[SOLVED] Is a firewall needed in an LXD Containier e.g Apache/Owncloud

taumeister · 09-15-2018, 03:27 PM

Hi
I have created a Ubuntu LXD host under a Hyper-V server with some containers running in bridged mode.

1. HAProxy SSL
2. Owncloud
3. Wordpress
4. Kopano Mail System...etc.

What about the security of LXD containers?
Some say that a container of this kind should be treated like a normal operating system and the same security measures should be taken accordingly.
https://discuss.linuxcontainers.org/...tices-help/352
Normally I would then use at least a combination of 'iptables' and 'fail2ban'.
Others think that the isolation by the containers in combination with AppArmor and the reduction of the root account, bring enough security?

I honestly can't imagine it right. Can a container like the SSL proxy be hijacked in the same way just like a normal host, and does it need to be secured by e.g. ' iptabels'?

What are your security concepts in this area?

pan64 · 09-17-2018, 01:47 AM

I think you mixed two different things: containers are isolated from each other and the host. But they work (more or less) as a VM and if you allow external access they will need the same protection as any other OS.

taumeister · 09-17-2018, 03:40 AM

Hello and thank you very much for your answer.
No, I'm not mixing anything here and I'm well aware of the difference.
And containers are almost like virtual machines but not complete.
They are much more isolated and the permissions within them are greatly reduced.
Normal containers are not privileged either.

But at the end of the day I came to a similar conclusion and limited all containers via iptables to the ports used as well as secured them with fail2ban - at least the two web servers.
Additionally I will read the BSI pages about basic protection and isolation of LXD environments.
Thanks