# Docker Server Security - Saved Configuration

**Date**: 2026-02-09
**Server**: docker (192.168.200.200)
**Status**: Security updates applied ✅, Firewall configuration ready for execution

## What Was Completed

### ✅ Security Updates Applied (2026-02-09)

- **Packages upgraded**: 107
- **Critical updates**: All applied
- **Status**: System up to date

```text
# Packages updated include:
- openssh-client, openssh-server (security)
- systemd, systemd-sysv (security)
- libssl3, openssl (critical security)
- python3, perl (security)
- linux-libc-dev (security)
- And 97 more packages
```

Note: the libssl3, systemd and openssh-server upgrades only take full effect once the processes linked against the old libraries have been restarted (`needrestart`, if installed, lists them), and a pending kernel update is only live after a reboot (`/var/run/reboot-required`). Check both before treating the server as patched.

## Pending: Firewall Configuration

### Current State

- **Firewall**: ❌ Not configured (currently INACTIVE)
- **Risk**: All Docker services exposed to network
- **Open Ports**:
  - 22 (SSH)
  - 5000, 8000, 8001, 8080, 8081, 8082, 8443, 9000, 11434 (Docker services)

### Recommended Configuration Options

#### Option A: Internal Only (Most Secure - Recommended)

**Use Case**: Docker services only accessed from internal network

```bash
ansible-playbook playbooks/secure-docker-server-firewall.yml -e "firewall_mode=internal"
```

**Result**:
- ✅ SSH (22): Open to all
- ✅ Docker services: Only accessible from 192.168.200.0/24
- ✅ External web access: Through NPM proxy
- 🔒 Direct external access to Docker ports: Blocked

SSH stays open to every source in all three modes. If SSH is only ever used from inside, restrict it to 192.168.200.0/24 as well once the playbook has run, or at least rate-limit it with ufw's `limit` action so repeated connection attempts from one address are throttled.

#### Option B: Selective External Access

**Use Case**: Specific Docker services need external access

```bash
# Example: Allow external access to ports 8080 and 9000
ansible-playbook playbooks/secure-docker-server-firewall.yml \
  -e "firewall_mode=selective" \
  -e "external_ports=8080,9000"
```

**Result**:
- ✅ SSH (22): Open to all
- ✅ Specified ports (8080, 9000): Open to all
- 🔒 Other Docker services: Only internal network

#### Option C: Custom Configuration

**Use Case**: You need full control

1. Test first:
   ```bash
   ansible-playbook playbooks/secure-docker-server-firewall.yml --check
   ```
2.
   Edit the playbook:
   ```bash
   nano playbooks/secure-docker-server-firewall.yml
   # Modify docker_service_ports variable
   ```
3. Apply:
   ```bash
   ansible-playbook playbooks/secure-docker-server-firewall.yml
   ```

## Docker Services Identification

These ports were found running on the docker server:

| Port  | Service             | Typical Use            | Recommend     |
|-------|---------------------|------------------------|---------------|
| 5000  | Docker Registry?    | Container registry     | Internal only |
| 8000  | Unknown             | Web service            | Internal only |
| 8001  | Unknown             | Web service            | Internal only |
| 8080  | Common web          | Jenkins/Tomcat/Generic | Via NPM proxy |
| 8081  | Unknown             | Web service            | Internal only |
| 8082  | Unknown             | Web service            | Internal only |
| 8443  | HTTPS service       | Web service (SSL)      | Via NPM proxy |
| 9000  | Portainer/SonarQube | Container mgmt         | Internal only |
| 11434 | Ollama?             | AI service             | Internal only |

Several rows are guesses from the port number alone. Before choosing a mode, map each port to its container with `docker ps --format '{{.Names}}\t{{.Ports}}'` on the server (and `ss -tlnp` to see which process, usually `docker-proxy`, owns the listener); a binding shown as `0.0.0.0:PORT` or `:::PORT` is published on every interface.

**Recommendation**: Use NPM (nginx) at 192.168.200.71 to proxy external web traffic to internal Docker services.

## Pre-Execution Checklist

Before running the firewall configuration:

- [ ] **Identify required external access**
  - Which services need to be accessed from outside?
  - Can they be proxied through NPM instead?
- [ ] **Verify NPM proxy setup**
  - Is NPM configured to proxy to Docker services?
  - Test internal access first
- [ ] **Have backup access**
  - Ensure you have console access if SSH locks you out
  - Or run from the server locally
- [ ] **Test in check mode first**
  ```bash
  ansible-playbook playbooks/secure-docker-server-firewall.yml --check
  ```
- [ ] **Monitor impact**
  - Check Docker containers still work
  - Verify internal network access
  - Test external access if configured

## Execution Instructions

### Step 1: Decide on firewall mode

Ask yourself:

1. Do any Docker services need direct external access? (Usually NO)
2. Are you using NPM proxy for web services? (Recommended YES)
3. Is everything accessed from internal network only?
   (Ideal YES)

### Step 2: Run the appropriate command

**Most Common** (Internal only + NPM proxy):

```bash
ansible-playbook playbooks/secure-docker-server-firewall.yml
```

This relies on `internal` being the playbook's default `firewall_mode`; if you are not certain of the default, pass `-e "firewall_mode=internal"` explicitly as in Option A.

**If you need external access to specific ports**:

```bash
ansible-playbook playbooks/secure-docker-server-firewall.yml \
  -e "firewall_mode=selective" \
  -e "external_ports=8080,9000"
```

### Step 3: Verify everything works

```bash
# Check firewall status
ansible docker -m shell -a "ufw status verbose" -b

# Check Docker containers still running
ansible docker -m shell -a "docker ps" -b

# Test SSH access
ssh dlxadmin@192.168.200.200

# Test internal network access (from another internal server)
curl http://192.168.200.200:8080

# Test services work through NPM proxy (if configured)
curl http://your-service.directlx.dev
```

Open the test SSH session before closing the one the playbook ran from, so a bad rule cannot lock you out.

`ufw status verbose` only proves what ufw manages. Ports that Docker publishes (`-p 8080:8080`) are accepted by Docker's own iptables rules in the FORWARD chain (the DOCKER and DOCKER-USER chains), which ufw's INPUT rules do not govern, so a Docker port can appear restricted in ufw and still answer from outside. The only trustworthy check for the Docker ports is a connection attempt from a host that is not in 192.168.200.0/24: it must be refused or time out. If it still connects, bind the container to an internal address (for example `-p 192.168.200.200:9000:9000`) or add matching rules in the DOCKER-USER chain.

### Step 4: Make adjustments if needed

```bash
# View current rules
ansible docker -m shell -a "ufw status numbered" -b

# Delete a rule (NUMBER is the index shown by "ufw status numbered")
ansible docker -m shell -a "ufw delete NUMBER" -b

# Add a new rule
ansible docker -m shell -a "ufw allow from 192.168.200.0/24 to any port 8000" -b
```

Rules added this way live only on the server, not in the playbook; record them (see Next Steps) or a later playbook run may not reproduce them.

## Rollback Plan

If something goes wrong:

```bash
# Disable firewall temporarily
ansible docker -m ufw -a "state=disabled" -b

# Reset firewall completely (deletes every rule and leaves ufw disabled)
ansible docker -m ufw -a "state=reset" -b

# Re-enable with just SSH (add the rule before enabling, or the enable step locks you out)
ansible docker -m ufw -a "rule=allow port=22 proto=tcp" -b
ansible docker -m ufw -a "state=enabled" -b
```

## Monitoring After Configuration

```bash
# Check blocked connections
ansible docker -m shell -a "grep UFW /var/log/syslog | tail -20" -b

# Monitor active connections
ansible docker -m shell -a "ss -tnp" -b

# View firewall logs (ufw block events are kernel log lines, not messages of the ufw unit)
ansible docker -m shell -a "journalctl -k --since '10 minutes ago' | grep UFW" -b
```

## Next Steps

1. **Review this document** carefully
2. **Identify which Docker services need external access** (if any)
3. **Choose firewall mode** (internal recommended)
4. **Test in check mode** first
5. **Execute the playbook**
6. **Verify services** still work
7.
   **Document any port exceptions** you added

## Files

- Playbook: `playbooks/secure-docker-server-firewall.yml`
- This guide: `docs/DOCKER-SERVER-SECURITY.md`
- Security audit: `docs/SECURITY-AUDIT-SUMMARY.md`

---

**Status**: Ready for execution when you decide
**Priority**: High (server currently has no firewall)
**Risk**: Medium (breaking services if not configured correctly)
**Recommendation**: Execute during maintenance window with console access available
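## Appendix: Added Examples

The port table in "Docker Services Identification" was built from what was listening; to tie each port to its container and see how it is bound, the following script (an added example, not part of the saved configuration or of the playbook) parses the output of `docker ps --format '{{.Names}}\t{{.Ports}}'`. It flags bindings on `0.0.0.0` or `::` as PUBLIC: Docker publishes those through its own iptables rules in the FORWARD/DOCKER-USER chains, which ufw's INPUT rules never see, so they stay reachable after ufw is enabled unless they are rebound to an internal address or covered in DOCKER-USER. The container names and bindings in `SAMPLE_PS` are constructed for illustration; run it with `--live` on the docker host to audit the real containers.

```bash
#!/usr/bin/env bash
# Audit Docker published ports and flag the ones bound to all interfaces.
# Input: one container per line, "<name><TAB><ports>" as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: "<name> <host-port> <container-port/proto> <verdict>" per published binding.
audit_port_bindings() {
  awk -F'\t' '
    {
      name = $1
      n = split($2, specs, /, */)              # e.g. "0.0.0.0:8080->80/tcp, :::8080->80/tcp, 5000/tcp"
      for (i = 1; i <= n; i++) {
        s = specs[i]
        if (s !~ /->/) continue                 # exposed but not published: reachable only on the bridge
        split(s, side, "->")                    # side[1] = host ip:port, side[2] = container port/proto
        hp = side[1]; sub(/.*:/, "", hp)        # host port follows the last colon
        ip = side[1]; sub(/:[0-9]+$/, "", ip)   # what remains is the bind address ("::" is IPv6 any)
        if (ip == "0.0.0.0" || ip == "::" || ip == "[::]") {
          verdict = "PUBLIC"                    # DNATed in PREROUTING; ufw INPUT rules do not apply
        } else {
          verdict = "LOCAL(" ip ")"             # reachable only via that one address
        }
        print name, hp, side[2], verdict
      }
    }'
}

# Distinct host ports published on every interface: the ones to rebind or cover in DOCKER-USER.
public_host_ports() {
  audit_port_bindings | awk '$4 == "PUBLIC" { print $2 }' | sort -un
}

# Constructed sample of "docker ps --format" output (assumed names; not taken from the real server).
SAMPLE_PS=$(printf 'registry\t0.0.0.0:5000->5000/tcp, :::5000->5000/tcp\nportainer\t127.0.0.1:9000->9000/tcp\nollama\t192.168.200.200:11434->11434/tcp\nweb\t0.0.0.0:8080->80/tcp, 8443/tcp\n')

if [ "${1:-}" = "--live" ]; then
  docker ps --format '{{.Names}}\t{{.Ports}}' | audit_port_bindings
else
  printf '%s\n' "$SAMPLE_PS" | audit_port_bindings
fi
```

On the sample, `public_host_ports` returns 5000 and 8080; 9000 and 11434 are already bound to single addresses and 8443 is exposed but not published, so ufw (for 11434 on the host address) and the bridge network (for 8443) decide their reachability.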
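Because of that bypass, the ufw rules the playbook installs govern the host's own listeners (sshd, anything bound directly on the host address) but not ports Docker publishes on all interfaces. The script below (an added example, not the playbook's logic) emits the iptables commands for the DOCKER-USER chain that mirror the playbook's two modes: traffic from 192.168.200.0/24 and any listed external ports are handed back to Docker's normal rules, everything else that entered on the external interface is dropped. The interface name `eth0` is an assumption; the CIDR is the one used throughout this guide. It matches with `--ctorigdstport` rather than `--dport` because by the time a packet reaches DOCKER-USER it has already been DNATed to the container port. Review the printed lines, then run with `--apply` on the host or feed them to `ansible docker -m shell -b`.

```bash
#!/usr/bin/env bash
# Generate (and optionally apply) DOCKER-USER chain rules that restrict Docker-published
# ports the way the playbook restricts host ports with ufw.
#   gen_docker_user_rules <ext-if> <internal-cidr> [external-ports...]
# prints one iptables command per line and executes nothing.
gen_docker_user_rules() {
  local ext_if=$1 internal=$2; shift 2
  local p
  # Start from a clean chain. Docker creates DOCKER-USER holding a single RETURN; flushing is
  # safe because a user-defined chain that falls off its end returns to FORWARD anyway.
  echo "iptables -F DOCKER-USER"
  # Replies to connections the containers opened themselves must keep flowing.
  echo "iptables -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  # Internal network: hand back to Docker's own rules, which accept the published ports.
  echo "iptables -A DOCKER-USER -s ${internal} -j RETURN"
  # Selective mode: each listed host port is reachable from anywhere. The packet is already
  # DNATed, so match the original destination port, not --dport.
  for p in "$@"; do
    echo "iptables -A DOCKER-USER -p tcp -m conntrack --ctorigdstport ${p} -j RETURN"
  done
  # Anything else that entered on the external interface is dropped before Docker sees it.
  # Container-originated traffic enters on docker0/br-*, not ${ext_if}, so it is unaffected.
  echo "iptables -A DOCKER-USER -i ${ext_if} -j DROP"
  echo "iptables -A DOCKER-USER -j RETURN"
}

# Execute each generated line; needs root on the docker host.
apply_docker_user_rules() {
  local cmd
  gen_docker_user_rules "$@" | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd
  done
}

if [ "${1:-}" = "--apply" ]; then
  shift
  apply_docker_user_rules "$@"          # e.g. --apply eth0 192.168.200.0/24 8080 9000
else
  # Dry run with the assumed interface and this guide's internal network, selective ports 8080 and 9000.
  gen_docker_user_rules eth0 192.168.200.0/24 8080 9000
fi
```

Two things the playbook's ufw rules do not need but these do: they are not persisted (a reboot or a Docker daemon restart recreates DOCKER-USER empty, so keep them in a script that runs after `docker.service`, or in `iptables-persistent`), and they only cover IPv4; if IPv6 is routed to the server, repeat them with `ip6tables` for the `:::PORT` bindings.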
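For the monitoring step, `grep UFW /var/log/syslog` returns raw kernel lines. The function below (an added example, not from this guide's playbook) reduces them to a count per source address, destination port and protocol so an external scan or a misconfigured internal client stands out, and `external_blocks` keeps only sources outside the internal prefix. The lines in `SAMPLE_LOG` are constructed in the `[UFW BLOCK]` format ufw writes through the kernel log; on the server, feed it real data with `ufw_block_summary < /var/log/syslog`.

```bash
#!/usr/bin/env bash
# Summarise ufw block events as "<count> <src> <dpt> <proto>", busiest first.
# Reads syslog or journalctl -k lines on stdin; lines without "[UFW BLOCK]" are ignored.
ufw_block_summary() {
  awk '
    /\[UFW BLOCK\]/ {
      src = ""; dpt = ""; proto = ""
      for (i = 1; i <= NF; i++) {                # netfilter logs KEY=VALUE fields
        if ($i ~ /^SRC=/)        { src   = substr($i, 5) }
        else if ($i ~ /^DPT=/)   { dpt   = substr($i, 5) }
        else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
      }
      if (src != "") count[src " " dpt " " proto]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2
}

# Blocked events whose source is outside the internal network (probing rather than internal misconfig).
external_blocks() {
  local internal_prefix=$1                       # e.g. "192.168.200."
  ufw_block_summary | awk -v p="$internal_prefix" 'index($2, p) != 1'
}

# Constructed sample (assumed addresses, not real traffic): two probes of 9000 from outside,
# one internal client hitting 8080, and an unrelated sshd line that must be ignored.
SAMPLE_LOG='Feb  9 10:12:01 docker kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51514 DPT=9000 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  9 10:12:03 docker kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51515 DPT=9000 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  9 10:12:09 docker kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.200.40 DST=192.168.200.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=40022 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  9 10:12:10 docker sshd[2210]: Accepted publickey for dlxadmin from 192.168.200.71 port 50122 ssh2'

printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
```

An internal source showing up repeatedly against one Docker port usually means a client (or the NPM proxy) was pointed at the server directly and now needs a ufw exception from Step 4; an external source hitting several ports in sequence is a scan and needs nothing beyond the existing rules.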