Security

Docker + UFW = Hidden trap.

• March 5th 2016
• 2 min read

Thanks to the BSI. Good Job!!

I received an emails from the German Federal Office for Information Security (BSI) that said that I have a MongoDB instance exposed in one of my servers. I installed MongoDB using Docker as part of a demo to a friend and I forgot to stop the container. No important information in the database, but was exposed.

But how is possible?

My firewall configuration said that the port 27017 is filtered!

Checking the result of UFW:

~ # ufw status
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

Then? How is possible to access from outside if UFW said that it is filtered?

Checking now Iptables directly:

~ # iptables -L -n | grep 27017
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:27017

Oh no !!!!! MongoDB is exposed. UFW is a liar!!! I love you. Why are you doing this to me?

Why

• UFW is showing its configuration and not in base of the real state of the Iptables.
• Docker modifies directly the network and Iptables configuration.

The solution

There is a bug open since 18 Mar 2014 (Two years ago). Docker guys looks like don’t take care about this problem or maybe is not a bug, but I think that it is a big security issue that should be highlighted in the documentation. There is not an official response in the thread.

This is a copy & paste from the bug thread that is working for me:

• Set DEFAULT_FORWARD_POLICY=“ACCEPT” in /etc/default/ufw
• Set DOCKER_OPTS=“—iptables=false” in /etc/default/docker

Links:

https://github.com/docker/docker/issues/4737

Solution from https://github.com/docker/docker/issues/4737#issuecomment-191653053

Reference from the BSI:

• SecurityWeek: Thousands of MongoDB Databases Found Exposed on the Internet
• Shadowserver: Accessible/Open MongoDB NoSQL Server Scanning Project

Versions:

~ # lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 14.04.4 LTS
Release:    14.04
Codename:    trusty
~ # docker --version
Docker version 1.10.2, build c3959b1