21 lines
1.2 KiB
Plaintext
21 lines
1.2 KiB
Plaintext
Exposing administration services can lead to unauthorized access of containers
|
|
or escalation of privileges inside of containers.
|
|
|
|
A port that is commonly used for administration services is marked as being open
|
|
through the `EXPOSE` command. Administration services like SSH might contain
|
|
vulnerabilities, hard-coded credentials, or other security issues that increase
|
|
the attack surface of a Docker deployment. +
|
|
Even if the ports of the services do not get forwarded to the host system, by
|
|
default they are reachable from other containers in the same network. A
|
|
malicious actor that gets access to one container could use such services to
|
|
escalate access and privileges.
|
|
|
|
Removing the `EXPOSE` command is not sufficient to be secure. The port is still
|
|
open and the service accessible. To be secure, no administration services should
|
|
be started. Instead, try to access the required information from the host system.
|
|
For example, if the administration service is included to access logs or debug
|
|
a service, you can do this from the host system instead. Docker allows you to
|
|
read out any file that is inside of a container and to spawn a shell inside of
|
|
a container if necessary.
|
|
|