zlacker

[return to "I got hacked: My Hetzner server started mining Monero"]
1. except+Jp[view] [source] 2025-12-17 23:43:39
>>jakels+(OP)
The first step I would take is running podman instead of Docker to prevent container escapes. Podman can be run truly rootless and doesn't mess with your firewall. Next I would drop all caps if possible.
◧◩
2. doodle+7q[view] [source] 2025-12-17 23:46:09
>>except+Jp
What's the difference between running Podman and running Docker in rootless mode? (Other than Docker messing with the firewall, which apparently OP doesn't know about… yet). I understand Podman doesn't require a daemon, but is that all there is to it, or is there something I'm missing?
◧◩◪
3. except+cs[view] [source] 2025-12-18 00:03:08
>>doodle+7q
The runtime has been designed from the ground up to be run daemonless and rootless. They also have a K8s runtime, that has an extremely small surface, just enough to be K8s compliant.

But podman has also great integration with systemd. With that you could use a socket activated systemd unit, and stick the socket inside the container, instead of giving the container any network at all. And even if you want networking in the container, the podman folks developed slirp4netns, which is user space networking, and now something even better: passt/pasta.

[go to top]