Skip to content
This repository has been archived by the owner on Dec 15, 2022. It is now read-only.

Security issues with this build. #2

Open
animeai opened this issue Jul 5, 2022 · 0 comments
Open

Security issues with this build. #2

animeai opened this issue Jul 5, 2022 · 0 comments

Comments

@animeai
Copy link

animeai commented Jul 5, 2022

The main reason one would use docker on a server is segregation! This means a flaw in mariadb only affects mariadb, not the whole system. Docker images with multiple services running is less than ideal because of this. While it is useful for a quick and dirty "does this work", it should never be used in a production environment. What would be great is seeing something built that segregates all services to their own containers.

There is also no way to disable insecure applications such as ftp - yes, you can not map the port, but the service is still running.

There is also the issue that host networking and the big ports like 80 and 443 are used, this could be circumvented by use of an edge router such as traefik, or use of nginx proxy manager. Both of these options would allow for easy mapping of domains to other docker services. Want to install plex too? Just throw in a docker-compose with labels to add it to traefik, or set it up with nginx proxy manager! Right now you can't run HestiaCP on a server with only a single IP address and use a useful application such as traefik to route to other containers - this project could improve on that.

The biggest security flaw right now is MARIADB_ROOT_HOST: "%" alongside a mapped port. This means that anybody who knows your server IP can bruteforce your mysql root pass with no issues! Ports that are not needed externally should NEVER be mapped!

I would highly recommend:

  • Install script to write a custom docker-compose.yml file
  • Options within the install script to include or exclude software (A la original install.sh)
  • Separate docker images for each service (use of the official docker images would be beneficial here like you did with MariaDB)
  • Integration of either traefik (complex) or nginx proxy manager (easier) for domains
  • Map my.cnf to allow tuning of MariaDB

While this will be a little bit of work, I think it would make the project much more adoptable in a production environment.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant