associated with hostname

    $ ping -c 1 "0."
    ^C

    $ ping -c 1 ".0"
    ping: .0: Name or service not known

    $ ping -c 1 "0"
    PING 0 (127.0.0.1) 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms

    $ ping -c 1 "0.0"
    PING 0.0 (127.0.0.1) 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.026 ms
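The shorthand forms in comments 3 and 4 come from the classic `inet_aton()` grammar: one to four dot-separated parts in decimal, octal (leading `0`) or hex (`0x`), where a short final part fills all remaining bytes. The following re-implementation (added here, not code from the thread) shows why `127.1` and `10.1` resolve the way they do and, from a defender's angle, why an allow-list or block-list that compares the raw string against `127.0.0.1` misses the other spellings and the rest of `127.0.0.0/8` that comment 2 relies on; normalize first, then compare against the network. The `0` and `0.0` cases parse to `0.0.0.0`, which Linux treats as the local host, hence the `127.0.0.1` in the ping output.

```python
import ipaddress
import re

# One inet_aton() component: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def parse_part(text: str) -> int:
    """Parse a single component with inet_aton() base rules."""
    if not _PART.match(text):
        raise ValueError(f"bad address part: {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text[1:], 8)
    return int(text, 10)


def inet_aton_long(text: str) -> int:
    """Return the 32-bit value inet_aton() would produce for `text`.

    Leading parts are single bytes; the final part fills the remaining
    32, 24, 16 or 8 bits, so "127.1" is 127.0.0.1 and "10.1" is 10.0.0.1.
    Re-implemented here so the result does not depend on the host libc.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 parts")
    values = [parse_part(p) for p in parts]
    final_width = 8 * (5 - len(parts))
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 1 << final_width:
        raise ValueError(f"component out of range in {text!r}")
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    return (addr << final_width) | values[-1]


def canonical(text: str) -> str:
    """Dotted-quad spelling of any inet_aton() form, e.g. "127.1" -> "127.0.0.1"."""
    return str(ipaddress.IPv4Address(inet_aton_long(text)))


def accepts(text: str) -> bool:
    """True if `text` is a valid inet_aton() address (used to test rejects)."""
    try:
        inet_aton_long(text)
        return True
    except ValueError:
        return False


def is_loopback(text: str) -> bool:
    """Check the parsed address against 127.0.0.0/8, not the raw string."""
    return ipaddress.IPv4Address(inet_aton_long(text)) in ipaddress.ip_network("127.0.0.0/8")
```

On Linux, `socket.inet_aton()` gives the same answers for these inputs, but the stand-alone parser makes the rule explicit and portable.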