237 lines
6.3 KiB
Markdown
237 lines
6.3 KiB
Markdown
# Docker Server Security - Saved Configuration
|
|
|
|
**Date**: 2026-02-09
|
|
**Server**: docker (192.168.200.200)
|
|
**Status**: Security updates applied ✅, Firewall configuration ready for execution
|
|
|
|
## What Was Completed
|
|
|
|
### ✅ Security Updates Applied (2026-02-09)
|
|
|
|
- **Packages upgraded**: 107
|
|
- **Critical updates**: All applied
|
|
- **Status**: System up to date
|
|
|
|
```bash
|
|
# Packages updated include:
|
|
- openssh-client, openssh-server (security)
|
|
- systemd, systemd-sysv (security)
|
|
- libssl3, openssl (critical security)
|
|
- python3, perl (security)
|
|
- linux-libc-dev (security)
|
|
- And 97 more packages
|
|
```
|
|
|
|
## Pending: Firewall Configuration
|
|
|
|
### Current State
|
|
|
|
- **Firewall**: ❌ Not configured (currently INACTIVE)
|
|
- **Risk**: All Docker services exposed to network
|
|
- **Open Ports**:
|
|
- 22 (SSH)
|
|
- 5000, 8000, 8001, 8080, 8081, 8082, 8443, 9000, 11434 (Docker services)
|
|
|
|
### Recommended Configuration Options
|
|
|
|
#### Option A: Internal Only (Most Secure - Recommended)
|
|
|
|
**Use Case**: Docker services only accessed from internal network
|
|
|
|
```bash
|
|
ansible-playbook playbooks/secure-docker-server-firewall.yml -e "firewall_mode=internal"
|
|
```
|
|
|
|
**Result**:
|
|
- ✅ SSH (22): Open to all
|
|
- ✅ Docker services: Only accessible from 192.168.200.0/24
|
|
- ✅ External web access: Through NPM proxy
|
|
- 🔒 Direct external access to Docker ports: Blocked
|
|
|
|
#### Option B: Selective External Access
|
|
|
|
**Use Case**: Specific Docker services need external access
|
|
|
|
```bash
|
|
# Example: Allow external access to ports 8080 and 9000
|
|
ansible-playbook playbooks/secure-docker-server-firewall.yml \
|
|
-e "firewall_mode=selective" \
|
|
-e "external_ports=8080,9000"
|
|
```
|
|
|
|
**Result**:
|
|
- ✅ SSH (22): Open to all
|
|
- ✅ Specified ports (8080, 9000): Open to all
|
|
- 🔒 Other Docker services: Only internal network
|
|
|
|
#### Option C: Custom Configuration
|
|
|
|
**Use Case**: You need full control
|
|
|
|
1. Test first:
|
|
```bash
|
|
ansible-playbook playbooks/secure-docker-server-firewall.yml --check
|
|
```
|
|
|
|
2. Edit the playbook:
|
|
```bash
|
|
nano playbooks/secure-docker-server-firewall.yml
|
|
# Modify docker_service_ports variable
|
|
```
|
|
|
|
3. Apply:
|
|
```bash
|
|
ansible-playbook playbooks/secure-docker-server-firewall.yml
|
|
```
|
|
|
|
## Docker Services Identification
|
|
|
|
These ports were found running on the docker server:
|
|
|
|
| Port | Service | Typical Use | Recommend |
|
|
|------|---------|-------------|-----------|
|
|
| 5000 | Docker Registry? | Container registry | Internal only |
|
|
| 8000 | Unknown | Web service | Internal only |
|
|
| 8001 | Unknown | Web service | Internal only |
|
|
| 8080 | Common web | Jenkins/Tomcat/Generic | Via NPM proxy |
|
|
| 8081 | Unknown | Web service | Internal only |
|
|
| 8082 | Unknown | Web service | Internal only |
|
|
| 8443 | HTTPS service | Web service (SSL) | Via NPM proxy |
|
|
| 9000 | Portainer/SonarQube | Container mgmt | Internal only |
|
|
| 11434 | Ollama? | AI service | Internal only |
|
|
|
|
**Recommendation**: Use NPM (nginx) at 192.168.200.71 to proxy external web traffic to internal Docker services.
|
|
|
|
## Pre-Execution Checklist
|
|
|
|
Before running the firewall configuration:
|
|
|
|
- [ ] **Identify required external access**
|
|
- Which services need to be accessed from outside?
|
|
- Can they be proxied through NPM instead?
|
|
|
|
- [ ] **Verify NPM proxy setup**
|
|
- Is NPM configured to proxy to Docker services?
|
|
- Test internal access first
|
|
|
|
- [ ] **Have backup access**
|
|
- Ensure you have console access if SSH locks you out
|
|
- Or run from the server locally
|
|
|
|
- [ ] **Test in check mode first**
|
|
```bash
|
|
ansible-playbook playbooks/secure-docker-server-firewall.yml --check
|
|
```
|
|
|
|
- [ ] **Monitor impact**
|
|
- Check Docker containers still work
|
|
- Verify internal network access
|
|
- Test external access if configured
|
|
|
|
## Execution Instructions
|
|
|
|
### Step 1: Decide on firewall mode
|
|
|
|
Ask yourself:
|
|
1. Do any Docker services need direct external access? (Usually NO)
|
|
2. Are you using NPM proxy for web services? (Recommended YES)
|
|
3. Is everything accessed from internal network only? (Ideal YES)
|
|
|
|
### Step 2: Run the appropriate command
|
|
|
|
**Most Common** (Internal only + NPM proxy):
|
|
```bash
|
|
ansible-playbook playbooks/secure-docker-server-firewall.yml
|
|
```
|
|
|
|
**If you need external access to specific ports**:
|
|
```bash
|
|
ansible-playbook playbooks/secure-docker-server-firewall.yml \
|
|
-e "firewall_mode=selective" \
|
|
-e "external_ports=8080,9000"
|
|
```
|
|
|
|
### Step 3: Verify everything works
|
|
|
|
```bash
|
|
# Check firewall status
|
|
ansible docker -m shell -a "ufw status verbose" -b
|
|
|
|
# Check Docker containers still running
|
|
ansible docker -m shell -a "docker ps" -b
|
|
|
|
# Test SSH access
|
|
ssh dlxadmin@192.168.200.200
|
|
|
|
# Test internal network access (from another internal server)
|
|
curl http://192.168.200.200:8080
|
|
|
|
# Test services work through NPM proxy (if configured)
|
|
curl http://your-service.directlx.dev
|
|
```
|
|
|
|
### Step 4: Make adjustments if needed
|
|
|
|
```bash
|
|
# View current rules
|
|
ansible docker -m shell -a "ufw status numbered" -b
|
|
|
|
# Delete a rule
|
|
ansible docker -m shell -a "ufw delete <NUMBER>" -b
|
|
|
|
# Add a new rule
|
|
ansible docker -m shell -a "ufw allow from 192.168.200.0/24 to any port 8000" -b
|
|
```
|
|
|
|
## Rollback Plan
|
|
|
|
If something goes wrong:
|
|
|
|
```bash
|
|
# Disable firewall temporarily
|
|
ansible docker -m ufw -a "state=disabled" -b
|
|
|
|
# Reset firewall completely
|
|
ansible docker -m ufw -a "state=reset" -b
|
|
|
|
# Re-enable with just SSH
|
|
ansible docker -m ufw -a "rule=allow port=22 proto=tcp" -b
|
|
ansible docker -m ufw -a "state=enabled" -b
|
|
```
|
|
|
|
## Monitoring After Configuration
|
|
|
|
```bash
|
|
# Check blocked connections
|
|
ansible docker -m shell -a "grep UFW /var/log/syslog | tail -20" -b
|
|
|
|
# Monitor active connections
|
|
ansible docker -m shell -a "ss -tnp" -b
|
|
|
|
# View firewall logs
|
|
ansible docker -m shell -a "journalctl -u ufw --since '10 minutes ago'" -b
|
|
```
|
|
|
|
## Next Steps
|
|
|
|
1. **Review this document** carefully
|
|
2. **Identify which Docker services need external access** (if any)
|
|
3. **Choose firewall mode** (internal recommended)
|
|
4. **Test in check mode** first
|
|
5. **Execute the playbook**
|
|
6. **Verify services** still work
|
|
7. **Document any port exceptions** you added
|
|
|
|
## Files
|
|
|
|
- Playbook: `playbooks/secure-docker-server-firewall.yml`
|
|
- This guide: `docs/DOCKER-SERVER-SECURITY.md`
|
|
- Security audit: `docs/SECURITY-AUDIT-SUMMARY.md`
|
|
|
|
---
|
|
|
|
**Status**: Ready for execution when you decide
|
|
**Priority**: High (server currently has no firewall)
|
|
**Risk**: Medium (breaking services if not configured correctly)
|
|
**Recommendation**: Execute during maintenance window with console access available
|