1

Whenever I want to forward ports in a Docker container, I used a simple -p 8080:8080 command.

Now, I read in a couple of places (here and here), that this is possibly insecure, and that I should include the localhost loopback, like this: -p 127.0.0.1:8080:8080.

Could someone shed more light on this? When should this be done and what is the actual security impact?

scott_m
  • 151
  • 2
  • 11

1 Answers1

2

When you don't specify an ip address when publishing ports, the published ports are available on all interfaces. That is, if you run docker run -p 8080:8080 ..., then other systems on your network can access the service on port 8080 on your machine (and if your machine has a publicly routable address, then systems elsewhere in the world can access the service as well). (Of course, you may have host- or network- level firewall rules that prevent this access in any case.)

When you specify an ip address in the port publishing specification, like 127.0.0.1:8080:8080, then the listening ports are bound explicitly to that interface.

If your listening ports are bound only to the loopback interface, 127.0.0.1, then only clients on your local machine will be able to connect -- from the perspective of devices elsewhere on the network, those ports aren't available.

Which configuration makes sense depends (a) on what you want to do (maybe you want to expose a service that will be accessible to systems other than your local machine), (b) what your local network looks like, and (c) your level of risk aversion.

larsks
  • 277,717
  • 41
  • 399
  • 399
  • Got it. My motivation for this issue came from the fact that I got hacked by a cryptominer argon2, multiple times, despite recreating the VM from scratch. I managed to honeypot it and determine that it got in via a docker container running `socat`, which included port forwarding of the unix docker socket. The issue disappeared when I included `localhost` in the port mapping. – scott_m Sep 11 '22 at 15:29