A Docker footgun led to a vandal deleting NewsBlur's MongoDB database

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Moby

    The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

  • Props to the developer for being this open and letting others learn and discuss the implications of this situation! I rather enjoyed the original discussion as well, even though the situation itself was unfortunate: https://news.ycombinator.com/item?id=27613217

    I agree with the other posters that Docker can cause problems with firewalls, as pointed out in the article, in the GitHub issue, and in the other thread as well: https://github.com/moby/moby/issues/4737

    Furthermore, it also seems to me that not only should Docker respect the firewall rules (even though it'd confuse another group of people about why their services aren't accessible externally and would necessitate manual firewall rule management, short of some explicit way to do that, such as docker run ... -p 80:3000 --expose-in-firewall 80 ...), but that MongoDB should also have secure defaults, as any other piece of software!

    That said, at least to me it appears that Docker Compose, Docker Swarm and other technologies have attempted to introduce a networking abstraction to allow running services (more) securely and privately, by not exposing their ports on the host directly.

    For example, see the following Compose file, which would only expose a web server to the world:

      version: '3.4'
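
    The Compose file above is cut off in the original post. What follows is an added example written for this page, not the commenter's own file and not code from the Moby project. It shows the pattern the commenter is describing: a web service is the only thing with a published port, and the database sits on an internal Compose network with no host binding at all. Service and image names (the app image in particular) and the secret file path are placeholders; the MONGO_INITDB_* variables are the ones the official mongo image reads.

```yaml
# Added example, not part of the original post or of the Moby project.
#
# WEAK variant of the database service (shown only as a comment):
# a published port makes Docker insert its own iptables rules in the
# DOCKER chain, which are consulted before the INPUT chain that ufw
# manages, so "ufw deny 27017" on the host does not protect it.
#
#   mongo:
#     image: mongo:6
#     ports:
#       - "27017:27017"        # binds 0.0.0.0:27017 on the host
#
# HARDENED variant below: no "ports:" block at all, so nothing is
# bound on the host and neither Docker's DOCKER chain nor ufw needs
# a rule for it. The database is reachable only by service name from
# containers attached to the internal "backend" network.
version: "3.8"

services:
  web:
    image: example/app:latest  # placeholder application image
    ports:
      - "80:3000"              # the only port published to the host
    networks:
      - frontend
      - backend

  mongo:
    image: mongo:6
    # If an admin tool on the host really needs the port, bind it to
    # loopback only, e.g. "127.0.0.1:27017:27017", never "27017:27017".
    environment:
      MONGO_INITDB_ROOT_USERNAME: admin
      MONGO_INITDB_ROOT_PASSWORD_FILE: /run/secrets/mongo_root_pw
    secrets:
      - mongo_root_pw
    networks:
      - backend

networks:
  frontend:
  backend:
    internal: true             # no route to or from outside the host

secrets:
  mongo_root_pw:
    file: ./mongo_root_pw.txt  # placeholder path; keep out of git
```

    After `docker compose up -d`, `ss -ltn` on the host should list port 80 as the only Docker-published listener, and `sudo iptables -L DOCKER -n` shows exactly which rules Docker inserted on the container's behalf. The credentials address the second half of the comment: the official mongo image only enables authentication when a root user is configured, so an unauthenticated instance that is also published on 0.0.0.0 is open to anyone who can reach the port.
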

  • ufw-docker-automated

    Manage docker containers firewall with UFW!

  • Luckily it was about as hardened as regular ftp can be, but I noticed the problem when my service wasn't able to log in as the (very low) connection limit was filled by someone attempting passwords.

    I've been using https://github.com/shinebayar-g/ufw-docker-automated to make docker compliant with UFW, and defining firewall rules as labels for the containers.

  • ufw-docker

    To fix the Docker and UFW security flaw without disabling iptables

  • I have talked about this before. This is completely non-standard behavior, but the way the Docker team simply washes their hands is incredible.

    https://github.com/chaifeng/ufw-docker/issues/31
