One-click TLS encryption for Docker API remote access
Background: a Docker deployment on an Alibaba Cloud server exposed the TCP socket without authentication, which led to cryptomining and DDoS abuse and to security warnings from the provider!
Docker Remote API, when misconfigured, can be accessed without authorization and abused by attackers.
An attacker can reach Docker data without any authentication, which may leak sensitive information; an attacker can also maliciously delete data on Docker.
An attacker can go further and use Docker's own features to read sensitive information on the host, modify sensitive files, and ultimately take full control of the server.
Preventing the vulnerability and DDoS attacks -- the only correct script on the whole Internet
1. Create the script in a suitable directory: mkdir /usr/local/ca ; vim ca.sh
#!/bin/bash
# Generates a private CA, a server certificate for the Docker daemon and a client certificate.
# SERVER must be the public IP of your own server: it is written into the server certificate's subjectAltName.
SERVER="<your server's public IP>"
PASSWORD="yangyanbin"   # passphrase protecting the CA private key
COUNTRY="CN"
STATE="shanghai"
CITY="shanghai"
ORGANIZATION="yangyanbin"
ORGANIZATIONAL_UNIT="pro"
EMAIL="23232423112@qq.com"
echo "starting..."
cd /usr/local/ca || exit 1
# 1. Passphrase-protected CA key and self-signed CA certificate, valid 10 years
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out ca-key.pem 4096
openssl req -new -x509 -passin "pass:$PASSWORD" -days 3650 -key ca-key.pem -sha256 -out ca.pem -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$SERVER/emailAddress=$EMAIL"
# 2. Server key and CSR; the certificate carries the server IP as SAN and is restricted to serverAuth
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$SERVER" -sha256 -new -key server-key.pem -out server.csr
# '>' on the first line so that re-running the script does not append duplicate extension lines
echo "subjectAltName = IP:$SERVER,IP:0.0.0.0" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out server-cert.pem -extfile extfile.cnf
# 3. Client key and certificate (CN=client), restricted to clientAuth so it cannot impersonate the server
openssl genrsa -out key.pem 4096
openssl req -subj "/CN=client" -sha256 -new -key key.pem -out client.csr
echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out cert.pem -extfile extfile-client.cnf
rm client.csr server.csr
# Copy the server-side files to /etc/docker as well; the daemon may reference either location, as long as the paths match
cp server-*.pem /etc/docker/
cp ca.pem /etc/docker/
echo "========end========"
2. Run the script
[root@yangyb mydocker]# sh ca.sh
starting...
Generating RSA private key, 4096 bit long modulus
.........................................................................................++
....................................++
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
................................++
..............................................................................................++
e is 65537 (0x10001)
Signature ok
After the shell script runs, the output files are generated under /usr/local/ca.
3. Edit the docker.service configuration: vim /lib/systemd/system/docker.service
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/usr/local/ca/ca.pem --tlscert=/usr/local/ca/server-cert.pem --tlskey=/usr/local/ca/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
4. Restart the service
systemctl daemon-reload
systemctl restart docker
5. Check the service status
[root@yangyb pem]# systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since 三 2023-11-01 16:23:07 CST; 11s ago
Docs: https://docs.docker.com
Main PID: 1616 (dockerd)
Tasks: 7
Memory: 26.4M
CGroup: /system.slice/docker.service
└─1616 /usr/bin/dockerd --tlsverify --tlscacert=/root/tls/pem/ca.pem --tlscert=/root/tls/pem/server-cert.pem --tlskey=/root/tl..
6. Open the port
# Open port 2376
Check which ports the firewall currently allows:
firewall-cmd --zone=public --list-ports
Add the Docker port:
firewall-cmd --zone=public --add-port=2376/tcp --permanent
Reload the firewall rules:
firewall-cmd --reload
7. Now connect over the Docker remote API without client authentication (run inside /usr/local/ca): the connection is rejected
[root@yangyb ca]# docker --tlsverify -H=39.101.165.196:2376 version
....
error during connect: Get "https://39.101.165.196:2376/v1.24/version": tls: failed to verify certificate: x509: certificate signed by unknown authority
8. Connect with the client certificate: OK
[root@yangyb ca]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=39.101.165.196:2376 version
Client: Docker Engine - Community
Version: 24.0.7
API version: 1.43
Go version: go1.20.10
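As an added example (not from the original post or from Docker): the three-certificate layout the script produces, built and checked with Go's crypto/x509, which is what the Docker client and daemon use underneath; it reproduces both the "certificate signed by unknown authority" rejection and the successful --tlsverify connection shown above. It uses Ed25519 keys instead of the script's RSA-4096 keys for speed, 203.0.113.10 is a constructed placeholder address, and BuildDockerPKI/Verify/issue are names chosen here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl with parentKey; a nil parent yields a self-signed certificate (the CA).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // Ed25519 here; the script uses RSA-4096
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildDockerPKI mirrors ca.sh: CA, server cert with IP SAN + serverAuth, client cert (CN=client) with clientAuth.
func BuildDockerPKI(serverIP string) (ca, server, client *x509.Certificate) {
	base := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(3650 * 24 * time.Hour)}
	}
	caT := base(serverIP, 1)
	caT.IsCA, caT.BasicConstraintsValid, caT.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, caKey := issue(caT, nil, nil)
	srvT := base(serverIP, 2)
	srvT.IPAddresses = []net.IP{net.ParseIP(serverIP)} // subjectAltName = IP:<server>
	srvT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	server, _ = issue(srvT, ca, caKey)
	cliT := base("client", 3)
	cliT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	client, _ = issue(cliT, ca, caKey)
	return ca, server, client
}

// Verify is the peer-side check behind --tlsverify: chain to the CA, name match (host "" skips it), EKU fits the role.
func Verify(cert, ca *x509.Certificate, host string, eku x509.ExtKeyUsage) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil
}
```

A server certificate verified against a CA other than the one that issued it fails exactly like the unauthenticated attempt above, and a serverAuth-only certificate is refused as a client certificate, which is why the script issues a separate cert.pem/key.pem pair.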
9. Download the certificates from the server's ca directory to your local computer
10. Configure the connection details in the IDEA Docker plugin
Related:
How to enable TLS authentication for the Docker Remote API and configure it in Portainer
www.xukecheng.tech/how-to-enab…