Docker security strengthening #29

Open
1 of 4 tasks
giohappy opened this issue Jan 8, 2021 · 0 comments
giohappy commented Jan 8, 2021

We want to review and fix the security flaws in the Docker and Docker Compose setup for GeoNode, starting from the report recently sent by Toni (GeoNode community member).
For the moment we have the following tasks to be done:

The full report (sent by email) is reproduced below:


Some days ago the sysadmin of a client informed me about 100% CPU usage
on a VM running only GeoNode. After checking the running processes I found an infection
with a cryptominer called Kinsing.

Read technical Details here:
https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability

And here is my log of how I stopped and cleaned up the process:
https://gist.github.com/t-book/d28bea5918c1e92ca84e0ed879a8588a

The main entry points of Kinsing are an unsecured Docker API port and, further,
an unsecured Redis container/account. Neither matched my standard
GeoNode project stack.

After some research (yes, on Christmas Eve :/ ) I'm nearly 100% sure to have found
the entry point in the geonode/postgis container. It looks like, due to an open port 5432,
it was possible to inject malware, most likely through one of these two exploits:

https://www.cvedetails.com/vulnerability-list/vendor_id-336/product_id-575/version_id-276732/year-2019/opec-1/Postgresql-Postgresql-11.2.html

The fatal part about it is that most processes within the containers run as root,
which is root on the host. You can easily test this as shown here:
https://suraj.io/post/root-in-container-root-on-host/

This made it possible to gain access to the host server, install a cronjob
and run the miner. Ah yes, and the miner also tries to steal SSH keys and
spread to other VMs :/

My recommendation:

  • we should update our postgis image (newer version of mdillon/postgis) with consideration of the CVE page
  • be careful when opening port 5432 to the public (unsure if it would be good to inform the community)
  • if you need access to postgis from outside, bind it to localhost (127.0.0.1:5432:5432) and use an SSH tunnel
  • prevent root access from containers to the host by running the daemon in rootless mode or with user namespaces
    https://docs.docker.com/engine/security/rootless/
    You should configure it initially; be prepared that the performance tab of the monitoring app might not work anymore (just a guess)
    If one of you is interested I will share my experiences of how I've reconfigured our instances (start of next year) with user namespaces
    (Maybe we should also mention rootless mode in the docs as well)
  • we should check if it would be worth reworking some Dockerfiles to run as a less privileged user
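As an added defender-side check (not code from the report or from the GeoNode project), the script below audits a docker-compose service definition for the two conditions the report describes: a database port published on all interfaces instead of 127.0.0.1, and a service with no `user:` set so its processes fall back to the image default (often root). The compose fragments are constructed here to mirror the exposed and the hardened variants of the postgis service; the image names are placeholders.

```python
"""Audit docker-compose services for ports published on every interface
and for services that do not set a non-root user (constructed example)."""

ALL_INTERFACES = {"0.0.0.0", "", "::", "[::]"}


def parse_port(entry):
    """Return (host_ip, host_port, container_port) for one `ports:` entry.

    Short syntax: "5432:5432", "127.0.0.1:5432:5432", "5432", "5432:5432/tcp".
    Long syntax:  {"target": 5432, "published": 5432, "host_ip": "127.0.0.1"}.
    A missing host IP means Docker binds the port on all interfaces.
    """
    if isinstance(entry, dict):
        return (entry.get("host_ip", "0.0.0.0"),
                str(entry.get("published", "")), str(entry["target"]))
    spec = str(entry).split("/")[0]        # drop an optional /tcp or /udp suffix
    parts = spec.rsplit(":", 2)            # at most host_ip:host_port:container_port
    if len(parts) == 3:
        return (parts[0], parts[1], parts[2])
    if len(parts) == 2:
        return ("0.0.0.0", parts[0], parts[1])
    return ("0.0.0.0", "", parts[0])       # bare port: random host port, all interfaces


def audit_compose(compose):
    """Return a list of human-readable findings for the services in a compose dict."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for entry in svc.get("ports", []):
            host_ip, host_port, cport = parse_port(entry)
            if host_ip in ALL_INTERFACES:
                findings.append(f"{name}: container port {cport} published on all "
                                f"interfaces (host port {host_port or 'random'})")
        # Absence of `user:` is not proof of root (the Dockerfile may set USER),
        # but it is the case the report asks us to review service by service.
        if not svc.get("user"):
            findings.append(f"{name}: no user set, processes run as the image default")
    return findings


# Constructed compose fragments; image names are placeholders, not real tags.
EXPOSED_COMPOSE = {"services": {
    "db": {"image": "example/postgis:PLACEHOLDER", "ports": ["5432:5432"]}}}
HARDENED_COMPOSE = {"services": {
    "db": {"image": "example/postgis:PLACEHOLDER",
           "ports": ["127.0.0.1:5432:5432"], "user": "postgres"}}}

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(label, audit_compose(cfg) or ["no findings"])
```

Binding to 127.0.0.1 in the compose file is the reliable fix: on a default Docker install, published ports are reachable through Docker's own iptables chains regardless of host firewall rules added with tools like ufw.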
