zlacker

[return to "I got hacked: My Hetzner server started mining Monero"]
1. V__+N4[view] [source] 2025-12-17 21:39:21
>>jakels+(OP)
> The Reddit post I’d seen earlier? That guy got completely owned because his container was running as root. The malware could: [...]

Is that the case, though? My understanding was, that even if I run a docker container as root and the container is 100% compromised, there still would need to be a vulnerability in docker for it to “attack” the host, or am I missing something?

◧◩
2. d4mi3n+R9[view] [source] 2025-12-17 22:03:49
>>V__+N4
While this is true, the general security stance on this is: Docker is not a security boundary. You should not treat it like one. It will only give you _process level_ isolation. If you want something with better security guarantees, you can use a full VM (KVM/QEMU), something like gVisor[1] to limit the attack surface of a containerized process, or something like Firecracker[2] which is designed for multi-tenancy.

The core of the problem here is that process isolation doesn't save you from whole classes of attack vectors or misconfigurations that open you up to nasty surprises. Docker is great, just don't think of it as a sandbox to run untrusted code.

1. https://gvisor.dev/

2. https://firecracker-microvm.github.io/

◧◩◪
3. socalg+gg[view] [source] 2025-12-17 22:40:48
>>d4mi3n+R9
that's a really good point .. but, I think 99% of docker users believe it is a a sandbox and treat it as such.
◧◩◪◨
4. Tactic+hz[view] [source] 2025-12-18 01:03:04
>>socalg+gg
Not 99%. Many people run an hypervisor and then a VM just for Docker.

Attacker now needs a Docker exploit and then a VM exploit before getting to the hypervisor (and, no, pwning the VM ain't the same as pwning the hypervisor).

◧◩◪◨⬒
5. windex+JU[view] [source] 2025-12-18 05:16:11
>>Tactic+hz
Agreed - this is actually pretty common in the Proxmox realm of hosters. I segment container nodes using LXC, and in some specific cases I'll use a VM.

Not only does it allow me to partition the host for workloads but I also get security boundaries as well. While it may be a slight performance hit the segmentation also makes more logical sense in the way I view the workloads. Finally, it's trivial to template and script, so it's very low maintenance and allows for me to kill an LXC and just reprovision it if I need to make any significant changes. And I never need to migrate any data in this model (or very rarely).

[go to top]