SSH port exposed
ID | ssh_port_exposed
Severity | critical
Family | Container Security
Tags | dockerfile, flaw, reachable
Description
Running a well-configured SSH server is not easy. SSH adds attack surface and a security risk of its own, because its keys need to be properly managed.
A Docker container should not be a full-fledged virtual machine. It should run a single service or application inside a small, isolated box and expose as few services as possible.
Security
By exposing TCP port 22 (the port typically used by an SSH server), you may allow a bad actor to brute-force their way into the system and potentially gain access to the entire network.
If you do need an SSH server in your container for whatever reason, restrict SSH access to known static IP addresses, and limit the access list to known hosts, services or specific users only.
Examples
FROM ubuntu:latest
# ...
RUN apt-get update && apt-get install -y openssh-server sudo
# The user and group that own authorized_keys must exist before the chown below
RUN groupadd sshgroup && useradd -m -g sshgroup sshuser
RUN mkdir -p /home/sshuser/.ssh
COPY idkey.pub /home/sshuser/.ssh/authorized_keys
RUN chown sshuser:sshgroup /home/sshuser/.ssh/authorized_keys && \
    chmod 600 /home/sshuser/.ssh/authorized_keys
RUN service ssh start
# (1) Expose docker port 22
EXPOSE 22
CMD ["/usr/sbin/sshd","-D"]
# ...
(1) | SSH daemon port 22 exposed
Mitigation / Fix
With most images, Docker's built-in remote shell API, based on docker exec, lets you run single commands inside the container without any SSH server. It can even open an interactive shell, if one is available in the image (options such as -u must come before the container name):
# Run a command
docker exec -it -u <user> <container_name_or_id> COMMAND...
# Or open an interactive shell
docker exec -it -u <user> <container_name_or_id> /bin/bash