Many sites use Docker for development or to provide automated deployment of software or containers via GitLab runners or similar solutions. In the past weeks we have seen some incidents related to Docker API misconfiguration and would like to address the security measures related to API security.

Exposing the Docker API to the public Internet can lead to serious security vulnerabilities, including the installation of malware. Attackers often look for publicly reachable Docker API endpoints (typically on port 2375, but others exist) and exploit them to gain unauthorised access. Once they have access, they can deploy malicious containers, execute arbitrary commands and install malware.

There have been some recent campaigns where attackers have targeted exposed Docker APIs to deploy cryptojacking malware, such as this one. Attackers scanned for open Docker API ports, queried the Docker version, and then exploited the API to run malicious containers. This allowed them to bind the host’s root directory into the container, giving them extensive control over the host system.

Recommendations to prevent such attacks and to secure your APIs:

  • Restrict API access: avoid exposing the Docker API to the public internet. If remote access is necessary, use a VPN or other secure methods to access the Docker daemon. Configure firewall rules to restrict access to the Docker API to trusted IP addresses only. Expose your Docker API to a private/internal network only.
  • Use TLS for API communication to secure data in transit.
  • Run containers as unprivileged users and in user namespaces; using user namespaces reduces the attack surface.
  • Patch the software on the host and in the containers regularly.
  • Use secure and updated images for containers: run security scans before using them, do not use third-party container images from untrusted or unknown sources.
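As an added example (not from the original post), a small Python audit that checks a Docker daemon.json against the first three recommendations above: a tcp:// listener bound to all interfaces, a remote listener without tlsverify, tls without tlsverify, missing certificate paths and a missing userns-remap. The two configurations are constructed samples; the keys read (hosts, tls, tlsverify, tlscacert, tlscert, tlskey, userns-remap) are the daemon.json option names.

```python
import json
from typing import List
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (illustrative, not from a real host).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "userns-remap": "default",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"0.0.0.0", "::"}


def audit_daemon_config(raw: str) -> List[str]:
    """Return findings for a daemon.json text; an empty list means no issue found."""
    cfg = json.loads(raw)
    findings = []
    # Every tcp:// entry in "hosts" is a network-reachable API listener.
    for h in (x for x in cfg.get("hosts", []) if x.startswith("tcp://")):
        host = urlsplit(h).hostname or ""
        if host in WILDCARD:
            findings.append(f"{h}: API bound to all interfaces")
        if host not in LOOPBACK and not cfg.get("tlsverify"):
            findings.append(f"{h}: remote listener without client-certificate auth (tlsverify)")
    # "tls" alone encrypts the connection but still accepts any client.
    if cfg.get("tls") and not cfg.get("tlsverify"):
        findings.append("tls is set without tlsverify: clients are not authenticated")
    if cfg.get("tlsverify"):
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} is missing")
    # Without user namespace remapping, uid 0 in a container is uid 0 on the host.
    if "userns-remap" not in cfg:
        findings.append("userns-remap not set: container root maps to host root")
    return findings


if __name__ == "__main__":
    for name, raw in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(raw) or ["no findings"])
```

The weak sample produces three findings (wildcard bind, no tlsverify, no userns-remap); the hardened sample produces none.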

For APIs in general consider also:

  • Use two-factor authentication where possible.
  • A username, password or token should never appear in the URL.
  • Put APIs on a separate network and monitor network traffic.

See also:
https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html

https://docs.docker.com/engine/security/