1. Background
In the earlier post "maven项目容器化运行之1-基于1Panel软件将docker镜像构建能力分享给局域网_1panel 构建镜像-CSDN博客" (Running a Maven project in containers, part 1: sharing the Docker image build capability with the LAN via 1Panel) I exposed the Docker port of the 1Panel software to the LAN. A colleague on the security team scanned it and flagged it as a high-risk vulnerability that could let an attacker gain full control of the Docker host.
2. Remediation advice
The security team gave the following advice.

High-risk finding 2: Docker Engine API is accessible without authentication. This could let an attacker gain full control of the Docker host.

Details: the Docker daemon is misconfigured to allow remote access without proper authentication. The Docker API port, usually 2375 or 2376, is exposed. Firewall rules improperly allow connections to the Docker API port from any IP address. This can lead to unauthorized access to and control of Docker containers, and from there to data leakage, system compromise, or abuse for malicious purposes such as cryptomining. An attacker could use it to execute arbitrary commands on the host.

Fixes:
1. Restrict API access: disable remote API access by default. If remote access is needed, use TLS encryption with client-certificate authentication.
2. Configure the Docker daemon: edit the Docker configuration file, usually /etc/docker/daemon.json:
{
  "tls": true,
  "tlscert": "/path/to/server-cert.pem",
  "tlskey": "/path/to/server-key.pem",
  "tlsverify": true,
  "tlscacert": "/path/to/ca.pem"
}
3. Generate TLS certificates: use OpenSSL to generate the CA, server and client certificates.
4. Configure the firewall: allow only specific IP addresses to reach the Docker API port, using iptables or the cloud provider's security-group settings.
5. Use a Unix socket: where possible, prefer the Unix socket over a TCP port for talking to Docker.
6. Update Docker: make sure the latest Docker version is in use so that the latest security fixes are applied.
7. Implement network isolation: reach the Docker API over a virtual private network (VPN).

3. Fixing it by configuring a firewall policy
1. Check whether my machine can reach the Docker port
In a cmd window, run curl -i http://10.1.230.94:2375/version. The result is:
C:\Users\Dell>curl -i http://10.1.230.94:2375/version
HTTP/1.1 200 OK
Api-Version: 1.45
Content-Type: application/json
Docker-Experimental: false
Ostype: linux
Server: Docker/26.1.3 (linux)
Date: Tue, 08 Oct 2024 09:07:16 GMT
Content-Length: 848

{"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"26.1.3","Details":{"ApiVersion":"1.45","Arch":"amd64","BuildTime":"2024-05-16T08:35:20.000000000+00:00","Experimental":"false","GitCommit":"8e96db1","GoVersion":"go1.21.10","KernelVersion":"3.10.0-1160.105.1.el7.x86_64","MinAPIVersion":"1.24","Os":"linux"}},{"Name":"containerd","Version":"1.6.32","Details":{"GitCommit":"8b3b7ca2e5ce38e8f31a34f35b2b68ceb8470d89"}},{"Name":"runc","Version":"1.1.12","Details":{"GitCommit":"v1.1.12-0-g51d5e94"}},{"Name":"docker-init","Version":"0.19.0","Details":{"GitCommit":"de40ad0"}}],"Version":"26.1.3","ApiVersion":"1.45","MinAPIVersion":"1.24","GitCommit":"8e96db1","GoVersion":"go1.21.10","Os":"linux","Arch":"amd64","KernelVersion":"3.10.0-1160.105.1.el7.x86_64","BuildTime":"2024-05-16T08:35:20.000000000+00:00"}
Opening http://10.1.230.94:2375/version in a browser also gets a response: the same JSON body as above.
So my machine really can reach it. My build server's IP is 10.1.230.232, my own machine is 10.1.210.197, and a colleague's machine is 10.2.125.55. I plan to allow only these 3 IPs to access the Docker port.
2. Set up the firewall rules
(1) First determine which firewall the Linux machine uses
It is usually iptables or firewalld. Check the status of the two services with systemctl status iptables and systemctl status firewalld; whichever one is running is the firewall in use. Clearly my machine uses firewalld.
[root@localhost ~]# systemctl status iptables
Unit iptables.service could not be found.
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since 二 2024-10-08 17:43:49 CST; 28min ago
     Docs: man:firewalld(1)
 Main PID: 14565 (firewalld)
    Tasks: 2
   Memory: 28.3M
   CGroup: /system.slice/firewalld.service
           └─14565 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

10月 08 17:43:48 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
10月 08 17:43:49 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
10月 08 17:43:49 localhost.localdomain firewalld[14565]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
10月 08 17:50:58 localhost.localdomain firewalld[14565]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
10月 08 17:54:06 localhost.localdomain firewalld[14565]: ERROR: INVALID_PROTOCOL: http
10月 08 17:58:15 localhost.localdomain firewalld[14565]: WARNING: ALREADY_ENABLED: rule family="ipv4" source address="10.1.210.197" port port="2375" protocol="tcp" accept
10月 08 17:58:47 localhost.localdomain firewalld[14565]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
10月 08 18:10:12 localhost.localdomain firewalld[14565]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
(2) Add the allow rules in firewalld and reload
# allow 3 IPs to reach port 2375
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.1.230.232" port port="2375" protocol="tcp" accept' --permanent
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.1.210.197" port port="2375" protocol="tcp" accept' --permanent
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.2.125.55" port port="2375" protocol="tcp" accept' --permanent
# reload the firewalld configuration
sudo firewall-cmd --reload
Without the reload, the rules do not take effect.
You can verify the rules with this command:
[root@localhost zones]# sudo firewall-cmd --zone=public --list-rich-rules
rule family="ipv4" source address="10.1.230.232" port port="2375" protocol="tcp" accept
rule family="ipv4" source address="10.1.210.197" port port="2375" protocol="tcp" accept
rule family="ipv4" source address="10.2.125.55" port port="2375" protocol="tcp" accept
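The same allow-list procedure as a small script, written for this page as an added example (not code from the original post or from 1Panel). It builds the exact rich-rule string firewalld expects (the quoting is easy to get wrong: values double-quoted inside the rule, the whole rule single-quoted on the command line), rejects malformed addresses before they reach firewall-cmd, applies the rules permanently and reloads, and then checks a `--list-rich-rules` listing both for every expected rule and for any unexpected source that is also allowed on the port. The function names, the ZONE and DOCKER_PORT variables and the constructed listing used in the usage comment are this example's assumptions; the three IPs and the port are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): restrict the Docker API port to an
# explicit list of source IPs with firewalld rich rules, then verify the result.
# Assumes firewalld is the active firewall and the commands run as root or via sudo.

DOCKER_PORT=2375   # the API port the post opens; 2376 is the conventional TLS port
ZONE=public        # zone assumed here; check with `firewall-cmd --get-active-zones`

# Print the rich-rule string for one source address on one TCP port.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' "$1" "$2"
}

# Sanity-check a dotted-quad IPv4 address so a typo does not open the port to
# the wrong host (or to nobody). Returns 0 when $1 is four octets in 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Add one permanent accept rule per allowed IP, then reload: permanent rules
# are inert until `firewall-cmd --reload` runs.
# Usage: apply_rules 2375 10.1.230.232 10.1.210.197 10.2.125.55
apply_rules() {
    port=$1; shift
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "refusing malformed address: $ip" >&2; return 1; }
        sudo firewall-cmd --zone="$ZONE" --permanent --add-rich-rule="$(rich_rule "$ip" "$port")"
    done
    sudo firewall-cmd --reload
}

# Audit a `firewall-cmd --zone=public --list-rich-rules` listing (passed in $1)
# against the intended allow list: every expected rule must be present, and no
# other source may be accepted on the port, since an extra rule widens exposure.
# Returns 0 only when the listing matches the allow list exactly.
# Usage: check_rules "$listing" 2375 ip1 ip2 ...
check_rules() {
    listing=$1; port=$2; shift 2
    rc=0
    for ip in "$@"; do
        if ! printf '%s\n' "$listing" | grep -Fxq "$(rich_rule "$ip" "$port")"; then
            echo "missing rule for $ip" >&2; rc=1
        fi
    done
    for seen in $(printf '%s\n' "$listing" | grep "port=\"$port\"" \
                  | sed -n 's/.*source address="\([^"]*\)".*/\1/p' || true); do
        case " $* " in
            *" $seen "*) ;;
            *) echo "unexpected source $seen accepted on port $port" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Live use on the Docker host (requires firewalld and root):
#   sudo systemctl enable --now firewalld        # survive a reboot (see note below)
#   apply_rules "$DOCKER_PORT" 10.1.230.232 10.1.210.197 10.2.125.55
#   check_rules "$(sudo firewall-cmd --zone=$ZONE --list-rich-rules)" \
#               "$DOCKER_PORT" 10.1.230.232 10.1.210.197 10.2.125.55 && echo "allow list matches"
```

Two points worth checking on a host set up like the post's. The systemctl status output above reports firewalld as `disabled` in systemd, so it is running now but will not start at the next boot, and the port would be open to the whole LAN again until `systemctl enable firewalld` is run. And the firewall only limits who can reach the port: the API still answers every request from the three allowed hosts without any authentication, which is why the advice list pairs the firewall with TLS client certificates.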
4. Handling other problems
1. 1Panel's port 15021 became unreachable
My Docker server was not installed by me; it came with 1Panel, and the firewall had not been enabled before. Running the commands above started the firewall, so port 15021 of my 1Panel platform and the ports mapped by its containers all became unreachable. So I first manually ran a command to allow port 15021 of 1Panel from any IP.
[root@localhost zones]# sudo firewall-cmd --zone=public --add-port=15021/tcp --permanent
success
2. Ports mapped by other containers in 1Panel became unreachable
Just add them in 1Panel; several ports can be added in one batch. You can view the current rules on 1Panel's firewall page, or run the command below.
[root@localhost zones]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 15021/tcp 22/tcp 80/tcp 443/tcp 14000/tcp 14001/tcp 14002/tcp 14003/tcp 16379/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="10.1.230.232" port port="2375" protocol="tcp" accept
	rule family="ipv4" source address="10.1.210.197" port port="2375" protocol="tcp" accept
	rule family="ipv4" source address="10.2.125.55" port port="2375" protocol="tcp" accept
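The post stops at the firewall, which leaves the API unauthenticated for the allowed hosts. Items 1 to 3 of the remediation advice in section 2 (TLS with client-certificate verification, the daemon.json keys, certificates generated with OpenSSL) are shown here as an added example for this page, not code from the original post, 1Panel or Docker. It generates a private CA, a server certificate for the Docker host and a client certificate, writes a daemon.json using the keys the advice lists plus `hosts` to move the TCP listener to 2376, and verifies that both certificates chain to the CA with the intended key usages. The directory, the CN values, the host address 10.1.230.94 from the post's curl check and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the CA, server and client
# certificates for Docker TLS client authentication and the matching daemon.json.
# Directory layout, subject names and function names are assumptions of this example.

# Generate a private CA plus server and client key pairs into $1 (a subshell, so
# cd and umask stay local). $2 is the host name or IPv4 address clients connect
# to; it goes into the server certificate's SAN so verification succeeds.
# Usage: gen_tls_certs /etc/docker/certs 10.1.230.94
gen_tls_certs() (
    set -e
    dir=$1; host=$2
    mkdir -p "$dir" && cd "$dir"
    umask 077   # private keys are created 0600

    # 1. CA key and self-signed CA certificate
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj "/CN=docker-ca" -out ca.pem

    # 2. Server key and CSR, signed by the CA with serverAuth and a SAN for $host
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -new -key server-key.pem -sha256 -subj "/CN=$host" -out server.csr
    case $host in
        *[!0-9.]*) san="DNS:$host" ;;   # a host name
        *)         san="IP:$host" ;;    # an IPv4 literal
    esac
    printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san" > server-ext.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -CAcreateserial -extfile server-ext.cnf -out server-cert.pem 2>/dev/null

    # 3. Client key and CSR, signed by the CA with clientAuth only, so a stolen
    #    client cert cannot be reused to impersonate the server
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -new -key key.pem -subj "/CN=client" -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -CAcreateserial -extfile client-ext.cnf -out cert.pem 2>/dev/null

    rm -f server.csr client.csr server-ext.cnf client-ext.cnf
    chmod 0444 ca.pem server-cert.pem cert.pem   # certificates are public; keys stay 0600
)

# Print a daemon.json that keeps the local Unix socket, listens with TLS on 2376
# and, with tlsverify, only answers callers presenting a certificate signed by ca.pem.
# Usage: write_daemon_json /etc/docker/certs > /etc/docker/daemon.json
write_daemon_json() {
    dir=$1
    cat <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "$dir/ca.pem",
  "tlscert": "$dir/server-cert.pem",
  "tlskey": "$dir/server-key.pem"
}
EOF
}

# Check that both issued certificates chain to the CA and carry the intended
# extended key usage. Returns 0 when everything validates.
verify_certs() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null &&
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null &&
    openssl x509 -in "$dir/server-cert.pem" -noout -text | grep -q 'TLS Web Server Authentication' &&
    openssl x509 -in "$dir/cert.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Live use on the Docker host (as root):
#   gen_tls_certs /etc/docker/certs 10.1.230.94 && verify_certs /etc/docker/certs
#   write_daemon_json /etc/docker/certs > /etc/docker/daemon.json && systemctl restart docker
#   # from an allowed client, with ca.pem, cert.pem and key.pem copied over:
#   curl --cacert ca.pem --cert cert.pem --key key.pem https://10.1.230.94:2376/version
```

Once the daemon is on 2376 with tlsverify, the firewall rules from section 3 should be repeated for 2376 and the 2375 rules dropped, and the plain `curl -i http://10.1.230.94:2375/version` check from step 1 should fail to connect. One caveat with the `hosts` key: if the systemd unit already passes `-H fd://` on the dockerd command line, the daemon refuses to start because the listeners are specified twice; the usual fix is a systemd drop-in that clears ExecStart and starts dockerd without `-H`.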