How to get public access to Docker on AWS and secure it from hackers and attackers

  • Post by Weekend Wiki (Keymaster)
    To get public access to Docker on AWS and secure it from hackers and attackers, you need to take specific steps to expose Docker services safely and implement security measures to protect them.

    1. Expose Docker to the Public via AWS

    Option 1: Expose Docker via EC2 Instance (Basic Setup)

    If you’re running Docker on an EC2 instance and want to expose it publicly:

    1. Launch EC2 Instance
      • Launch an EC2 instance with an OS like Amazon Linux or Ubuntu.
      • Ensure you choose an instance type that meets your needs and configure your security group.
    2. Security Group Configuration
      • In the EC2 Security Group, allow public access only to the ports your services actually use (e.g., HTTP port 80, or custom ports for other services).
      • Set specific ports based on the services you want to expose:
        • For HTTP: Open port 80 (if a web server runs inside a container).
        • For the Docker remote API: Open port 2375 (unencrypted) or 2376 (TLS, see section 2a).

      Example rule:

      • Type: Custom TCP Rule
      • Protocol: TCP
      • Port Range: 2375 (Docker remote API)
      • Source: 0.0.0.0/0 allows access from anywhere; restrict it to specific IPs for better security, because on the unencrypted port 2375 anyone who reaches the API has root-equivalent control of the instance.
    3. Enable Docker Remote API
      • If you want to expose Docker’s remote API (via port 2375), modify the Docker daemon configuration. Note that if dockerd is started by systemd with -H fd:// on its command line, as Ubuntu’s docker-ce unit does, a "hosts" entry in daemon.json conflicts with that flag and the daemon fails to start; override ExecStart in a systemd drop-in to remove the -H flag before using this file.
        sudo nano /etc/docker/daemon.json
        

        Add the following:

        {
          "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
        }
        
      • Restart Docker:
        sudo systemctl restart docker
        
    4. Access Docker Remotely
      • Now, from any system, you can access Docker remotely with:
        docker -H tcp://<ec2-public-ip>:2375 ps
        

    2. Securing Docker Access from Hackers and Attackers

    Exposing Docker remotely comes with risks. To minimize potential threats, you must secure the Docker API and the instance where Docker is running. Here’s how:

    a. Use Docker API Over TLS/SSL for Encryption

    The Docker remote API is unencrypted by default. To secure it with TLS, follow these steps:

    1. Generate TLS Certificates for the Docker API: You can generate the necessary certificates using OpenSSL. The server certificate must carry the address clients connect to as a subject alternative name (the Docker client ignores the Common Name), and the client needs its own certificate signed by the same CA, which is what step 4 presents:
      • Generate CA certificate:
        openssl genrsa -out /etc/docker/ca-key.pem 2048
        openssl req -new -x509 -key /etc/docker/ca-key.pem -out /etc/docker/ca.pem -days 3650
        
      • Generate server certificate (replace <ec2-public-ip> with the address clients will connect to; use DNS:<name> for a hostname):
        openssl genrsa -out /etc/docker/server-key.pem 2048
        openssl req -new -key /etc/docker/server-key.pem -out /etc/docker/server.csr
        echo "subjectAltName = IP:<ec2-public-ip>,IP:127.0.0.1" > /etc/docker/server-ext.cnf
        echo "extendedKeyUsage = serverAuth" >> /etc/docker/server-ext.cnf
        openssl x509 -req -in /etc/docker/server.csr -CA /etc/docker/ca.pem -CAkey /etc/docker/ca-key.pem -CAcreateserial -out /etc/docker/server-cert.pem -days 3650 -extfile /etc/docker/server-ext.cnf
        
      • Generate client certificate (copy key.pem, cert.pem and ca.pem to the machine you run the docker client from, and keep ca-key.pem off that machine):
        openssl genrsa -out /etc/docker/key.pem 2048
        openssl req -new -key /etc/docker/key.pem -out /etc/docker/client.csr
        echo "extendedKeyUsage = clientAuth" > /etc/docker/client-ext.cnf
        openssl x509 -req -in /etc/docker/client.csr -CA /etc/docker/ca.pem -CAkey /etc/docker/ca-key.pem -CAcreateserial -out /etc/docker/cert.pem -days 3650 -extfile /etc/docker/client-ext.cnf
    2. Configure Docker to Use TLS: Modify the Docker daemon configuration file (/etc/docker/daemon.json). "tlsverify" makes the daemon require a client certificate signed by your CA; with "tls" alone it only encrypts and still accepts any client. The CA option is spelled "tlscacert" (dockerd refuses to start when daemon.json contains a key it does not recognise):
      {
        "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
        "tls": true,
        "tlsverify": true,
        "tlscacert": "/etc/docker/ca.pem",
        "tlscert": "/etc/docker/server-cert.pem",
        "tlskey": "/etc/docker/server-key.pem"
      }
      
    3. Restart Docker:
      sudo systemctl restart docker
      
    4. Connect to Docker with TLS When accessing Docker remotely, ensure you’re using the proper certificates:
      docker -H tcp://<ec2-public-ip>:2376 --tlsverify --tlscacert=/path/to/ca.pem --tlscert=/path/to/cert.pem --tlskey=/path/to/key.pem ps
      
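    The daemon.json rules from this section, turned into a small audit script. This is an added example and not code from the original post: it flags a tcp:// listener that has no TLS, one that has "tls" but not "tlsverify", a misspelled TLS key such as "tlsca" (dockerd refuses to start when daemon.json contains a key it does not know), and an all-interfaces bind without client verification. The three sample configurations are constructed here: the post's plaintext config, its TLS config as originally written, and a corrected one.

```python
"""Audit a Docker daemon.json for insecure remote-API settings.

Added example, not code from the original post. It encodes the post's TLS
rules as a check: a tcp:// listener needs TLS with client verification
("tlsverify": true), the CA option is spelled "tlscacert" (dockerd refuses
to start on a key it does not know), and binding 0.0.0.0 without client
verification hands the host to whoever reaches the port.
"""
import json
from urllib.parse import urlsplit

# TLS-related keys that dockerd's daemon.json accepts.
TLS_KEYS = {"tls", "tlsverify", "tlscacert", "tlscert", "tlskey"}


def audit_daemon_config(text):
    """Return a list of findings for a daemon.json document; [] means clean."""
    cfg = json.loads(text)
    findings = []

    # Misspelled TLS keys (e.g. "tlsca") are a start-up failure, not a warning.
    for key in sorted(k for k in cfg if k.startswith("tls") and k not in TLS_KEYS):
        findings.append(f'unknown key "{key}": dockerd will refuse to start (the CA option is "tlscacert")')

    tcp_listeners = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme == "tcp":
            tcp_listeners.append((url.hostname, url.port))
    if not tcp_listeners:
        return findings  # unix socket only: nothing is reachable over the network

    tls = bool(cfg.get("tls"))
    tlsverify = bool(cfg.get("tlsverify"))
    for host, port in tcp_listeners:
        where = f"tcp listener {host}:{port}"
        if not (tls or tlsverify):
            findings.append(f"{where} has no TLS: API traffic is in clear text and unauthenticated")
        elif not tlsverify:
            findings.append(f'{where} encrypts but accepts any client; set "tlsverify": true')
        if host in ("0.0.0.0", "::") and not tlsverify:
            findings.append(f"{where} binds every interface without client verification")

    if tlsverify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f'"tlsverify" is set but "{key}" is missing')
    return findings


# Constructed inputs: the post's plaintext config, its TLS config as first
# written (with the misspelled "tlsca"), and a corrected version.
PLAINTEXT = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'
AS_POSTED = """{
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tls": true,
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsca": "/etc/docker/ca.pem"
}"""
HARDENED = """{
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, doc in (("plaintext", PLAINTEXT), ("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(f"{name}: {audit_daemon_config(doc) or ['ok']}")
```

    Run it against /etc/docker/daemon.json before restarting the daemon; an empty result for a tcp:// listener means client certificates are enforced, which is the state step 4's --tlsverify connection depends on.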

    b. Restrict Access to Docker API via Firewalls

    If you’re exposing Docker’s remote API on port 2375 or 2376, it’s critical to restrict access. Use AWS Security Groups or a firewall to only allow trusted IPs.

    1. Use a Security Group:
      • Restrict the Source IP in your Security Group to only allow specific IP addresses or ranges that should be able to connect to Docker remotely.
      • For example, instead of 0.0.0.0/0, you can set a specific IP or a range of trusted IPs.
    2. Use a VPN or SSH Tunnel: For added security, avoid exposing the Docker API directly to the internet. You can:
      • Set up a VPN (e.g., OpenVPN or WireGuard) to connect securely to your EC2 instance and access Docker from within the private network.
      • Alternatively, use an SSH tunnel to forward the port and reach the Docker API over the tunnel. In that case bind the daemon to tcp://127.0.0.1:2375 rather than tcp://0.0.0.0:2375, so nothing listens on the public interface:
        ssh -L 2375:localhost:2375 -i /path/to/key.pem ec2-user@<ec2-public-ip>
        docker -H tcp://localhost:2375 ps
        
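    A check for the security-group advice above, as an added example that is not part of the original post. It takes the structure that `aws ec2 describe-security-groups` returns (a list of groups, each with IpPermissions entries carrying IpProtocol, FromPort, ToPort, IpRanges and Ipv6Ranges) and reports each rule that lets 0.0.0.0/0 or ::/0 reach port 2375 or 2376; feed it the CLI's JSON or the `SecurityGroups` list from boto3's describe_security_groups() response. The group ids and CIDRs in the sample are constructed.

```python
"""Flag EC2 security-group rules that leave the Docker API open to the internet.

Added example, not code from the original post. It walks the structure that
`aws ec2 describe-security-groups` returns and reports every rule that lets
0.0.0.0/0 or ::/0 reach port 2375 or 2376, i.e. the post's "restrict the
source" rule as a check. Group ids and CIDRs below are constructed.
"""
import ipaddress

DOCKER_API_PORTS = (2375, 2376)
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "All traffic" rule: every port, every protocol
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_sources(perm):
    """CIDR sources of a rule that cover the whole IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False) in WORLD]


def audit_security_groups(groups):
    """Return (GroupId, port, source) for each world-open Docker API port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for port in DOCKER_API_PORTS:
                if rule_covers_port(perm, port):
                    for src in world_open_sources(perm):
                        findings.append((group["GroupId"], port, src))
    return findings


# Constructed sample in the shape of describe-security-groups output.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000000000000open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 2375, "ToPort": 2376,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-000000000000tight",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 2376, "ToPort": 2376,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for group_id, port, src in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: port {port} reachable from {src}; restrict to trusted CIDRs or use a VPN/SSH tunnel")
```

    The "-1" protocol branch matters in practice: an "All traffic" rule from 0.0.0.0/0 exposes the API just as much as an explicit port-2375 rule, and a port-only grep over the rules would miss it.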

    c. Enable Docker Authentication and Authorization

    Apart from the TLS client certificates described in section a, the Docker daemon has no built-in user-level authentication or authorization for remote API access. Here are options to improve security:

    1. Use a Reverse Proxy (e.g., Nginx or HAProxy): Set up a reverse proxy like Nginx to handle incoming requests and provide basic authentication or integrate with an identity provider.
    2. Docker Content Trust (DCT): Enable Docker Content Trust to verify image signatures, ensuring that only signed and trusted images are pulled:
      export DOCKER_CONTENT_TRUST=1
      
    3. Restrict Docker Container Capabilities: Limit the capabilities of containers, especially those running privileged containers. Use Docker’s security features like:
      • Docker User Namespaces: Isolate the container’s root user from the host’s root.
      • AppArmor/SELinux: Set security profiles to restrict container actions.
      • Seccomp: Use custom security policies to limit the system calls containers can make.

    d. Monitor Docker and Instance Security

    1. Enable Docker Logs: Docker logs can provide insights into security issues. Monitor logs for unusual activity, such as unauthorized access attempts.
      • View Docker logs:
        sudo journalctl -u docker
        
    2. Use AWS CloudWatch: Set up CloudWatch Logs to monitor Docker-related logs and send alerts in case of suspicious activity.
    3. Use Docker Security Scanning: Use Docker Hub’s built-in vulnerability scanning for images, or use third-party tools like Clair or Anchore to scan Docker images for vulnerabilities before deployment.
    4. Regular Updates and Patching: Ensure that Docker and your EC2 instance’s operating system are regularly updated with the latest security patches.
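    A concrete form of the log monitoring in this section, as an added example that is not part of the original post. Once the daemon runs with "tlsverify", a client that presents no certificate, or one not signed by your CA, is rejected during the TLS handshake and dockerd logs the failure; the script counts those failures per source address and alerts when one address crosses a threshold, which is the kind of rule you would also put behind a CloudWatch metric filter. The journal lines are constructed in the shape of `journalctl -u docker` output, and the "http: TLS handshake error from <ip>:<port>: <reason>" wording is an assumption based on the Go net/http server log that dockerd embeds.

```python
"""Spot repeated TLS client-certificate failures in dockerd's journal.

Added example, not code from the original post. With "tlsverify" enabled, a
client without a CA-signed certificate is rejected during the TLS handshake
and the daemon logs the failure. The sample lines are constructed in the
shape of `journalctl -u docker` output; the exact
"http: TLS handshake error from <ip>:<port>: <reason>" wording is an
assumption based on Go's net/http server log, which dockerd embeds.
"""
import re
from collections import Counter

# Source address may be IPv4 ("198.51.100.23") or bracketed IPv6 ("[2001:db8::9]").
HANDSHAKE_RE = re.compile(
    r'TLS handshake error from (?P<ip>\[[^\]]+\]|[^:\s]+):(?P<port>\d+): (?P<reason>[^"]+)'
)


def failed_handshakes(lines):
    """Map each source IP to the number of rejected TLS handshakes."""
    counts = Counter()
    for line in lines:
        m = HANDSHAKE_RE.search(line)
        if m:
            counts[m.group("ip").strip("[]")] += 1
    return counts


def handshake_alerts(lines, threshold=3):
    """Return (ip, count) for every source at or above `threshold` failures, busiest first."""
    return [(ip, n) for ip, n in failed_handshakes(lines).most_common() if n >= threshold]


# Constructed sample journal; addresses are from documentation ranges.
SAMPLE_JOURNAL = """\
Mar 03 10:01:12 ip-10-0-1-5 dockerd[1234]: time="2024-03-03T10:01:12.000Z" level=info msg="API listen on [::]:2376"
Mar 03 10:02:40 ip-10-0-1-5 dockerd[1234]: time="2024-03-03T10:02:40.000Z" level=error msg="http: TLS handshake error from 198.51.100.23:41202: tls: client didn't provide a certificate"
Mar 03 10:02:41 ip-10-0-1-5 dockerd[1234]: time="2024-03-03T10:02:41.000Z" level=error msg="http: TLS handshake error from 198.51.100.23:41210: tls: client didn't provide a certificate"
Mar 03 10:02:43 ip-10-0-1-5 dockerd[1234]: time="2024-03-03T10:02:43.000Z" level=error msg="http: TLS handshake error from 198.51.100.23:41218: remote error: tls: bad certificate"
Mar 03 10:05:02 ip-10-0-1-5 dockerd[1234]: time="2024-03-03T10:05:02.000Z" level=error msg="http: TLS handshake error from [2001:db8::9]:50022: tls: client didn't provide a certificate"
Mar 03 10:06:17 ip-10-0-1-5 dockerd[1234]: time="2024-03-03T10:06:17.000Z" level=error msg="http: TLS handshake error from 198.51.100.23:41230: tls: client didn't provide a certificate"
Mar 03 10:07:00 ip-10-0-1-5 dockerd[1234]: time="2024-03-03T10:07:00.000Z" level=info msg="ignoring event" container=abc module=libcontainerd
""".splitlines()

if __name__ == "__main__":
    for ip, n in handshake_alerts(SAMPLE_JOURNAL):
        print(f"ALERT: {n} rejected TLS handshakes from {ip}; confirm the source is expected and tighten the security group if not")
```

    A single failure is usually a misconfigured client; a burst from one address that is not in your security group allow-list is the signal that the list is wider than intended.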

    3. Best Practices for Secure Docker Deployment

    • Avoid running Docker as root: Run Docker commands as a non-root user added to the docker group, and treat that group membership as root-equivalent, since the daemon itself runs as root and anyone who can reach its socket gets the same privileges on the host.
    • Limit container capabilities: Use --cap-drop and --cap-add options to restrict container capabilities.
    • Use private registries: For production, use Amazon ECR or other private Docker registries to store your images securely.

    By following these steps, you can expose Docker services to the public securely and reduce the risk of attacks and vulnerabilities.

    Let me know if you need further clarification on any of these steps!
