< Return to Blog

HOWTO Secure Docker & Prevent Leaking Access to Hackers

Docker needs to be configured to prevent leaking container ports to the outside world and there are two approaches, depending on your version of Ubuntu installed.

For sysvinit and upstart based systems, you can edit /etc/default/docker and change the docker options ENV var to DOCKER_OPTS="-r=false --iptables=false".

Since I'm using Ubuntu v16.x LTS running systemd I performed the following

$ mkdir /etc/systemd/system/docker.service.d
$ cat << EOF > /etc/systemd/system/docker.service.d/noiptables.conf
ExecStart=/usr/bin/docker daemon -H fd:// --iptables=false

$ service docker restart

Initially, nmap reported this port as open 6379/tcp open unknown, however, with the above service drop-in activated by restarting the docker service and ensuring ufw is active, this port is now shown as filtered (since ufw blocks all non-whitelisted inbound access) —

-> % ufw allow 22/tcp
-> % ufw enable

-> % nmap -P0 128.xxx.xxx.xx -p 6379

Starting Nmap 7.12 ( https://nmap.org ) at 2017-03-01 18:32 IST
Nmap scan report for 128.xxx.xxx.xx
Host is up.
6379/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds