14. If you can ping it, you can try to hack it
--icc=false
$ cat /etc/hosts
172.17.9.121 st_undefined_x7gd_RrD04w81FSQAANX
172.17.0.220 the-warden.bridge
172.17.9.118 st_nkxqyj_d2d.bridge
172.17.9.119 st_4jm1qk_d2d0
172.17.9.106 angry_blackwell
17. “It also allows the container to access local network services like D-bus and is therefore considered insecure”
$ docker run --net=host -it ubuntu bash
root@ubuntu:/# shutdown now
root@ubuntu:/#
$ docker run --net=host -it ubuntu bash
Post http://docker:4243/v1.20/containers/create: EOF.
* Are you trying to connect to a TLS-enabled daemon without TLS?
* Is your docker daemon up and running?
24. Root users can write to it (the container's writable layer). If you can write to it, you can fill it.
$ ls /docker/aufs/diff/<container-id>/
$ cat /docker/containers/<container-id>/hosts
33. A lot more…
• Privileged containers open up a world of pain
• setuid / setgid
• --iptables=false
• docker.sock opens a lot of doors
• Docker images containing “presents”
34. $ docker run benhall/cute-kittens
Error: Missing docker.sock
Usage: docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
$ docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
35. if [ -e /var/run/docker.sock ]; then
  # the host's Docker socket was mounted in: use it to start a privileged container on the host
  echo "**** Launching ****"
  docker run --privileged busybox ls /dev
  echo "**** Cute kittens ****"
else
  echo "Error: Missing docker.sock"
fi
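An added audit example (not code from the talk or from the benhall/cute-kittens image): it reads the JSON that `docker inspect` prints and reports every container that runs privileged, joins the host network namespace, or has the Docker socket bind-mounted, the three settings the slides above call out. The sample inspect records, the container names and the finding labels are constructed for illustration; the field names (`HostConfig.Privileged`, `HostConfig.NetworkMode`, `HostConfig.Binds`, `Mounts`) are the ones Docker's inspect output uses.

```python
import json

DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample of `docker inspect` output (a JSON array, one object per
# container). Only the fields the audit reads are included.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/cute-kittens",
        "HostConfig": {
            "Privileged": False,
            "NetworkMode": "default",
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "Binds": None},
        "Mounts": [],
    },
    {
        "Name": "/debug",
        "HostConfig": {"Privileged": True, "NetworkMode": "host", "Binds": None},
        "Mounts": [],
    },
])


def mounted_sources(info):
    """Yield host-side paths the container mounts, from both the old
    HostConfig.Binds form ("host:container[:opts]") and the newer Mounts list."""
    host = info.get("HostConfig", {})
    for bind in host.get("Binds") or []:          # Binds is null when no -v was given
        yield bind.split(":", 1)[0]
    for mount in info.get("Mounts") or []:
        if mount.get("Type") == "bind":
            yield mount.get("Source", "")


def audit_container(info):
    """Return the findings for one inspect record (empty list if nothing risky)."""
    host = info.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")        # all capabilities, all host devices
    if host.get("NetworkMode") == "host":
        findings.append("net=host")          # reaches D-Bus and other host-local services
    if DOCKER_SOCK in set(mounted_sources(info)):
        findings.append("docker.sock")       # can start privileged containers on the host
    return findings


def audit_all(inspect_json):
    """Map container name -> findings for every record in `docker inspect` JSON."""
    return {rec["Name"].lstrip("/"): audit_container(rec)
            for rec in json.loads(inspect_json)}


def risky_containers(inspect_json):
    """Sorted names of containers with at least one finding."""
    return sorted(name for name, found in audit_all(inspect_json).items() if found)


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) | python3 audit.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_all(data).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

An empty finding list means "nothing obvious", not "safe": a container can still be dangerous through added capabilities or other bind mounts that this check does not look at.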
41. http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
C /bin
C /bin/netstat
C /bin/ps
C /bin/ss
C /etc
C /etc/init.d
A /etc/init.d/DbSecuritySpt
A /etc/init.d/selinux
C /etc/rc1.d
A /etc/rc1.d/S97DbSecuritySpt
A /etc/rc1.d/S99selinux
C /etc/rc2.d
A /etc/rc2.d/S97DbSecuritySpt
A /etc/rc2.d/S99selinux
C /etc/rc3.d
A /etc/rc3.d/S97DbSecuritySpt
A /etc/rc3.d/S99selinux
C /etc/rc4.d
A /etc/rc4.d/S97DbSecuritySpt
A /etc/rc4.d/S99selinux
C /etc/rc5.d
A /etc/rc5.d/S97DbSecuritySpt
A /etc/rc5.d/S99selinux
C /etc/ssh
A /etc/ssh/bfgffa
A /os6
A /safe64
C /tmp
A /tmp/.Mm2
A /tmp/64
A /tmp/6Sxx
A /tmp/6Ubb
A /tmp/DDos99
A /tmp/cmd.n
A /tmp/conf.n
A /tmp/ddos8
A /tmp/dp25
A /tmp/frcc
A /tmp/gates.lod
A /tmp/hkddos
A /tmp/hsperfdata_root
A /tmp/linux32
A /tmp/linux64
A /tmp/manager
A /tmp/moni.lod
A /tmp/nb
A /tmp/o32
A /tmp/oba
A /tmp/okml
A /tmp/oni
A /tmp/yn25
C /usr
C /usr/bin
A /usr/bin/.sshd
A /usr/bin/dpkgd
A /usr/bin/dpkgd/netstat
A /usr/bin/dpkgd/ps
A /usr/bin/dpkgd/ss
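An added triage example (not code from the talk or from the blog post linked above): it parses `docker diff` output (`A` added, `C` changed, `D` deleted) and flags the patterns visible in the listing: changed process and network tools under /bin, new init.d and rc*.d entries, hidden dot-files and new executables under /usr/bin, and new files in /tmp. The sample lines are constructed, modelled on the listing above; the severity labels, the list of watched binaries, and the rule treating JVM `hsperfdata_*` directories as benign are my own assumptions.

```python
import fnmatch
import posixpath
import re

# Constructed sample in `docker diff` format, modelled on the listing above.
SAMPLE_DIFF = """\
C /bin
C /bin/netstat
C /bin/ps
C /etc
C /etc/init.d
A /etc/init.d/DbSecuritySpt
A /etc/rc3.d/S97DbSecuritySpt
C /tmp
A /tmp/.Mm2
A /tmp/ddos8
A /tmp/hsperfdata_root
A /usr/bin/.sshd
A /usr/bin/dpkgd
A /usr/bin/dpkgd/ps
C /var/log/app.log
"""

# Tools an intruder replaces to hide processes and connections (assumed list).
CRITICAL_BINARIES = {"/bin/ps", "/bin/netstat", "/bin/ss", "/bin/ls", "/bin/lsof",
                     "/usr/bin/ps", "/usr/bin/netstat", "/usr/bin/ss", "/usr/bin/lsof"}
# Directories where a new file means something runs at boot.
PERSISTENCE_DIRS = ("/etc/init.d/", "/etc/cron.d/", "/etc/cron.daily/", "/etc/systemd/system/")
RC_DIR = re.compile(r"^/etc/rc[0-6S]\.d/")
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# Assumed benign: the JVM writes its performance counters to /tmp/hsperfdata_<user>.
BENIGN_GLOBS = ("/tmp/hsperfdata_*",)


def parse_diff(text):
    """Yield (kind, path) pairs from `docker diff` output, skipping malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, path = line.partition(" ")
        if kind in ("A", "C", "D") and path.startswith("/"):
            yield kind, path


def classify(kind, path):
    """Return (severity, reason) for one diff entry, or None if it is not interesting."""
    if any(fnmatch.fnmatch(path, pattern) for pattern in BENIGN_GLOBS):
        return None
    if kind == "C" and path in CRITICAL_BINARIES:
        return ("critical", "system tool replaced (process/network hiding)")
    if kind == "A" and (path.startswith(PERSISTENCE_DIRS) or RC_DIR.match(path)):
        return ("critical", "boot-time persistence added")
    if kind == "A" and posixpath.basename(path).startswith("."):
        return ("high", "hidden file added")
    if kind == "A" and path.startswith(SYSTEM_BIN_DIRS):
        return ("high", "new path under a system bin directory")
    if kind == "A" and path.startswith("/tmp/"):
        return ("medium", "new file in /tmp")
    return None


def triage(text):
    """List of (severity, path, reason) for every flagged entry, in diff order."""
    findings = []
    for kind, path in parse_diff(text):
        verdict = classify(kind, path)
        if verdict:
            findings.append((verdict[0], path, verdict[1]))
    return findings


def summary(text):
    """Count flagged entries per severity."""
    counts = {}
    for severity, _, _ in triage(text):
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    # On a real host: docker diff <container-id> | python3 triage.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for severity, path, reason in triage(data):
        print(f"{severity:8} {path}  ({reason})")
    print(summary(data))
```

Directory entries such as `C /etc/init.d` are reported by `docker diff` whenever a child changes, so the rules key on the child paths rather than on the directory lines themselves.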
42. Is Docker Secure?
• Yes. It’s as secure as your practices are.
• ElasticSearch hack would have taken over entire box
• I’ve pointed out the bad bits
• New game, new rules to play by.
User namespaces (experimental in Docker 1.9) cannot be combined with --net=host
https://github.com/dotcloud/docker/issues/6401
:(){ :|:& };:
\_/| |||| ||\- ... the function ':', initiating a chain-reaction: each ':' will start two more.
 | | |||| |\- Definition ends now, to be able to run ...
 | | |||| \- End of function-block
 | | |||\- disown the functions (make them a background process), so that the children of a parent
 | | |||   will not be killed when the parent gets auto-killed
 | | ||\- ... another copy of the ':'-function, which has to be loaded into memory.
 | | ||   So, ':|:' simply loads two copies of the function, whenever ':' is called
 | | |\- ... and pipe its output to ...
 | | \- Load a copy of the function ':' into memory ...
 | \- Begin of function-definition
 \- Define the function ':' without any parameters '()' as follows:
https://github.com/docker/docker/pull/11485
https://github.com/docker/docker/issues/3804
Docker's iptables integration gives you some restrictions, but they are bypassed via ngrok / reverse proxies.
Any command-and-control approach works.
Inbound: waste bandwidth, seed files.
Outbound: DDoS, BitTorrent, Tor relays, VPN... lots of potential legal issues.
Monitors a container's CPU usage, disk space and bandwidth.
Sits on each local server, which means it gets priority thanks to CPU shares.
Communicates over a Unix socket, so no bandwidth issues.