Securing your Docker Containers: An Overview
First off, let me start by telling you what Docker is.
What Docker essentially does is let you build and deploy application services in the form of containers. Containers use the host's OS kernel directly, rather than running on a hypervisor the way VMs do.
By default, a container holds the dependencies and libraries that the application or service needs in order to run.
Rather than running different applications on different VMs, Docker containers share their host's kernel, so they consume minimal resources on the host.
Now, let's see how this diagram differentiates Docker and VMs:
So, taking Docker -
In the first layer, we have the infrastructure, which is the hardware of the host on which Docker is running. The second layer is the host operating system, which can essentially be anything, but in most cases it is going to be Linux. On top of that is the Docker layer, and then the various applications.
What's different on the VM side is that each virtual machine needs its own guest operating system, which means a lot of resource usage, whereas Docker uses the host operating system's kernel, which saves resources.
Next, let's move on to securing containers.
Look at the CVEs that have been discovered for Docker: there are very few. From 2014 to 2021 there are only a total of 34 vulnerabilities, so they are doing great work in securing Docker. But it's always better to be safe than sorry.
Why is securing containers important?
It is important because the container image contains all the components that will eventually be running your app, right? So if vulnerabilities exist in the container image, the risk and potential severity of security issues in production increase. That in turn means extra monitoring work in production that could have been avoided.
Threats to Container Security
- Data Breaches: This is the most common threat. There was a data breach in 2019 in which the data of 190,000 Docker Hub users was compromised. Link to the article: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/docker-hub-repository-suffers-data-breach-190-000-users-potentially-affected
- Container Image Vulnerabilities: If your container image hasn't been updated to the latest version, or has vulnerabilities even in its latest version, it is obviously dangerous to deploy apps on it.
- Network Exposure: If you read my previous story about OSINT, you know that every device you connect to the internet adds attack surface for a hacker. One search engine that indexes internet-exposed and IoT devices is Shodan. So if we search for Docker on it:
And if I click on the arrow for the first result, it redirects me to a site with a login page.
This is very dangerous and can easily be brute-forced.
So the strongest type of container is one that allows no network traffic at all. These are called closed containers: the processes running in them have access only to the loopback interface, so they can only communicate with themselves over the loopback address.
- Misconfigured Containers: This refers to containers that haven't been configured properly. There was an attack in which hackers exploited a misconfigured Docker API port to run an Ubuntu container with the Kinsing malware, which then started crypto-mining software and eventually spread the malware to other containers.
PS - There are obviously many more threats to Docker (and containers in general), but I have discussed only the more common ones.
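The network-exposure and misconfiguration threats above can be checked from a container's own runtime settings. The following Python script is an added example, not code from this post or from Docker: it reads the JSON that `docker inspect <container>` prints (only the handful of fields it needs) and flags a published Docker API port, host networking or any network mode other than the closed-container `none` (what `docker run --network none` gives you), `--privileged`, added capabilities, a root user, and a `none` log driver. The sample JSON is constructed, and the severity labels and the list of risky capabilities are my own choices.

```python
"""Audit a container's runtime settings (added example, not from the post).
Reads the JSON printed by `docker inspect <container>` and flags the
network-exposure and misconfiguration problems discussed above."""
import json
import sys

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields this script looks at.  It deliberately shows several bad settings.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/web",
    "Config": {"User": "", "Image": "myapp:latest"},
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "bridge",
        "CapAdd": ["SYS_ADMIN"],
        "PortBindings": {
            "2375/tcp": [{"HostIp": "0.0.0.0", "HostPort": "2375"}],
            "8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}],
        },
        "LogConfig": {"Type": "none", "Config": {}},
    },
}])

DOCKER_API_PORTS = {"2375/tcp", "2376/tcp"}  # Docker daemon API, plain and TLS
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}  # my selection


def audit_container(cfg: dict) -> list:
    """Return (severity, message) findings for one `docker inspect` entry."""
    findings = []
    name = cfg.get("Name", "?").lstrip("/")
    host = cfg.get("HostConfig") or {}
    conf = cfg.get("Config") or {}

    # Network exposure: a closed container (`docker run --network none`)
    # has only loopback; host networking removes the namespace entirely.
    mode = host.get("NetworkMode", "default")
    if mode == "host":
        findings.append(("HIGH", f"{name}: uses the host network namespace"))
    elif mode != "none":
        findings.append(("INFO", f"{name}: network mode '{mode}', not a closed container"))

    # Published ports: an empty HostIp or 0.0.0.0 means every interface,
    # which is how a Docker API port ends up reachable from the internet.
    for port, binds in (host.get("PortBindings") or {}).items():
        for b in binds or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                if port in DOCKER_API_PORTS:
                    findings.append(("CRITICAL", f"{name}: Docker API port {port} published on all interfaces"))
                else:
                    findings.append(("MEDIUM", f"{name}: port {port} published on all interfaces"))

    # Privileges: --privileged, extra capabilities, root user.
    if host.get("Privileged"):
        findings.append(("CRITICAL", f"{name}: started with --privileged"))
    caps = set(host.get("CapAdd") or []) & RISKY_CAPS
    if caps:
        findings.append(("HIGH", f"{name}: added capabilities {sorted(caps)}"))
    if not conf.get("User"):
        findings.append(("HIGH", f"{name}: runs as root (no user set)"))

    # Logging: with the 'none' driver nothing survives the container.
    if (host.get("LogConfig") or {}).get("Type") == "none":
        findings.append(("MEDIUM", f"{name}: log driver 'none', logs are not retained"))
    return findings


def audit_inspect_json(text: str) -> list:
    """Audit every container in a `docker inspect` JSON array."""
    return [f for cfg in json.loads(text) for f in audit_container(cfg)]


if __name__ == "__main__":
    # Pipe real output in (docker inspect web | python3 audit.py) or run
    # without input to audit the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for sev, msg in audit_inspect_json(text):
        print(f"[{sev}] {msg}")
```

Against the constructed sample the script reports six findings, two of them critical (the API port bound to every interface and `--privileged`), while the port bound to 127.0.0.1 is left alone. A container started with `--network none`, a non-root `--user` and a normal log driver produces no findings at all.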
Some Best Practices for Container Security
- Restrict Container Privileges at Runtime - Containers typically run as a user with root privileges, and that is normal because various system operations require it. But running containers as root introduces a major security risk: it enables attackers to leverage privilege escalation within the container, which can be really dangerous. The solution is as simple as running containers as a non-root user.
- Automate Vulnerability Scanning and Management - Vulnerability scanning of local Docker images lets developers and development teams review the security state of their container images and fix the issues identified during the scan, resulting in more secure deployments. Some tools used for this are Clair, Anchore and Dagda.
- Set up Real-Time Monitoring and Alerting - Containers are ephemeral in nature, which means stateless. You need to collect metrics and logs and send them to a centralized location right away for safekeeping; otherwise they are deleted along with the container. This is why it is more challenging than with conventional VMs and servers. Monitoring such an infrastructure is a must and a critical step in ensuring the optimal performance of your containers.
- Manage Secrets Securely - This means avoiding storing secrets and credentials in configuration files. Otherwise this sensitive data gets copied into the container and cached in intermediate image layers, where it remains even after the container is removed, which can be pretty dangerous.
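Two of the practices above, running as a non-root user and keeping secrets out of image layers, can be checked before an image is ever built. The Python script below is an added example, not code from this post or from Docker: it parses a Dockerfile (joining backslash continuations) and flags a missing or root `USER` instruction, `ENV`/`ARG` names that look like secrets, and credential files copied into a layer. The Dockerfile it checks is constructed, and the name and filename patterns are a small heuristic I chose for illustration, not a complete secret scanner.

```python
"""Static check of a Dockerfile for a non-root USER and for secrets baked
into image layers (added example, not code from the post or from Docker)."""
import re

# Constructed Dockerfile showing the mistakes the check is looking for.
SAMPLE_DOCKERFILE = """\
FROM python:3.11-slim
ENV API_KEY=sk_example_not_a_real_key
ARG DB_PASSWORD
COPY .env /app/.env
COPY . /app
RUN pip install --no-cache-dir \\
    -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

# Heuristics chosen for this example; a real secret scanner does far more.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
SECRET_FILE = re.compile(r"(^|/)(\.env|id_rsa|id_ed25519|credentials(\.json)?|[^/]*\.pem)$")


def parse_dockerfile(text: str) -> list:
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations."""
    pairs, parts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        continued = line.endswith("\\")
        parts.append(line.rstrip("\\").strip())
        if continued:
            continue
        instr, _, arg = " ".join(parts).partition(" ")
        pairs.append((instr.upper(), arg.strip()))
        parts = []
    return pairs


def check_dockerfile(text: str) -> list:
    """Return human-readable findings for the practices discussed above."""
    findings = []
    user = None
    for instr, arg in parse_dockerfile(text):
        if instr == "USER":
            user = arg
        elif instr in ("ENV", "ARG"):
            # ENV and ARG values are recorded in the image config and layer
            # history (`docker history` shows them), so they outlive the build.
            for token in arg.split():
                key = token.split("=", 1)[0]
                if SECRET_NAME.search(key):
                    findings.append(f"{instr} {key}: secret-looking value baked into the image")
        elif instr in ("COPY", "ADD"):
            # Everything but the last token is a source path; skip flags.
            for src in arg.split()[:-1]:
                if not src.startswith("--") and SECRET_FILE.search(src):
                    findings.append(f"{instr} {src}: credential file copied into a layer")
    if user is None:
        findings.append("no USER instruction: the container runs as root")
    elif user.split(":")[0] in ("root", "0"):
        findings.append(f"USER {user}: explicitly root")
    return findings


if __name__ == "__main__":
    for finding in check_dockerfile(SAMPLE_DOCKERFILE):
        print("-", finding)
```

The constructed Dockerfile yields four findings: the `ENV` API key, the `ARG` password, the copied `.env` file, and the missing `USER`. The fix for the last one is a `RUN useradd -r app` followed by `USER app`; for the secrets, a value needed only during the build can be supplied through BuildKit's `RUN --mount=type=secret,...` so it never lands in a layer, and values needed at runtime belong in the environment or a secrets store that is injected when the container starts, not in the image.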
In conclusion, container security is a critical aspect of deploying and managing containers in production environments. Ensuring the security of containers requires addressing multiple security concerns, such as vulnerability management, network security, data protection, and compliance.
Connect with me on LinkedIn: https://www.linkedin.com/in/aayush-dasgupta/