zlacker

[return to "I got hacked: My Hetzner server started mining Monero"]
1. tgtwea+Bf 2025-12-17 22:37:20
>>jakels+(OP)
Just a note - you can very much limit CPU usage on the docker containers by setting --cpus="0.5" (or cpus: 0.5 in docker compose) if you expect it to be a very lightweight container. This isolation can help prevent one rowdy container from hitting the rest of the system, regardless of whether it's crypto-mining malware, a DDoS attempt or a misbehaving service/software.
2. tracke+5l 2025-12-17 23:10:55
>>tgtwea+Bf
Another is running containers in read-only mode, assuming they support this configuration... will minimize a lot of potential attack surface.
3. 3eb798+BQ 2025-12-18 04:15:14
>>tracke+5l
Never looked into this. I would expect the majority of images would fail in this configuration. Or am I unduly pessimistic?
4. tracke+Yl3 2025-12-18 20:48:47
>>3eb798+BQ
It's hit or miss... you sometimes have to make /tmp writable or another data directory... some images just don't operate right because of initialization steps that happen on first run. It's hit or miss and depends... but a lot of your own apps can definitely be made to work with limited, or no write surface.
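
Added example, not part of any commenter's post: a small audit over `docker inspect` output that flags containers running without the two settings discussed in this thread, a CPU cap (`--cpus`) and a read-only root filesystem (`--read-only`). The container names and the sample JSON are constructed; real input would come from `docker inspect $(docker ps -q)`.

```python
import json

# Constructed sample shaped like `docker inspect` output, trimmed to the fields
# used here. Container names are made up for illustration.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web", "HostConfig": {"NanoCpus": 500000000, "CpuQuota": 0, "CpuPeriod": 0,
      "ReadonlyRootfs": true, "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=64m"}}},
  {"Name": "/analytics", "HostConfig": {"NanoCpus": 0, "CpuQuota": 0, "CpuPeriod": 0,
      "ReadonlyRootfs": false, "Tmpfs": null}},
  {"Name": "/worker", "HostConfig": {"NanoCpus": 0, "CpuQuota": 50000, "CpuPeriod": 100000,
      "ReadonlyRootfs": true, "Tmpfs": null}}
]
""")

def cpu_limit(host_config):
    """Return the effective CPU cap in cores, or None if the container is uncapped."""
    nano = host_config.get("NanoCpus") or 0          # set by --cpus / compose `cpus:`
    if nano > 0:
        return nano / 1e9
    quota = host_config.get("CpuQuota") or 0         # set by --cpu-quota
    period = host_config.get("CpuPeriod") or 100000  # default CFS period in microseconds
    if quota > 0:
        return quota / period
    return None

def audit(containers):
    """Map container name -> list of findings; containers with no findings are omitted."""
    findings = {}
    for c in containers:
        hc = c.get("HostConfig") or {}
        name = c.get("Name", "?").lstrip("/")
        issues = []
        if cpu_limit(hc) is None:
            issues.append("no CPU limit (--cpus not set)")
        if not hc.get("ReadonlyRootfs"):
            issues.append("root filesystem is writable (--read-only not set)")
        elif not hc.get("Tmpfs"):
            # Informational: read-only images often still need a writable /tmp.
            issues.append("read-only with no tmpfs; confirm the app needs no writable /tmp")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        for issue in issues:
            print(f"{name}: {issue}")
```
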