zlacker

[return to "A story on home server security"]
1. smarx0+P4[view] [source] 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

◧◩
2. bluedi+G5[view] [source] 2025-01-05 13:49:49
>>smarx0+P4
Containers are widely used at our company, by developers who don't understand underlying concepts, and they often expose services on all interfaces, or to all hosts.

You can explain this to them, they don't care, you can even demonstrate how you can access their data without permission, and they don't get it.

Their app "works" and that's the end of it.

Ironically enough even cybersecurity doesn't catch them for it, they are too busy harassing other teams about out of date versions of services that are either not vulnerable, or already patched but their scanning tools don't understand that.

◧◩◪
3. dijit+R7[view] [source] 2025-01-05 14:17:49
>>bluedi+G5
This is pretty common, developers are focused on making things that work.

Sysadmins were always the ones who focused on making things secure, and for a bunch of reasons they basically don’t exist anymore.

EDIT: what guidelines did I break?

◧◩◪◨
4. harral+CG1[view] [source] 2025-01-06 05:07:31
>>dijit+R7
Sometimes when you work less rigidly as a team, covering for others when it’s convenient for you, everyone gets more things done with less stress and less trouble.

And you go home at 5pm and had a good work day.

[go to top]