Docker performs some syscall filtering as well which may reduce the kernel attack surface. It can be pain to set up services this way, but it could help prevent an attacker from moving laterally in the system.
Comment on Suggestions for Improving Linux Server Security: Beyond User Permissions and Groups?
epyon22@programming.dev 3 weeks ago
I would reconsider docker because if a specific application leaks some sort of shell access or system file access you’ll be protected out side of container host escalation.
Unrelated to security, I prefer docker because it leaves the server very clean if you remove different apps. Can also save time configuring more complex applications or applications that conflict with system libraries.
Add fail2ban on your list of applications it watches logs for invalid logins and puts them on firewall block rules after so many failed attempts.
henfredemars@infosec.pub 3 weeks ago
matcha_addict@lemy.lol 3 weeks ago
I really wish there was a system wide package manager for docker containers, which would update software in all your containers at once similar to how a typical package manager would.
I did not completely rule out docker, but I wonder if I can obtain most of its benefits without this major con with package management. I mean I know it’s possible, since its mostly kernel features, but it would be difficult to simulate and the tooling is probably lacking (maybe nsjail can get me closer).
monkeyman512@lemmy.world 3 weeks ago
github.com/containrrr/watchtower
wildbus8979@sh.itjust.works 3 weeks ago
You can have a look at systemd-nspawn and machinectl actually. Sounds like exactly what you’re looking for :)
matcha_addict@lemy.lol 3 weeks ago
I am really interested in systemd-nspawn. Unfortunately I have openRC now (I liked it’s simplicity) so can’t try out systemd yet.
Is machinectl tied to systemd also?
486@lemmy.world 2 weeks ago
You could give bubblewrap a try instead. It is quite similar to systemd-nspawn.
wildbus8979@sh.itjust.works 3 weeks ago
Yes machinectl is the interface for nspawn