Does this threaten SN working on the docker?

While the article doesn’t list the specific misconfiguration that is making installs vulnerable, they do mention that 6000 docker installs were found to be vulnerable. Considering the widespread use of docker it’s safe to assume the default setup is not vulnerable based on those numbers. Can’t really say more than that without more details on the vulnerability.

1 Like

Yeah, most likely docker hosted on a VPS and having their API exposed online.
I don’t see how a botnet would get in through the storagenode… but that may just be a failure of imagination on my part :smiley:

You can actually run the storagenode as a user (and not as root), lowering risks. Additionally the container doesn’t have access to the docker socket itself (watchtower does though…) lowering risks even more.
But if there is a vulnerability around these mechanisms, then it’s bad.
The question is: 6000 installations from how many? Did they test 1M, 2M, 10k? And what configuration? Such general statements are not very helpful… how do I know if I’m ok? Just spreading panic without offering a solution or naming the cause is just that: spreading panic for no reason.
Something like: 6000 Aliens were found among the population. Where’s the proof? What do I do about it?

2 Likes

Well this article was clearly not intended to inform people on how to protect against it. The threat gets the clicks, the solution doesn’t I guess. I’m sure there is more info out there somewhere, but I’m supposed to be working right now, so I don’t really have time to look for it. So I took the shortcut of going by the number and assuming I’m probably fine. (Famous last words)

1 Like

This is old news. The risk of misconfigured docker installs has always been a scary thing, especially because docker images are so widely available, and the fact that it’s so easy to take over a machine that is using a CUDA GPU that could be used for mining without you knowing. The best thing to do is never run a docker as a root user so it can never take over the entire machine.

In Synology:

sudo docker run -d --restart unless-stopped --stop-timeout 300 -p.....

does it run as root?

Technically yes, but it’s not directly running as the root user like, say, you run su root and then run docker with full root access. But it’s better to run docker as a docker user in its own group with no real access.

Synology cannot do without - sudo

Was trying to find something for synology nas, I was able to find this https://community.synology.com/enu/forum/17/post/112307

But on that note I don’t think you really have anything to worry about unless you changed docker’s config to access unauthorized docker images. Also, you don’t have your synology open fully with full access to the internet? Like, for example, opening port 22 to the internet.

SN has an open port to the internet …

Just do not open a docker daemon port to the internet and you should be safe.
For Windows users - do not disable a firewall if you do not have another.
This section: https://documentation.storj.io/before-you-begin/important-security-consideration in our documentation here is for a reason.
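A way to check the advice above about not opening a docker daemon port to the internet, as an added example that is not from any poster in this thread or from the Storj documentation. It assumes a Linux host with iproute2's `ss`; the listener lines are constructed sample data (including the storagenode port shown), and 2375/2376 are Docker's conventional plain-TCP and TLS API ports.

```shell
#!/bin/sh
# Added example: flag Docker daemon API sockets reachable from other hosts.
# Input is `ss -H -ltnp` output (run as root so process names are shown).

find_exposed_docker_api() {
  awk '
    $1 == "LISTEN" {
      addr = $4                                   # local address:port
      port = addr; sub(/.*:/, "", port)           # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)       # text before the last colon
      loopback = (host ~ /^127\./ || host == "[::1]")
      # Socket owned by dockerd itself, or bound to a conventional API port.
      api = (($0 ~ /"dockerd"/) || port == "2375" || port == "2376")
      if (api && !loopback) print addr
    }'
}

# Constructed sample: two dockerd sockets open to all interfaces, one bound
# to loopback only, a published storagenode port (docker-proxy) and sshd.
sample_listeners() {
  cat <<'EOF'
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(("dockerd",pid=812,fd=7))
LISTEN 0 4096 127.0.0.1:2376 0.0.0.0:* users:(("dockerd",pid=812,fd=8))
LISTEN 0 4096 [::]:4243 [::]:* users:(("dockerd",pid=812,fd=9))
LISTEN 0 4096 *:28967 *:* users:(("docker-proxy",pid=1033,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=640,fd=3))
EOF
}

# On a real host: ss -H -ltnp | find_exposed_docker_api
exposed=$(sample_listeners | find_exposed_docker_api)
if [ -n "$exposed" ]; then
  printf 'Docker API listening beyond loopback:\n%s\n' "$exposed"
else
  echo 'No Docker API listener beyond loopback'
fi
```

The published storagenode port is not reported, because it is served by `docker-proxy` and forwards to the container rather than to the daemon API.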