SECURITY: Ports Exposed to the Internet: MySQL & PhpMyAdmin, bypasses UFW firewall #2099
Comments
You should not be using Laradock for production or where your internal machine is port forwarded.
Laradock is meant for production, otherwise it really beats the point, because we want to develop locally using the same/similar environment as if it were to be in production. Apparently the guide in http://laradock.io/ did have a section titled:
However, it's really not obvious at all, having to read the guide so many times. The guide to set up in Digital Ocean (https://laradock.io/guides/#Digital-Ocean) does not mention the issue either, exposing ports to the internet. Regardless, the solution I have offered is simple, and should help a lot of people.
Its main purpose is to be a dev environment. There's a lot of bloat software if you're using it in production... It says to remove the database ports and it links to an article about adding iptables: false to the config. Use a docker image that's the same OS and versions and it will be the same.
I actually have a few servers running Laradock; one of them is running in production, and so happens to have another layer of firewall installed (VMware/virtualization stuff). I really can't imagine/think of a production alternative to Laradock. Do you know of a better way? It should revolve around Docker though... Other than that, I really think we should suggest the following as the default:
It really solves a security flaw, making it work well for production, and doesn't seem to do any harm.
I tested and this workaround worked for apache2. Thanks!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hi again 👋 we would like to inform you that this issue has been automatically
The same goes for MariaDB.
Info:
$ docker --version
Docker version 18.09.5, build e8ff056
$ git rev-parse HEAD
27af2bc
Issue:
In a Linux production system that uses the UFW firewall, ports for PhpMyAdmin and MySQL are exposed to the internet, bypassing the UFW firewall.
It was realized that even with private-key SSH and a 64-character password for PhpMyAdmin (PMA) and MySQL, ransomware still managed to destroy our data.
After checking https://www.yougetsignal.com/tools/open-ports/, ports for PMA and MySQL are open.
Turns out the combination of Docker and UFW introduces a security flaw.
Explanation of the flaw: https://medium.com/@bitaps.com/ubuntu-ufw-and-docker-security-e840f772e2b4
The fix is adding the following in /etc/docker/daemon.json (sudo nano /etc/docker/daemon.json):
Then UFW can take control.
EDIT: "iptables": false causes containers to lose internet connection.
or:
Prefixing 127.0.0.1 on the said ports (any ports that should not be exposed). Ref: https://stackoverflow.com/a/22100687/3553367
use:
instead of:
Prefixing 127.0.0.1 should be introduced in the default ENV, as it should work with all platforms (only tested on Ubuntu 18.04). The original ENV opens up a security issue for all Laradock users, especially those with less experience like me, until a problem occurs.
Adding { "iptables": false } into daemon.json should be mentioned in the guide, or referenced to some link when setting up Laradock. EDIT: "iptables": false causes containers to lose internet connection.
Expected behavior:
PMA and MySQL ports should be closed.
Reproduce:
Set up a production Laradock, and your MySQL and PMA ports will be open in:
https://www.yougetsignal.com/tools/open-ports/
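As an added check (not from the issue thread or from Laradock itself), the script below flags compose `ports:` entries that publish on all interfaces, which is exactly the binding Docker's own iptables rules open regardless of UFW, and shows the 127.0.0.1-prefixed form from the post not being flagged; the compose fragment, `.env` values and function names are constructed for this example.

```python
import re
from ipaddress import ip_address
# Docker short-syntax publications: "3306:3306", "127.0.0.1:3306:3306",
# "[::1]:3306:3306", "127.0.0.1::3306" (random host port), "8080:80/udp".
PORT_SPEC = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|\d+\.\d+\.\d+\.\d+):)?"  # optional bind address
    r"(?:(?P<host>\d*):)?"                             # optional host port
    r"(?P<container>\d+)(?:/(?P<proto>tcp|udp))?$"
)

def is_publicly_bound(spec: str) -> bool:
    """True when the published port binds every interface (0.0.0.0 / ::),
    which Docker opens through its own iptables chain regardless of UFW."""
    m = PORT_SPEC.match(spec.strip().strip("'\""))
    if not m:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    if m.group("ip") is None and m.group("host") is None:
        return False  # bare container port: reachable on the compose network only
    if m.group("ip") is None:
        return True   # no bind address defaults to all interfaces
    addr = ip_address(m.group("ip").strip("[]"))
    return addr.is_unspecified  # 127.0.0.1, ::1 or a specific LAN IP are not flagged

def public_ports_in_compose(compose_text: str, env: dict) -> list:
    """Return block-style 'ports:' entries, with ${VAR} expanded from env,
    that would be reachable from outside the host."""
    found, in_ports = [], False
    for line in compose_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("ports:"):
            in_ports = True
        elif in_ports and stripped.startswith("- "):
            raw = stripped[2:].strip().strip("'\"")
            spec = re.sub(r"\$\{(\w+)\}", lambda mm: env.get(mm.group(1), ""), raw)
            if is_publicly_bound(spec):
                found.append(spec)
        elif stripped:
            in_ports = False  # any other key ends the ports block
    return found

# Constructed sample in the Laradock layout the issue describes (not the real file): mysql keeps the original ENV form, phpmyadmin uses the 127.0.0.1-prefixed fix.
SAMPLE_COMPOSE = """services:
  mysql:
    ports:
      - "${MYSQL_PORT}:3306"
  phpmyadmin:
    ports:
      - "127.0.0.1:${PMA_PORT}:80"
"""
SAMPLE_ENV = {"MYSQL_PORT": "3306", "PMA_PORT": "8080"}
```

Running `public_ports_in_compose(SAMPLE_COMPOSE, SAMPLE_ENV)` returns only the MySQL mapping; the same check can be pointed at a real compose file and `.env` before `docker-compose up` on an internet-facing host.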