1 Problem description

The official Docker documentation says this about port 2375:

If you need to access the Docker daemon remotely, you need to enable the tcp Socket.
Beware that the default setup provides un-encrypted and un-authenticated direct access to the Docker daemon - and should be secured either using the built in HTTPS encrypted socket, or by putting a secure web proxy in front of it.
You can listen on port 2375 on all network interfaces with -H tcp://0.0.0.0:2375, or on a particular network interface using its IP address: -H tcp://192.168.59.103:2375.
It is conventional to use port 2375 for un-encrypted, and port 2376 for encrypted communication with the daemon.

If dockerd is started with -H tcp://0.0.0.0:2375 among its arguments, the remote management port 2375 is opened on every network interface, with no encryption and no authentication.

An attacker can connect to dockerd's port 2375 remotely with an ordinary docker client, start containers, and escalate to further privileges from there.

2 Attack method

An attacker only has to add the -H flag to a local docker command to connect to a dockerd with port 2375 open; by mounting volumes they can then read and write the host's file system.

docker -H tcp://172.30.10.155:2375 run --rm -it --entrypoint bash -v /root:/tmp/root -v /etc/ssh:/tmp/ssh_etc -v /var/log:/tmp/log ubuntu

As shown above, the attacker can mount the host's /etc/ssh and alter the SSH configuration to gain SSH access (the same command also mounts /root, so dropping a key into /root/.ssh/authorized_keys works as well). The attacker can likewise mount and edit the cron configuration files to execute code on the server. Note that dockerd runs as root and the container's default user is root, so every bind-mounted host path is read and written with root privileges; no --privileged flag is needed for this.

3 Defence

The most thorough defence is to stop dockerd from listening on port 2375 at all. If remote access is genuinely needed, the documentation quoted above points to the TLS-protected socket on 2376 instead; an unauthenticated TCP socket should never be reachable from an untrusted network. For my setup (docker 1.13.1), the fix was:

1) Edit /etc/default/docker and remove -H tcp://0.0.0.0:2375 from the daemon options.

2) Remove the monit check for docker's port 2375; a TCP port check against the now-closed port would otherwise keep failing.

rm /etc/monit/conf.d/docker 
service monit restart

3) Restart docker

service docker restart
ps -ef | grep dockerd  # confirm the 2375 parameter is gone from the dockerd command line
docker ps

Or, on systems where docker is started via systemctl. Note that systemd does not read /etc/default/docker unless the unit explicitly loads it; there the -H flag lives in the unit's ExecStart line or in a drop-in under /etc/systemd/system/docker.service.d/, and a daemon-reload is required after editing it:

systemctl daemon-reload
systemctl restart docker
docker ps
ps -ef | grep dockerd  # confirm the 2375 parameter is gone from the dockerd command line
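Both the remote check an attacker (or a pentester auditing their own estate) performs in section 2 and the post-fix verification in section 3 come down to one question: does dockerd offer a plain TCP socket? The following shell script is an added example written for this page; it is not part of the original post and not Docker's own tooling. It classifies dockerd's -H arguments (a tcp:// listener counts as safe only when --tlsverify is also present), checks the socket table for :2375 in case the listener comes from daemon.json rather than the command line, and can probe a remote host through the Engine API's /version endpoint. The command lines in the demo and the JSON sample are constructed, not captured from a real host, and the file name docker_2375_audit.sh is only a suggestion.

```shell
#!/bin/sh
# Added example for this page (not from the original post or from Docker):
# find out whether dockerd offers an unauthenticated TCP socket, locally or remotely.
#   sh docker_2375_audit.sh              demo on constructed command lines
#   sh docker_2375_audit.sh --live       audit the dockerd running on this host
#   sh docker_2375_audit.sh --probe H    GET http://H:2375/version, as an attacker would

# Classify one -H value. $2 is "tls" when dockerd also runs with --tlsverify.
# Prints local (unix:// or fd://), tcp-tls, tcp-plain (the port 2375 problem) or unknown.
classify_listener() {
  case "$1" in
    unix://*|fd://*) echo local ;;
    tcp://*) if [ "${2:-notls}" = tls ]; then echo tcp-tls; else echo tcp-plain; fi ;;
    *) echo unknown ;;
  esac
}

# Print every plain-TCP listener in a dockerd command line, one per line.
# Accepts -H VALUE, -H=VALUE, --host VALUE and --host=VALUE. No output means no
# unauthenticated TCP socket is configured on the command line.
audit_dockerd_cmdline() {
  tls=notls
  case " $1 " in *" --tlsverify "*|*" --tlsverify=true "*) tls=tls ;; esac
  set -- $1          # split the command line into words (dockerd args carry no quoting)
  while [ $# -gt 0 ]; do
    spec=
    case "$1" in
      -H|--host)     shift; spec=${1:-} ;;
      -H=*|--host=*) spec=${1#*=} ;;
    esac
    if [ -n "$spec" ] && [ "$(classify_listener "$spec" "$tls")" = tcp-plain ]; then
      echo "$spec"
    fi
    [ $# -gt 0 ] && shift
  done
  return 0
}

# Pull "Version" out of an Engine API /version reply (Go's JSON encoder emits no
# spaces, but whitespace around the colon is tolerated anyway).
version_from_json() {
  printf '%s' "$1" | sed -n 's/.*"Version" *: *"\([^"]*\)".*/\1/p'
}

# Remote check: GET /version on the plain-HTTP port. Any answer means the daemon
# accepts unauthenticated commands, i.e. the docker -H ... run from section 2 would work.
probe_docker_api() {
  host=$1; port=${2:-2375}
  if body=$(curl -sf --max-time 3 "http://$host:$port/version"); then
    echo "EXPOSED $host:$port (docker $(version_from_json "$body"))"
  else
    echo "closed $host:$port"
  fi
}

# Local check after the fix: inspect the running dockerd's arguments and the socket
# table. The socket table matters because a listener can also come from "hosts" in
# /etc/docker/daemon.json, which never shows up on the command line.
audit_running_dockerd() {
  cmdline=$(ps -eo args | grep '^[^ ]*dockerd' | head -n 1)
  if [ -z "$cmdline" ]; then echo "dockerd not running"; return 0; fi
  plain=$(audit_dockerd_cmdline "$cmdline")
  if [ -n "$plain" ]; then
    echo "INSECURE: dockerd still has plain TCP listener(s): $plain"
  else
    echo "ok: no plain TCP listener in dockerd arguments"
  fi
  if ss -lnt 2>/dev/null | grep -q ':2375 '; then
    echo "INSECURE: something still listens on :2375"
  fi
  return 0
}

# Constructed command lines (not captured from any real host) for the demo.
VULNERABLE='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375'
FIXED='/usr/bin/dockerd -H fd://'
TLS_ONLY='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem'

case "${1:-}" in
  --live)  audit_running_dockerd ;;
  --probe) probe_docker_api "$2" "${3:-2375}" ;;
  *)
    echo "vulnerable: [$(audit_dockerd_cmdline "$VULNERABLE")]"   # [tcp://0.0.0.0:2375]
    echo "fixed:      [$(audit_dockerd_cmdline "$FIXED")]"        # []
    echo "tls only:   [$(audit_dockerd_cmdline "$TLS_ONLY")]"     # []
    ;;
esac
```

Run it with --live right after step 3 of the fix; the expected result is the single "ok" line and no INSECURE line. The script treats only --tlsverify as a fix, deliberately: --tls alone encrypts the connection but still lets any client issue commands, so it does not close the hole described in section 2.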