Incoming container traffic is bound to a specific host interface

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.13

Set up the docker integration.

Description

By default, Docker containers can make connections to the outside world, but the outside world cannot connect to containers and each outgoing connection will appear to originate from one of the host machine’s own IP addresses. You should only allow container services to be contacted through a specific external interface on the host machine.

Rationale

If you have multiple network interfaces on your host machine, the container can accept connections on exposed ports on any network interface. This might not be desirable and may not be secured. In many cases a specific, desired interface is exposed externally and services such as intrusion detection, intrusion prevention, firewall, load balancing, etc. are all run by intention there to screen incoming public traffic. You should therefore not accept incoming connections on any random interface, but only on the one designated for this type of traffic.

Audit

  1. List all running instances of containers and their port mappings by executing this command: docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'
  2. Review the list and ensure that the exposed container ports are bound to a specific interface and not to the wildcard IP address - 0.0.0.0.

For example, if the command above returns the result below, the configuration is non-compliant and the container can accept connections on any host interface on port 49153:

Ports=map[443/tcp:<nil> 80/tcp:[map[HostPort:49153 HostIp:0.0.0.0]]]

However, if the exposed port is bound to a specific interface on the host as below, then this is configured in line with good security practices.

Ports=map[443/tcp:<nil> 80/tcp:[map[HostIp:10.2.3.4 HostPort:49153]]]
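The audit steps above can be automated by parsing the JSON that docker inspect emits rather than eyeballing the Go-template output. The script below is an added example, not part of the benchmark or of Docker; it flags every published port whose HostIp is a wildcard address (0.0.0.0, the IPv6 wildcard "::", or an empty HostIp, which Docker also treats as wildcard) and is run here against a constructed sample mirroring the two cases shown above. The container IDs in the sample are made up.

```python
import json
import subprocess
from typing import Dict, List

# Addresses Docker treats as "bind on every host interface". An empty HostIp
# also means wildcard in docker inspect output; "::" appears on IPv6-enabled hosts.
WILDCARD_HOST_IPS = {"", "0.0.0.0", "::"}


def find_wildcard_bindings(inspect_json: str) -> Dict[str, List[str]]:
    """Parse `docker inspect` JSON and return, per container ID, every published
    port whose HostIp is a wildcard address. A container port mapped to None is
    exposed but not published to the host, so it is compliant."""
    findings: Dict[str, List[str]] = {}
    for container in json.loads(inspect_json):
        ports = container.get("NetworkSettings", {}).get("Ports") or {}
        bad: List[str] = []
        for container_port, bindings in ports.items():
            for binding in bindings or []:
                host_ip = binding.get("HostIp", "")
                if host_ip in WILDCARD_HOST_IPS:
                    shown_ip = host_ip or "0.0.0.0"
                    bad.append(f"{container_port} -> {shown_ip}:{binding.get('HostPort')}")
        if bad:
            findings[container["Id"]] = bad
    return findings


def audit_running_containers() -> Dict[str, List[str]]:
    """Live version of the CIS 5.13 audit: inspect every running container."""
    ids = subprocess.run(["docker", "ps", "--quiet"], check=True,
                         capture_output=True, text=True).stdout.split()
    if not ids:
        return {}
    out = subprocess.run(["docker", "inspect", *ids], check=True,
                         capture_output=True, text=True).stdout
    return find_wildcard_bindings(out)


# Constructed sample (fake container IDs) mirroring the two cases in the benchmark text.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaaa1111", "NetworkSettings": {"Ports": {
        "443/tcp": None,
        "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "49153"}]}}},
    {"Id": "bbbb2222", "NetworkSettings": {"Ports": {
        "443/tcp": None,
        "80/tcp": [{"HostIp": "10.2.3.4", "HostPort": "49153"}]}}},
])

if __name__ == "__main__":
    for cid, issues in find_wildcard_bindings(SAMPLE_INSPECT).items():
        print(f"NON-COMPLIANT {cid}: {', '.join(issues)}")
```

Only the first sample container is reported; the second is bound to 10.2.3.4 and passes, and the unpublished 443/tcp entry is ignored in both.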

Remediation

You should bind the container port to a specific host interface on the desired host port. For example, docker run --detach --publish 10.2.3.4:49153:80 nginx

In the example above, container port 80 is bound to host port 49153 and accepts incoming connections only on the 10.2.3.4 external interface.

Impact

None

Default value

By default, Docker exposes the container ports on 0.0.0.0, the wildcard IP address that will match any possible incoming network interface on the host machine.

References

  1. https://docs.docker.com/engine/userguide/networking/

CIS controls

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services