Contact me: (+353) 86 074 8999 or via LinkedIn
Schedule time with me
Docker + UFW = Hidden trap.
Thanks to the BSI. Good Job!!
I received an emails from the German Federal Office for Information Security (BSI) that said that I have a MongoDB instance exposed in one of my servers. I installed MongoDB using Docker as part of a demo to a friend and I forgot to stop the container. No important information in the database, but was exposed.
But how is possible?
My firewall configuration said that the port 27017 is filtered!
Checking the result of UFW:
~ # ufw status
Status: active
To Action From
-- ------ ----
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)Then? How is possible to access from outside if UFW said that it is filtered?
Checking now Iptables directly:
~ # iptables -L -n | grep 27017
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:27017Oh no !!!!! MongoDB is exposed. UFW is a liar!!! I love you. Why are you doing this to me?
Why
- UFW is showing its configuration and not in base of the real state of the Iptables.
- Docker modifies directly the network and Iptables configuration.
The solution
There is a bug open since 18 Mar 2014 (Two years ago). Docker guys looks like don’t take care about this problem or maybe is not a bug, but I think that it is a big security issue that should be highlighted in the documentation. There is not an official response in the thread.
This is a copy & paste from the bug thread that is working for me:
- Set
DEFAULT_FORWARD_POLICY=“ACCEPT”in/etc/default/ufw - Set
DOCKER_OPTS=“—iptables=false”in/etc/default/docker
Links:
https://github.com/docker/docker/issues/4737
Solution from https://github.com/docker/docker/issues/4737#issuecomment-191653053
Reference from the BSI:
- SecurityWeek: Thousands of MongoDB Databases Found Exposed on the Internet
- Shadowserver: Accessible/Open MongoDB NoSQL Server Scanning Project
Versions:
~ # lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.4 LTS
Release: 14.04
Codename: trusty
~ # docker --version
Docker version 1.10.2, build c3959b1