
Security: ncsa/islet


SECURITY.md

Security Recommendations

The list below documents each recommendation and how to apply it by hand. Most of these are satisfied by make targets.

  • SSH: /etc/ssh/sshd_config

The following command configures sshd_config to match the example below, except that it does not change LoginGraceTime:

```
make security-config
```

```
LoginGraceTime 30s
ClientAliveInterval 15
ClientAliveCountMax 10

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Match User training
	ForceCommand /opt/islet/bin/islet_shell
	X11Forwarding no
	AllowTcpForwarding no
	PermitTunnel no
	PermitOpen none
	MaxAuthTries 3
	MaxSessions 1
	AllowAgentForwarding no
	PermitEmptyPasswords no
```

The Match block confines the shared training account: ForceCommand replaces whatever command the client asks for with the ISLET shell, the forwarding and tunnel options stop the host from being used as a pivot, and commenting out the sftp subsystem prevents file transfer that would bypass the wrapper.
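As an added check (this script is not part of ISLET), the following audits an sshd_config for the Match block above. It walks the "Match User <name>" section, reads each directive the way sshd does (keywords are case-insensitive and the first occurrence wins), and reports anything missing or set to a different value. The user name, config path and the list of expected directives are taken from the example above; only the simple "Match User <name>" form is recognised.

```shell
#!/bin/sh
# Added example, not part of ISLET: audit an sshd_config for the "Match User"
# hardening block shown above. Lists every directive that is missing from the
# block, or set to a different value, and exits non-zero if anything is wrong.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config training

# Directives the Match block must set, as Keyword=Value. The ForceCommand path is
# ISLET's login wrapper from the example above.
REQUIRED="ForceCommand=/opt/islet/bin/islet_shell
X11Forwarding=no
AllowTcpForwarding=no
PermitTunnel=no
PermitOpen=none
MaxAuthTries=3
MaxSessions=1
AllowAgentForwarding=no
PermitEmptyPasswords=no"

# Print the directives inside "Match User <name>" as Keyword=Value, one per line,
# stopping at the next Match line or end of file. Comments and blank lines are
# skipped. Only the simple "Match User <name>" form is recognised.
match_block() {   # $1 = sshd_config path, $2 = user name
  awk -v user="$2" '
    tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == user); next }
    inblock && NF > 0 && $1 !~ /^#/ {
      value = $0
      sub(/^[ \t]*[^ \t]+[ \t]+/, "", value)   # strip the keyword
      sub(/[ \t]+$/, "", value)
      print $1 "=" value
    }' "$1"
}

# Value of keyword $3 in the Match block of $1 for user $2. sshd keywords are
# case-insensitive and the first occurrence wins, so stop at the first hit.
block_value() {
  match_block "$1" "$2" | awk -v k="$3" '{
    i = index($0, "=")
    if (tolower(substr($0, 1, i - 1)) == tolower(k)) { print substr($0, i + 1); exit }
  }'
}

# Return 0 when every REQUIRED directive is present with the expected value.
audit_match_block() {   # $1 = sshd_config path, $2 = user name
  rc=0
  for want in $REQUIRED; do
    key=${want%%=*}
    expected=${want#*=}
    got=$(block_value "$1" "$2" "$key")
    if [ -z "$got" ]; then
      echo "MISSING $key (expected $expected)"
      rc=1
    elif [ "$got" != "$expected" ]; then
      echo "WRONG   $key=$got (expected $expected)"
      rc=1
    fi
  done
  return $rc
}

if [ $# -gt 0 ]; then
  audit_match_block "$1" "${2:-training}" && echo "OK: Match User ${2:-training} block is complete"
fi
```

Run it after `make security-config` and again after any later edit to sshd_config; `sshd -T -C user=training` remains the authoritative view of what sshd will actually apply, but it needs a running sshd and root, while this check works on a plain copy of the file.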
  • Drop capabilities in containers:

ISLET includes security.conf, which can be used to add or drop kernel capabilities (see capabilities(7)) and to apply ulimit values to containers globally. The same settings can be placed in any ISLET configuration file. Add only the capabilities the software in the container actually needs, and drop the rest.

  • ulimit constraints

Note: ISLET with Docker 1.6 supports passing ulimit settings in config files.

The following upstart stanzas apply resource limits to the Docker daemon, which the processes it starts in containers inherit. They restrict the user's environment inside the container; adjust the values as necessary.

/etc/init/docker.conf:

```
# BEGIN ISLET Additions
limit nofile 1000 2000		 # Limit number of open files
limit nproc  1000 2000		 # Prevent fork bombs
limit fsize  100000000 200000000 # Limit file sizes to max of 200MB
# END
```
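Upstart applies `limit` stanzas only when the job is started, so a daemon that predates the edit keeps its old limits. The following script is an added check, not part of ISLET: it reads the `limit` stanzas from the job file and compares each one with the corresponding row of /proc/<pid>/limits for the running daemon, reporting any mismatch. The file paths on the usage line are the ones from this page; the script works on any copy of the two files.

```shell
#!/bin/sh
# Added example, not part of ISLET: confirm that the "limit" stanzas in an upstart
# job file actually took effect on the running daemon by comparing each stanza with
# the matching row of /proc/<pid>/limits. Upstart applies the stanzas only when the
# job is (re)started, so a daemon that predates the edit is the usual cause of a
# mismatch.
# Usage: sh check_docker_limits.sh /etc/init/docker.conf /proc/$(pidof docker)/limits

# Map upstart limit names to the row labels used in /proc/<pid>/limits.
proc_label() {
  case "$1" in
    nofile) echo "Max open files" ;;
    nproc)  echo "Max processes" ;;
    fsize)  echo "Max file size" ;;
    core)   echo "Max core file size" ;;
    *)      return 1 ;;
  esac
}

# Print "soft hard" for one row of a /proc/<pid>/limits file. The rows mapped above
# always carry a Units column, so the two values are the fields before the last one.
proc_limit() {   # $1 = limits file, $2 = row label
  awk -v label="$2" 'index($0, label) == 1 { print $(NF-2), $(NF-1); exit }' "$1"
}

# Compare every "limit <name> <soft> <hard>" stanza in $1 against $2. Prints one
# OK/FAIL/SKIP line per stanza and returns non-zero if any stanza FAILs.
check_limits() {   # $1 = upstart job file, $2 = /proc/<pid>/limits (or a copy)
  job=$1
  limits=$2
  sed 's/#.*//' "$job" | awk '$1 == "limit" { print $2, $3, $4 }' |
  while read -r name soft hard; do
    if ! label=$(proc_label "$name"); then
      echo "SKIP $name (no /proc/<pid>/limits row mapped)"
      continue
    fi
    actual=$(proc_limit "$limits" "$label")
    if [ "$actual" = "$soft $hard" ]; then
      echo "OK   $name $actual"
    else
      echo "FAIL $name: wanted '$soft $hard', daemon has '${actual:-no such row}'"
    fi
  done | awk '{ print } /^FAIL/ { bad = 1 } END { exit bad }'
}

if [ $# -eq 2 ]; then
  check_limits "$1" "$2"
fi
```

A FAIL for every stanza after the daemon was restarted usually means the stanzas were added to the wrong job file, or that the daemon is managed by something other than upstart on this host.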
  • Separate storage for containers:

```
service docker stop
rm -rf /var/lib/docker/*
mkfs.ext2 /dev/sdb1
mount -o defaults,noatime,nodiratime /dev/sdb1 /var/lib/docker
tail -1 /etc/fstab
	/dev/sdb1	/var/lib/docker	    ext2     defaults,noatime,nodiratime,nobootwait 0 1
service docker start
```
  • Limit container storage size to prevent DoS or resource abuse

Switching the storage backend to devicemapper allows per-container disk quotas: dm.basesize sets the maximum size a container's filesystem can grow to (default: 10G).

Note: Currently unstable, and all existing container and image data will be lost.

Automatic:

```
make docker-config SIZE=3G
```

Manual:

```
service docker stop
rm -rf /var/lib/docker/*
docker -d --storage-driver=devicemapper --storage-opt dm.basesize=3G &
sleep 3 && pkill docker
tail -1 /etc/default/docker
	DOCKER_OPTS="--storage-driver=devicemapper --storage-opt dm.basesize=3G"
start docker
```

Note: There's currently a bug in devicemapper that may cause docker to fail to run containers (more info).

  • Iptables

Rate limiting protection for the SSH service:

```
make iptables-config
```
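The following is an added example of what such rate limiting looks like; it is not ISLET's own iptables-config target and may differ from what that target installs. It uses the iptables `recent` match: the first rule records every new connection to the SSH port under a list name, and the second drops a new connection once the same source has reached HITS entries within the last WINDOW seconds. Because `--update` refreshes the entry's timestamp, a source that keeps retrying stays blocked until it has been quiet for WINDOW seconds. Rules are added with an `iptables -C` check first so the script can be re-run without stacking duplicates. The list name ISLET_SSH, the default values and the `--apply`/`--dry-run` flags are choices made for this example.

```shell
#!/bin/sh
# Added example, not ISLET's own iptables-config target: per-source rate limiting of
# new SSH connections with the iptables "recent" match. The first rule records every
# new connection to SSH_PORT under the list name ISLET_SSH; the second drops the
# connection once a source has HITS or more entries within the last WINDOW seconds.
# Because --update refreshes the entry, a source that keeps hammering stays blocked
# until it has been quiet for WINDOW seconds.
# Usage: sudo sh ssh_ratelimit.sh --apply     (or --dry-run to print the rules)
SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-60}"
HITS="${HITS:-4}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# One rule specification per line, without the "iptables" prefix.
ssh_ratelimit_rules() {
  cat <<EOF
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ISLET_SSH --set
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ISLET_SSH --update --seconds $WINDOW --hitcount $HITS -j DROP
EOF
}

# Append a rule only if an identical one is not already present (iptables -C), so
# re-running the script does not stack duplicates. $1 must be -A, $2 the chain.
add_rule() {
  chain=$2
  shift 2
  if [ "$DRY_RUN" = 1 ]; then
    echo "$IPT -A $chain $*"
    return 0
  fi
  $IPT -C "$chain" "$@" 2>/dev/null || $IPT -A "$chain" "$@"
}

apply_ssh_ratelimit() {
  ssh_ratelimit_rules | while IFS= read -r rule; do
    # word splitting of $rule into iptables arguments is intentional
    add_rule $rule
  done
}

case "${1:-}" in
  --apply)   apply_ssh_ratelimit ;;
  --dry-run) DRY_RUN=1; apply_ssh_ratelimit ;;
esac
```

Two caveats a practitioner should keep in mind: the rules must come before any general ACCEPT for port 22 in INPUT or they never match, and the xt_recent module tracks a bounded number of addresses per list (module parameter ip_list_tot, 100 by default), so a distributed attack can push legitimate sources out of the list; raise that parameter or combine with a connection-limit match if that matters for your deployment.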
  • GRSecurity kernel patches

To help protect the host system, it is recommended to build the Linux kernel with the grsecurity patches (more info).
