putilov_denis - stock.adobe.com
Boost Docker API security to protect ports
Unguarded Docker APIs can let in unwanted visitors and expose data to hackers. To shield your Docker environment, follow these best practices -- and avoid common pitfalls.
The Docker Engine API is a powerful tool for administrators and developers to manage the Docker environment -- either manually or programmatically.
Readers might use the API without even realizing it: When using the Docker command line, the command passes the request to the Docker daemon by communicating with the Docker API.
How does the Docker API work?
The Docker Engine API enables users to spawn new services, destroy existing ones and everything in between. But, by Docker's own admission, it's an all-or-nothing proposition by default -- those with access to the Docker Linux group can do anything.
Therefore, it is critical that IT organizations monitor and protect the API to control access and prevent attacks. Those IT teams that use the Docker command successfully with privileges can exfiltrate data.
Docker API security
By default, the Docker API is available only via a local loopback address, so it is never exposed beyond the boundaries of the local Docker host. Unfortunately, that doesn't provide protection beyond a small collection of hosts due to the management overhead and lack of a centralized management platform.
To use the system productively, administrators must enable the TCP/IP interfaces. Access control comes from having a secure and trusted certificate authority and limiting trust to clients who present a certificate signed by that same authority.
An alternative -- and less recommended method -- is to use SSH keys. The SSH key integrates into the authentication process and passes to the Docker host when any action is performed. Key management might be burdensome, but it boosts security beyond a username/password combination.
Secure Socket Layer (SSL) is a security protocol that provides end-to-end encryption. The well-known HTTPS on websites derives the "S" from SSL. SSL encryption signs certificates for sites to mathematically prove their identity and can't be forged -- if the signing key is secure -- and keeps third parties out.
Web browsers trust a range of root certificates -- think GoDaddy, Cloudflare or corporate self-managed certificates. These root certificates are included in the browser's certificate store and extend their trustworthiness to certificates by signing them. Because the browser trusts the root certificate, it trusts items the site signs.
What does this have to do with Docker security? Trusted authorities sign the certificates (their identities), providing a trusted method of access verification.
Keep these certificates in a safe location. Should anyone get hold of the certificates, it would create a management nightmare. The Docker client can manage several certificate-based configurations within Docker Contexts.
A security-conscious network configuration restricts which workstations can connect to the management backplane and, thus, access the Docker API.
A separate network for server infrastructure management with restricted access is an additional security strengthening step. Occasionally, administrators will enable access to hosts through a poorly configured front end and expose the ports to the public-facing internet.
Avoid these errors, as it takes only one misconfiguration or zero-day exploit for someone to gain access.
Nmap, an open source scanning tool, has built-in functionality to identify Docker hosts listening on ports 2735 and 2736. Unfortunately, hackers can do the same -- and it's extremely easy to do -- so such configuration errors made in production can compromise the system.
The free version of Docker doesn't include any form of role-based access control (RBAC) management. This means any user who can access the API can use the full breadth of Docker commands. However, later versions of Docker Enterprise Edition (EE) support RBAC, so administrators can restrict which actions users perform in the environment.
For example, IT admins can allow specific users read-only access so they can perform required reporting but cannot change any parts of the environment. For those who don't want to use the EE version, tools such as Portainer provide some semblance or version of RBAC.
Securing the Docker API isn't just one item, but a series of steps to secure the entire infrastructure. A lot of these steps include basic information security best practices, limiting access to well-protected hosts with certificates and correctly configured security measures. Those with Docker EE have more resources available to manage who can do what in the environment.