Recently I have encountered a cyber attack in one of the projects. This attack is mostly happening in container based environments. A Malicious container gets deployed in the docker environment that consumes the complete system resources and kills all the deployed applications.
These malicious containers are mainly used for purposes like bitcoin mining and other external attacks. So we need to be extremely careful while using docker images and maintaining docker environments.
Based on my experience, I have prepared a checklist to ensure security in the application and deployment environments.
- Do not use any untrusted container registries
- Always use project specific private registries for storing docker images.
- Always secure your registries by enabling authentication and TLS communication. Never expose insecure communication from the registries.
- Do not use images from untrusted providers that are present in public registries like DockerHub. I have identified several vulnerable images in DockerHub which has names similar to commonly used images.
- Always assess the image contents by analyzing the script inside the Docker file.
- Always ensure that you are using a trusted and secure base image to build the application images. Store these base images in your project specific private registries.
- Periodically review the images present in your docker registry and watch for any unknown updates and images.
- Handle the registry credentials properly. Use secrets or key vault to store registry credentials.
- Never expose Docker API to public network. Always enable TLS in the docker API
- Do not run application in privileged docker containers
- Always enforce resource constraints in the application workload and namespace.
- Restrict the access to registries only from the deployment and build environments.
- Ensure to enable only the inbound and outbound traffic from trusted sources and to trusted destinations. Never keep the access open to the entire internet.
There are ready made frameworks that can generate malicious code that can run on various platforms and grab the complete control of the system remotely. I am not posting the details of those frameworks to the broader group. Those frameworks can create big damage to your entire system. It is always to take preventative measures rather than applying curing techniques after getting affected.
I hope my message is clear. Feel free to comment if you have any questions or suggestions.