
Docker + UFW = Hidden trap.

Thanks to the BSI. Good Job!!

I received an email from the German Federal Office for Information Security (BSI) that said that I have a MongoDB instance exposed on one of my servers. I installed MongoDB using Docker as part of a demo for a friend and I forgot to stop the container. No important information in the database, but it was exposed.

But how is that possible?

My firewall configuration said that port 27017 is filtered!

Checking the result of UFW:

 ~ # ufw status
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

Then how is it possible to access it from outside if UFW said that it is filtered?

Now checking iptables directly:

~ # iptables -L -n | grep 27017
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:27017

Oh no!!!!! MongoDB is exposed. UFW is a liar!!! I love you. Why are you doing this to me?

Why

  • UFW only reports the rules it manages itself. `ufw status` is a view of UFW's own configuration, not of the real state of the iptables rules on the host.
  • Docker modifies the network and iptables configuration directly. When a container publishes a port, the daemon adds a DNAT rule in the nat table and an ACCEPT rule in the DOCKER chain of the filter table's FORWARD path (that is where the rule above comes from). The traffic is forwarded to the container, so UFW's INPUT rules never see it, and Docker inserts its jump at the top of FORWARD, ahead of UFW's chains.

The solution

There is a bug open since 18 Mar 2014 (two years ago). The Docker guys don't seem to take care of this problem, or maybe it is not a bug, but I think that it is a big security issue that should be highlighted in the documentation. There is no official response in the thread.

This is a copy & paste from the bug thread that works for me:

  • Set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw
  • Set DOCKER_OPTS="--iptables=false" in /etc/default/docker
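As an added example (not code from the original post, from the bug thread or from the Docker project), here is a small shell script that covers both the "Why" above and the fix: it parses `iptables -t nat -S DOCKER` output to list the ports Docker has published on every address, regardless of what `ufw status` shows, and it checks that /etc/default/docker carries `--iptables=false`. The nat rules and the defaults file below are constructed sample input in the format the Docker daemon writes (one port published on all addresses, one bound to 127.0.0.1). The `172.17.0.0/16` subnet and the `apply_docker_nat` helper are assumptions for a default docker0 bridge.

```bash
#!/bin/sh
# Audit helpers for the Docker + UFW trap. Added example, not the post's own code.

# Constructed sample of `iptables -t nat -S DOCKER` output: a MongoDB port
# published on every address (the trap) and a Redis port bound to loopback.
SAMPLE_NAT_RULES='-N DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 27017 -j DNAT --to-destination 172.17.0.2:27017
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379'

# Constructed sample of /etc/default/docker after applying the fix.
SAMPLE_DOCKER_DEFAULTS='# Docker daemon options
DOCKER_OPTS="--iptables=false"'

# docker_exposed_ports: read `iptables -t nat -S DOCKER` on stdin and print
# "bind:port -> container:port" for every DNAT rule that is not restricted to
# a specific destination address, i.e. every port reachable from outside no
# matter what `ufw status` reports.
docker_exposed_ports() {
  awk '
    /-j DNAT/ {
      bind = "0.0.0.0"; dport = ""; dest = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") { bind = $(i + 1); sub(/\/32$/, "", bind) }
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "--to-destination") dest = $(i + 1)
      }
      if (bind == "0.0.0.0" || bind == "0.0.0.0/0") print bind ":" dport " -> " dest
    }'
}

# docker_iptables_disabled: read /etc/default/docker on stdin; succeed only if
# DOCKER_OPTS contains --iptables=false, so the daemon stops writing rules.
docker_iptables_disabled() {
  grep -Eq '^[[:space:]]*DOCKER_OPTS=.*--iptables=false'
}

# apply_docker_nat: with --iptables=false the daemon no longer adds the
# MASQUERADE rule for the bridge, so containers lose outbound connectivity
# unless the host adds it. Assumes the default docker0 subnet 172.17.0.0/16.
# Not called here because it needs root and a real iptables.
apply_docker_nat() {
  iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_NAT_RULES" | docker_exposed_ports
if printf '%s\n' "$SAMPLE_DOCKER_DEFAULTS" | docker_iptables_disabled; then
  echo "DOCKER_OPTS: --iptables=false is set, Docker no longer edits iptables"
else
  echo "DOCKER_OPTS: Docker still manages iptables, published ports bypass UFW"
fi
```

On a real host run `iptables -t nat -S DOCKER | docker_exposed_ports` and compare the result with `ufw status`; anything listed is reachable whether or not UFW shows a rule for it. Note that the loopback-bound Redis rule in the sample is not reported: publishing a port as `-p 127.0.0.1:27017:27017` keeps it off the public interface without disabling Docker's iptables management, which is a lighter alternative when the database only needs to be reached from the host itself.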

Links:

https://github.com/docker/docker/issues/4737

Solution from https://github.com/docker/docker/issues/4737#issuecomment-191653053

Reference from the BSI:

Versions:

~ # lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.4 LTS
Release:        14.04
Codename:       trusty
~ # docker --version
Docker version 1.10.2, build c3959b1