# Docker Server Security - Saved Configuration

- **Date:** 2026-02-09
- **Server:** docker (192.168.200.200)
- **Status:** Security updates applied ✅, Firewall configuration ready for execution
## What Was Completed

### ✅ Security Updates Applied (2026-02-09)
- Packages upgraded: 107
- Critical updates: All applied
- Status: System up to date
Packages updated include:

- openssh-client, openssh-server (security)
- systemd, systemd-sysv (security)
- libssl3, openssl (critical security)
- python3, perl (security)
- linux-libc-dev (security)
- And 97 more packages
## Pending: Firewall Configuration

### Current State

- Firewall: ❌ Not configured (currently INACTIVE)
- Risk: All Docker services exposed to network
- Open Ports:
  - 22 (SSH)
  - 5000, 8000, 8001, 8080, 8081, 8082, 8443, 9000, 11434 (Docker services)
### Recommended Configuration Options

#### Option A: Internal Only (Most Secure - Recommended)

**Use Case:** Docker services only accessed from internal network

```bash
ansible-playbook playbooks/secure-docker-server-firewall.yml -e "firewall_mode=internal"
```
**Result:**
- ✅ SSH (22): Open to all
- ✅ Docker services: Only accessible from 192.168.200.0/24
- ✅ External web access: Through NPM proxy
- 🔒 Direct external access to Docker ports: Blocked
#### Option B: Selective External Access

**Use Case:** Specific Docker services need external access

```bash
# Example: Allow external access to ports 8080 and 9000
ansible-playbook playbooks/secure-docker-server-firewall.yml \
  -e "firewall_mode=selective" \
  -e "external_ports=8080,9000"
```
**Result:**
- ✅ SSH (22): Open to all
- ✅ Specified ports (8080, 9000): Open to all
- 🔒 Other Docker services: Only internal network
#### Option C: Custom Configuration

**Use Case:** You need full control

1. Test first:

   ```bash
   ansible-playbook playbooks/secure-docker-server-firewall.yml --check
   ```

2. Edit the playbook:

   ```bash
   nano playbooks/secure-docker-server-firewall.yml  # Modify docker_service_ports variable
   ```

3. Apply:

   ```bash
   ansible-playbook playbooks/secure-docker-server-firewall.yml
   ```
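The three modes differ only in which ports get an `allow from 192.168.200.0/24` rule and which get a plain `allow`. The following is an added example, not the project's playbook: a small planner that turns `firewall_mode`, `external_ports` and the `docker_service_ports` list into the ordered ufw commands the run should produce, so the rule set can be reviewed before Ansible applies it. The subnet, SSH port and Docker ports are the ones this guide lists; the function names and the plan-then-apply workflow are this example's own.

```python
"""Plan the ufw rule set for a firewall_mode before handing it to Ansible.

Added example, not the project's playbook. The subnet, SSH port and Docker
service ports are the ones listed in this guide; the function names and the
"plan first, apply later" workflow are this example's own.
"""
from __future__ import annotations

INTERNAL_NET = "192.168.200.0/24"   # internal network from the guide
SSH_PORT = 22                       # stays open to all in every mode
# docker_service_ports as identified on the server (see the table in the guide)
DOCKER_SERVICE_PORTS = [5000, 8000, 8001, 8080, 8081, 8082, 8443, 9000, 11434]


def parse_external_ports(value: str) -> list[int]:
    """Parse the comma-separated form used with -e "external_ports=8080,9000"."""
    return [int(p) for p in value.split(",") if p.strip()]


def plan_ufw_rules(mode: str, external_ports=(), docker_ports=DOCKER_SERVICE_PORTS) -> list[str]:
    """Return the ordered ufw commands that implement `mode`.

    internal  : every Docker port reachable only from INTERNAL_NET (Option A).
    selective : ports in external_ports open to all, the rest internal only (Option B).
    Option C is the same planner with a caller-edited docker_ports list.
    """
    if mode not in ("internal", "selective"):
        raise ValueError(f"unknown firewall_mode: {mode!r}")
    external = {int(p) for p in external_ports}
    if mode == "internal" and external:
        raise ValueError("external_ports is only meaningful with firewall_mode=selective")
    unknown = external - set(docker_ports)
    if unknown:
        # Refuse to open a port the guide never identified as a Docker service.
        raise ValueError(f"external_ports not in docker_service_ports: {sorted(unknown)}")

    rules = [
        "ufw default deny incoming",
        "ufw default allow outgoing",
        f"ufw allow {SSH_PORT}/tcp",   # staged before 'enable' so SSH is never cut off
    ]
    for port in docker_ports:
        if port in external:
            rules.append(f"ufw allow {port}/tcp")
        else:
            rules.append(f"ufw allow from {INTERNAL_NET} to any port {port} proto tcp")
    rules.append("ufw --force enable")   # last: every allow rule above is already in place
    return rules


if __name__ == "__main__":
    for cmd in plan_ufw_rules("selective", parse_external_ports("8080,9000")):
        print(cmd)
```

The planner refuses an `external_ports` value that is not in the Docker port list (so a typo such as `22` or `80` cannot silently open an unplanned port) and only enables the firewall after the SSH rule is staged, which is the ordering the rollback section of this guide also relies on. One caveat that applies to every mode: ufw's rules filter traffic terminating on the host, while ports published by Docker with `-p` are forwarded to containers through Docker's own iptables chains, which are consulted before ufw's. After applying any mode, confirm from a host outside 192.168.200.0/24 that the Docker ports really are unreachable; if they are not, bind the published ports to the internal address (e.g. `-p 192.168.200.200:8080:8080`) or add matching rules in Docker's DOCKER-USER chain.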
### Docker Services Identification

These ports were found running on the docker server:

| Port | Service | Typical Use | Recommendation |
|---|---|---|---|
| 5000 | Docker Registry? | Container registry | Internal only |
| 8000 | Unknown | Web service | Internal only |
| 8001 | Unknown | Web service | Internal only |
| 8080 | Common web | Jenkins/Tomcat/Generic | Via NPM proxy |
| 8081 | Unknown | Web service | Internal only |
| 8082 | Unknown | Web service | Internal only |
| 8443 | HTTPS service | Web service (SSL) | Via NPM proxy |
| 9000 | Portainer/SonarQube | Container mgmt | Internal only |
| 11434 | Ollama? | AI service | Internal only |
**Recommendation:** Use NPM (nginx) at 192.168.200.71 to proxy external web traffic to internal Docker services.
## Pre-Execution Checklist

Before running the firewall configuration:

1. **Identify required external access**
   - Which services need to be accessed from outside?
   - Can they be proxied through NPM instead?

2. **Verify NPM proxy setup**
   - Is NPM configured to proxy to Docker services?
   - Test internal access first

3. **Have backup access**
   - Ensure you have console access if SSH locks you out
   - Or run from the server locally

4. **Test in check mode first**

   ```bash
   ansible-playbook playbooks/secure-docker-server-firewall.yml --check
   ```

5. **Monitor impact**
   - Check Docker containers still work
   - Verify internal network access
   - Test external access if configured
## Execution Instructions

### Step 1: Decide on firewall mode

**Ask yourself:**
- Do any Docker services need direct external access? (Usually NO)
- Are you using NPM proxy for web services? (Recommended YES)
- Is everything accessed from internal network only? (Ideal YES)
### Step 2: Run the appropriate command

**Most Common (Internal only + NPM proxy):**

```bash
ansible-playbook playbooks/secure-docker-server-firewall.yml
```

**If you need external access to specific ports:**

```bash
ansible-playbook playbooks/secure-docker-server-firewall.yml \
  -e "firewall_mode=selective" \
  -e "external_ports=8080,9000"
```
### Step 3: Verify everything works

```bash
# Check firewall status
ansible docker -m shell -a "ufw status verbose" -b

# Check Docker containers still running
ansible docker -m shell -a "docker ps" -b

# Test SSH access
ssh dlxadmin@192.168.200.200

# Test internal network access (from another internal server)
curl http://192.168.200.200:8080

# Test services work through NPM proxy (if configured)
curl http://your-service.directlx.dev
```
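Reading `ufw status` by eye is error-prone once there are a dozen rules, so here is an added example (not part of this guide or the playbook) that audits the output of `ufw status numbered` against the intended mode: it flags an inactive firewall, a missing SSH rule, any port open to Anywhere that the mode should keep internal, and any Docker port with no allow rule at all (which would break internal clients). The `SAMPLE_STATUS` listing is constructed for the example and deliberately contains one rule that is too open (9000) and one port with no rule (11434); the function names are this example's own.

```python
"""Audit `ufw status numbered` output against the intended firewall mode.

Added example, not part of the guide or the playbook. SAMPLE_STATUS is a
constructed ufw listing with one deliberate mistake (9000 open to Anywhere)
and one missing rule (11434) so the checks have something to report.
"""
import re

INTERNAL_NET = "192.168.200.0/24"   # internal network from the guide
SSH_PORT = 22
DOCKER_SERVICE_PORTS = [5000, 8000, 8001, 8080, 8081, 8082, 8443, 9000, 11434]

# One numbered rule line, e.g. "[ 2] 8080/tcp   ALLOW IN    192.168.200.0/24"
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>\S+(?: \(v6\))?)\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<dir>IN|OUT))?\s+(?P<src>.+?)\s*$"
)

# Constructed sample output, not captured from the real server.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 5000/tcp                   ALLOW IN    192.168.200.0/24
[ 3] 8000/tcp                   ALLOW IN    192.168.200.0/24
[ 4] 8001/tcp                   ALLOW IN    192.168.200.0/24
[ 5] 8080/tcp                   ALLOW IN    192.168.200.0/24
[ 6] 8081/tcp                   ALLOW IN    192.168.200.0/24
[ 7] 8082/tcp                   ALLOW IN    192.168.200.0/24
[ 8] 8443/tcp                   ALLOW IN    192.168.200.0/24
[ 9] 9000/tcp                   ALLOW IN    Anywhere
[10] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""


def parse_ufw_status(text):
    """Return (active, rules); rules are dicts for IPv4 rules with a numeric port."""
    active = False
    rules = []
    for line in text.splitlines():
        if line.startswith("Status:"):
            active = line.split(":", 1)[1].strip() == "active"
            continue
        m = RULE_RE.match(line)
        if not m or "(v6)" in m["to"] or "(v6)" in m["src"]:
            continue                      # header lines and IPv6 twins are skipped
        port = re.match(r"\d+", m["to"])
        if not port:
            continue                      # e.g. "Anywhere" in the To column
        rules.append({"num": int(m["num"]), "port": int(port.group()),
                      "action": m["action"], "src": m["src"]})
    return active, rules


def audit_ufw(text, expected_external=(), docker_ports=DOCKER_SERVICE_PORTS):
    """List deviations from 'SSH + expected_external open to all, rest internal only'."""
    active, rules = parse_ufw_status(text)
    findings = []
    if not active:
        findings.append("firewall inactive: every Docker port is exposed")
    open_to_all = {r["port"] for r in rules if r["action"] == "ALLOW" and r["src"] == "Anywhere"}
    internal = {r["port"] for r in rules if r["action"] == "ALLOW" and r["src"] == INTERNAL_NET}
    permitted = {SSH_PORT, *expected_external}
    if SSH_PORT not in open_to_all:
        findings.append("no ALLOW rule for 22/tcp: SSH lockout risk once enabled")
    for port in sorted(open_to_all - permitted):
        findings.append(f"port {port} open to Anywhere but should be internal only")
    for port in docker_ports:
        if port not in open_to_all and port not in internal:
            findings.append(f"port {port} has no allow rule: internal clients will be blocked")
    return findings


if __name__ == "__main__":
    for finding in audit_ufw(SAMPLE_STATUS):
        print("FINDING:", finding)
```

Feed it the real listing with `ansible docker -m shell -a "ufw status numbered" -b` and pass the ports you opened in selective mode as `expected_external`. The audit only sees ufw's own view: ports published by Docker are forwarded through Docker's iptables chains rather than accepted by the host, so a clean audit here still needs the external `curl` check from a host outside 192.168.200.0/24 to confirm the Docker ports are actually unreachable.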
### Step 4: Make adjustments if needed

```bash
# View current rules
ansible docker -m shell -a "ufw status numbered" -b

# Delete a rule
ansible docker -m shell -a "ufw delete <NUMBER>" -b

# Add a new rule
ansible docker -m shell -a "ufw allow from 192.168.200.0/24 to any port 8000" -b
```
## Rollback Plan

If something goes wrong:

```bash
# Disable firewall temporarily
ansible docker -m ufw -a "state=disabled" -b

# Reset firewall completely
ansible docker -m ufw -a "state=reset" -b

# Re-enable with just SSH
ansible docker -m ufw -a "rule=allow port=22 proto=tcp" -b
ansible docker -m ufw -a "state=enabled" -b
```
## Monitoring After Configuration

```bash
# Check blocked connections
ansible docker -m shell -a "grep UFW /var/log/syslog | tail -20" -b

# Monitor active connections
ansible docker -m shell -a "ss -tnp" -b

# View firewall logs
ansible docker -m shell -a "journalctl -u ufw --since '10 minutes ago'" -b
```
## Next Steps
- Review this document carefully
- Identify which Docker services need external access (if any)
- Choose firewall mode (internal recommended)
- Test in check mode first
- Execute the playbook
- Verify services still work
- Document any port exceptions you added
## Files

- Playbook: `playbooks/secure-docker-server-firewall.yml`
- This guide: `docs/DOCKER-SERVER-SECURITY.md`
- Security audit: `docs/SECURITY-AUDIT-SUMMARY.md`

- **Status:** Ready for execution when you decide
- **Priority:** High (server currently has no firewall)
- **Risk:** Medium (breaking services if not configured correctly)
- **Recommendation:** Execute during maintenance window with console access available