Learn the best strategies to protect your containers and data.
Joey Miller • Posted September 23, 2023
Docker is not inherently secure by default, especially since the daemon-container architecture runs as
root by default.
There are many ways you can significantly limit the consequences of an attack should one compromise your system via your services/containers.
This post served as my guide when getting started with self-hosting. This list is in no way comprehensive, so let me know in the comments if you have any suggestions to expand this list.
Running Docker without requiring root (administrative) privileges on the host system is one of the first things you should do to enhance security. If an attacker can gain access to an externally-facing Docker container, there is more of a risk that they can escalate to having significant control over the host system. Running Docker
rootless will reduce the potential attack surface.
Although there are some difficulties that this can bring (as it goes against how Docker was initially designed), it is possible to force the Docker daemon to run as a non-root user. See my guide about dealing with the caveats of rootless docker.
Alternatively, consider replacing Docker with Podman. Podman is interoperable (OCI-compatible) but has a different architecture - it does not have a central
root daemon. Podman containers are spawned as child processes of the user.
A reverse proxy is a service that acts as an intermediary between the client (requester) and the web services. A reverse proxy will be responsible for forwarding the client requests to the backend services. It offers several security and performance benefits, which include:
fail2ban (described in more detail below).
As mentioned prior, tools such as Crowdsec or fail2ban are designed to protect systems from unauthorized access. They do this by monitoring log files for suspicious or threatening behaviour. They can mitigate these attacks by taking action such as using the host firewall to temporarily block the offending IP address.
If you don't care about the mitigation functionality, using a tool like Grafana allows you to monitor various network-related metrics and data. This would provide more visibility to the threats you are facing.
All of these tools are available as Docker containers, making them a fairly easy way to manage external threats.
Outdated Docker images may contain bugs or vulnerabilities that can be prevented by running the latest versions.
There are a couple of ways you can stay up to date:
docker-compose.yml files. If your infrastructure is version-controlled (i.e. in
git), consider a tool like Renovate. This will enable you to get automated pull requests to update any outdated images.
Isolated container networking helps prevent malicious or compromised containers from directly communicating with other containers (or the host system).
There are many methods, but some of the ways you might go about this include:
host networking. Docker
host networking removes any isolation between the container and the host.
iptables to only allow traffic to/from some containers. Otherwise, some tools (such as
trafficjam) exist that can simplify this.
Additionally, consider limiting internet access for containers that do not require it. This reduces the number of potential entry points for attackers.
docker network create --driver bridge isolated_network
docker run --network isolated_network --name my_container imagename
Make sure you take regular backups of your Docker data. Any persistent data should be saved in a volume-mount or a host-mount. By regularly backing up this data you ensure that critical data is protected, and you can rapidly restore your services in the event of an issue/corruption/security incident.
Following the principle of least privilege, make sure that only volumes/mounts that need write access on the host are permitted to do so.
Note: Where possible, you should also avoid exposing
To ensure a running container does not consume too many of the host machine's resources, Docker allows you to set limits. This can provide some mitigation of DoS attacks, and provide fairer resource allocation across containers.
Docker allows for resource constraints such as:
For more information and other techniques to secure your Docker architecture have a read of the Docker OWASP cheat sheet.
If you found this post helpful, please share it around: