devteam/Sharenet_Docs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Sharenet_Docs/avoid_docker_exploits.md

2.5 KiB
Raw Blame History

● Given the exposed Docker API and high CPU usage, I strongly recommend starting with a fresh Linode. The privileged container access means attackers could have gained full system control.

Why fresh start is safer:

  1. Persistent access: Attackers often install backdoors that survive container removal
  2. Rootkit detection: Sophisticated compromises are hard to fully detect and remove
  3. Time vs security: Rebuilding is faster than forensic analysis for production systems

If you must keep this instance:

  1. Immediate isolation: Disconnect from network, change all credentials
  2. Full forensic analysis: Requires security expertise to ensure complete cleanup
  3. Higher risk: Potential for undetected persistence mechanisms

For a production CI system, the clean rebuild approach is more secure and time-efficient in the long run.

What simple steps can I take in the future to make sure this won't happen even as I am setting up my podman containers and testing them?

● Critical Security Steps for Future Setup:

  1. NEVER Expose Docker/Podman API Publicly

UNSAFE (what caused the issue):

podman run -p 2375:2375 --privileged ...

SECURE Alternatives:

Use UNIX socket (local only)

podman run -v /var/run/podman.sock:/var/run/podman.sock

Or use SSH tunnel for remote access

ssh -L 2375:localhost:2375 user@host

  1. Firewall First Approach

Block all incoming by default

sudo ufw default deny incoming sudo ufw default allow outgoing

Only open specific needed ports

sudo ufw allow ssh sudo ufw allow 80,443 # web only if needed sudo ufw enable

  1. Avoid Privileged Containers

Instead of --privileged, use specific capabilities:

podman run --cap-add NET_ADMIN --cap-add SYS_ADMIN ...

Or use security opts:

podman run --security-opt=no-new-privileges ...

  1. Test in Isolated Network

Create internal network

podman network create ci-network

Run containers on internal network only

podman run --network ci-network ...

● 5. Monitoring During Setup

Watch CPU/memory during testing

htop

Monitor network connections

sudo ss -tulpn

Check container processes

podman top

  1. Use Temporary Testing Environment
  • Test container configurations on local machine first
  • Use development Linode that can be easily rebuilt
  • Never expose testing containers to public internet

The key is: never expose container management APIs (Docker/Podman ports) to the internet, and always start with a deny-all firewall policy.