zlacker

Comments on "A story on home server security"
1. smarx0+P4 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way, but to access the container an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

2. bluedi+G5 2025-01-05 13:49:49
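One check that follows from the point above, added here as an example and not code from the thread: a POSIX shell script that reads `docker ps` port mappings and lists every publication bound to something other than loopback (a plain `1234:1234` shows up as `0.0.0.0:1234->1234/tcp`). The `docker ps` output is a constructed sample so the script runs without a daemon; `audit_live` is a hypothetical wrapper that runs the same check against a real host.

```shell
#!/bin/sh
# Added audit script: flag Docker port publications bound to all interfaces
# (0.0.0.0 / [::]) instead of loopback. SAMPLE_PS is constructed output in
# the shape of `docker ps --format '{{.Names}} {{.Ports}}'` so this runs
# without a Docker daemon; audit_live runs the same check for real.

SAMPLE_PS='web 0.0.0.0:8080->80/tcp, [::]:8080->80/tcp
db 127.0.0.1:5432->5432/tcp
cache 6379/tcp
mixed 127.0.0.1:9000->9000/tcp, 0.0.0.0:9001->9001/tcp'

# classify_port MAPPING -> exposed | loopback | unpublished
classify_port() {
    case "$1" in
        *'->'*) ;;                       # published on the host
        *) echo unpublished; return 0 ;; # container port only, no host binding
    esac
    case "$1" in
        127.*|'[::1]'*) echo loopback ;;
        *) echo exposed ;;               # 0.0.0.0, [::] or an external address
    esac
    return 0
}

# audit_ps: read "name ports..." lines on stdin, print "name mapping" for
# every mapping that other hosts can reach.
audit_ps() {
    while read -r name ports; do
        echo "$ports" | tr ',' '\n' | while read -r mapping; do
            if [ -n "$mapping" ] && [ "$(classify_port "$mapping")" = exposed ]; then
                echo "$name $mapping"
            fi
        done
    done
    return 0
}

# count_exposed: number of exposed mappings found in SAMPLE_PS
count_exposed() {
    printf '%s\n' "$SAMPLE_PS" | audit_ps | grep -c .
}

# audit_live: same check against the running daemon (needs the docker CLI)
audit_live() {
    docker ps --format '{{.Names}} {{.Ports}}' | audit_ps
}

printf '%s\n' "$SAMPLE_PS" | audit_ps
```

On the sample this prints the two `web` mappings and the `0.0.0.0:9001` mapping of `mixed`; `db` and `cache` are silent.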
>>smarx0+P4
Containers are widely used at our company, by developers who don't understand underlying concepts, and they often expose services on all interfaces, or to all hosts.

You can explain this to them, they don't care, you can even demonstrate how you can access their data without permission, and they don't get it.

Their app "works" and that's the end of it.

Ironically enough, even cybersecurity doesn't catch them for it; they are too busy harassing other teams about out-of-date versions of services that are either not vulnerable, or already patched but their scanning tools don't understand that.

3. nitwit+IE3 2025-01-06 20:36:58
>>bluedi+G5
There are certainly people that don't care about security out there, but the biggest issue is just how much people are expected to know.

Docker, AWS, Kubernetes, some wrapper they've put around Kubernetes, a bunch of monitoring tools, etc.

And none of it will be their main job, so they'll just try to get something working by copying a working example, or reading a tutorial.
