Metadata

Id: 5907595b-5b6d-4142-b173-dbb0e73fbff8

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Low

Category: Best Practices

Description

Exposing SSH (port 22) from a container image creates an unnecessary remote access surface that enables brute-force attacks, credential theft, and lateral movement if the container or host is compromised. This rule checks Dockerfiles for EXPOSE instructions and flags any EXPOSE entry that includes port 22.

Remove port 22 from EXPOSE directives. When interactive access is required, rely on container runtime access methods (for example, docker exec or kubectl exec), a bastion host, or an ephemeral, tightly controlled SSH gateway with network restrictions and strong authentication instead of SSH inside the image.

Secure example without SSH exposed:

EXPOSE 8080

Compliant Code Examples

FROM gliderlabs/alpine:3.3
RUN apk --no-cache add nginx
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

Non-Compliant Code Examples

FROM gliderlabs/alpine:3.3
RUN apk --no-cache add nginx
EXPOSE 3000 80 443 22
CMD ["nginx", "-g", "daemon off;"]
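The check this rule describes, as an added example written for this page (not Datadog's own scanner code): it walks a Dockerfile's logical lines, joins backslash continuations, skips comments, and flags any EXPOSE instruction whose port list contains 22, with or without a /tcp or /udp suffix. The sample Dockerfile is constructed from the non-compliant example above plus a continued EXPOSE line; build-time variables such as `EXPOSE ${PORT}` are not resolved, which is an assumption of this example.

```python
# Constructed sample: the page's non-compliant Dockerfile, extended with a
# comment line and a backslash-continued EXPOSE so both paths are exercised.
SAMPLE_DOCKERFILE = r"""FROM gliderlabs/alpine:3.3
RUN apk --no-cache add nginx
# a comment mentioning EXPOSE 22 must not trigger the rule
EXPOSE 3000 80 443 22
EXPOSE 8080/tcp \
       22/udp
CMD ["nginx", "-g", "daemon off;"]
"""


def logical_lines(text):
    """Yield (first_line_no, instruction) for each Dockerfile instruction.

    Backslash continuations are joined into one instruction, and blank or
    comment lines (also those inside a continuation) are ignored, which is
    how the Dockerfile parser treats them.
    """
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # trailing continuation with no final line
        yield start, " ".join(buf)


def exposed_ports(instruction):
    """Return the port numbers named by an EXPOSE instruction (suffixes such
    as /tcp or /udp stripped); empty list for any other instruction."""
    parts = instruction.split()
    if not parts or parts[0].upper() != "EXPOSE":
        return []
    return [p.split("/", 1)[0] for p in parts[1:]]


def find_ssh_exposure(text, ssh_port="22"):
    """Return [(line_no, instruction)] for every EXPOSE that lists port 22."""
    return [(no, instr) for no, instr in logical_lines(text)
            if ssh_port in exposed_ports(instr)]
```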