starred/hardening

Fork 0

mirror of https://github.com/konstruktoid/hardening.git synced 2026-04-27 01:35:55 +03:00

[GH-ISSUE #3] Document Hardening Items #2

New issue

Closed

opened 2026-03-03 13:58:09 +03:00 by kerem · 10 comments

kerem commented

2026-03-03 13:58:09 +03:00

Owner

Originally created by @joelchen on GitHub (Jun 25, 2017).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/3

Would be good to have a list of items and descriptions for all hardening performed in the script documented in README or Wiki.

Originally created by @joelchen on GitHub (Jun 25, 2017). Original GitHub issue: https://github.com/konstruktoid/hardening/issues/3 Would be good to have a list of items and descriptions for all hardening performed in the script documented in README or Wiki.

kerem closed this issue

2026-03-03 13:58:10 +03:00

kerem commented

2026-03-03 13:58:11 +03:00

Author

Owner

@konstruktoid commented on GitHub (Jun 26, 2017):

Thanks for the comment @joelchen, I'll work on the documentation as soon as possible.

@konstruktoid commented on GitHub (Jun 26, 2017): Thanks for the comment @joelchen, I'll work on the documentation as soon as possible.

kerem commented

2026-03-03 13:58:11 +03:00

Author

Owner

@konstruktoid commented on GitHub (Jul 3, 2017):

Better late than never.
@joelchen, any improvements?

@konstruktoid commented on GitHub (Jul 3, 2017): Better late than never. @joelchen, any improvements?

kerem commented

2026-03-03 13:58:11 +03:00

Author

Owner

@joelchen commented on GitHub (Jul 4, 2017):

@konstruktoid Yes, I see some improvements, thank you. Further improvements could be made for description or link to website of the softwares that are installed or removed, and because running this script caused my system in Docker to fail because of UFW and AppArmor, document additional steps to remedy this problem.

@joelchen commented on GitHub (Jul 4, 2017): @konstruktoid Yes, I see some improvements, thank you. Further improvements could be made for description or link to website of the softwares that are installed or removed, and because running this script caused my system in Docker to fail because of UFW and AppArmor, document additional steps to remedy this problem.

kerem commented

2026-03-03 13:58:11 +03:00

Author

Owner

@konstruktoid commented on GitHub (Jul 4, 2017):

@joelchen I'll add reference links.
But why would you run this in a Docker container?

@konstruktoid commented on GitHub (Jul 4, 2017): @joelchen I'll add reference links. But why would you run this in a Docker container?

kerem commented

2026-03-03 13:58:11 +03:00

Author

Owner

@joelchen commented on GitHub (Jul 11, 2017):

@konstruktoid I run this on Ubuntu servers, and Docker is installed on Ubuntu servers for running applications. There are problems with Docker containers when UFW and AppArmor are enabled.

@joelchen commented on GitHub (Jul 11, 2017): @konstruktoid I run this on Ubuntu servers, and Docker is installed on Ubuntu servers for running applications. There are problems with Docker containers when UFW and AppArmor are enabled.

kerem commented

2026-03-03 13:58:11 +03:00

Author

Owner

@konstruktoid commented on GitHub (Jul 12, 2017):

So do I @joelchen, and yes, there have been issues with Docker and UFW/AppArmor but UFW and AppArmor affects all system services and often requires modifications.

@konstruktoid commented on GitHub (Jul 12, 2017): So do I @joelchen, and yes, there have been issues with Docker and UFW/AppArmor but UFW and AppArmor affects all system services and often requires modifications.

kerem commented

2026-03-03 13:58:11 +03:00

Author

Owner

@pascalandy commented on GitHub (Jul 16, 2017):

Same use case as @joelchen here.

I run this on Ubuntu servers, and Docker is installed on Ubuntu servers for running applications.

I'm sure that setting up Docker with UFW & AppArmor is well documented. It would be nice to have an option like:

Do you plan to use Docker? (y/n)

If it helps, here are my Docker UFW rules

## TCP port 2376 for secure Docker client communication. This port is required for Docker Machine to work. Docker Machine is used to orchestrate Docker hosts.
ufw allow 2376/tcp

##TCP and UDP port 7946 for communication among nodes (container network discovery).
ufw allow 7946/tcp
ufw allow 7946/udp

#UDP port 4789 for overlay network traffic (container ingress networking).
ufw allow 4789/udp

##On Leader only | Will need to disable on Workers
##TCP port 2377. This port is used for communication between the nodes of a Docker Swarm or cluster. It only needs to be opened on manager nodes.
ufw allow 2377/tcp

# >>> Reload UFW
ufw reload
ufw --force enable
ufw status numbered
systemctl restart docker

EDIT: I never configured AppArmor with Docker.

@pascalandy commented on GitHub (Jul 16, 2017): Same use case as @joelchen here. > I run this on Ubuntu servers, and Docker is installed on Ubuntu servers for running applications. I'm sure that setting up Docker with UFW & AppArmor is well documented. It would be nice to have an option like: ``` Do you plan to use Docker? (y/n) ``` ### If it helps, here are my Docker UFW rules ``` ## TCP port 2376 for secure Docker client communication. This port is required for Docker Machine to work. Docker Machine is used to orchestrate Docker hosts. ufw allow 2376/tcp ##TCP and UDP port 7946 for communication among nodes (container network discovery). ufw allow 7946/tcp ufw allow 7946/udp #UDP port 4789 for overlay network traffic (container ingress networking). ufw allow 4789/udp ##On Leader only | Will need to disable on Workers ##TCP port 2377. This port is used for communication between the nodes of a Docker Swarm or cluster. It only needs to be opened on manager nodes. ufw allow 2377/tcp # >>> Reload UFW ufw reload ufw --force enable ufw status numbered systemctl restart docker ``` EDIT: I never configured AppArmor with Docker.

kerem commented

2026-03-03 13:58:11 +03:00

Author

Owner

@konstruktoid commented on GitHub (Aug 4, 2017):

Thanks and again sorry for the late reply, vacation and such.
I understand this tries to assist in configuring UFW and Docker but opening all above ports is unnecessary and you'll need to configure an "Docker network" in additional to the present FW_ADMIN option.

@konstruktoid commented on GitHub (Aug 4, 2017): Thanks and again sorry for the late reply, vacation and such. I understand this tries to assist in configuring `UFW` and `Docker` but opening all above ports is unnecessary and you'll need to configure an "Docker network" in additional to the present `FW_ADMIN` option.

kerem commented

2026-03-03 13:58:11 +03:00

Author

Owner

@konstruktoid commented on GitHub (Sep 14, 2017):

Closing, too many user specific variables.

@konstruktoid commented on GitHub (Sep 14, 2017): Closing, too many user specific variables.

kerem commented

2026-03-03 13:58:11 +03:00

Author

Owner

@pascalandy commented on GitHub (Sep 14, 2017):

That's why I propose a config about Docker installation y/n

But I absolutely understand that you don't want to manage this in this project.

Cheers!

@pascalandy commented on GitHub (Sep 14, 2017): That's why I propose a config about Docker installation y/n But I absolutely understand that you don't want to manage this in this project. Cheers!

kerem referenced this issue

2026-03-03 14:29:38 +03:00

[PR #2] [MERGED] Added config files to this repo #93