DockerJail
A secure jumpbox running sshd as a non-root user with key-based authentication.
NAT port 2222 on the host to SSH with the private key generated after running install.sh.
Install via install.sh from master branch
git clone https://github.com/phx/dockerjail.git
cd dockerjail && ./install.sh
(sudo will be required for some commands in the script).
Container uses key-based authentication and will only have password-based SSH access to the the host with no access to the rest of the network.
Uninstall via install.sh
git clone https://github.com/phx/dockerjail.git
(if you already deleted it).cd dockerjail && ./install.sh remove
This will perform a complete rollback of all of the changes made when running install.sh
Host Dependencies for install.sh:
- Docker (easy unofficial-official install script for Ubuntu/Debian/Raspbian/Arch/Kali)
/bin/bash
(notsh
-- if you want it to work withsh
, just fork it.)iptables
Warnings and Limitations for install.sh:
This will completely lockdown the docker0
interface, so it is not really meant to be run alongside other containers. If you want to customize the iptables
rules, you can do so in the Dockerfile
before running install.sh
or after running install.sh
by editing /usr/local/bin/dockerjailrules
and restarting docker.service
.
The Docker service will be restarted during the installation process.
Notes about install.sh:
You can set the passwords of the root user and the alpine user by passing
the $ROOTPASS
and $USERPASS
environment variables if you do not wish them to be random.
You can also run ./install.sh --interactive
to be prompted for each password, which will be shown in clear text.
This is the suggested method if you don't have python3
installed, which is used to create the random passwords.
Additionally, you can pass a custom CIDR range for your local network as the $CIDR
environment variable,
or you can specify it in --interactive
mode if you don't want iptables
to use the default 192.168.1.0/24 network.
Usage:
Usage: ./install.sh <[help | interactive | remove]>
--help | help | -h Shows this help message.
--interactive | interactive Allows you to set passwords (instead of random).
--remove | remove Complete rollback of all changes made by install.sh.
Non-intrusive pure Docker install from Dockerhub:
Note: this is not nearly as secure, as it does require, nor implement any iptables
rules to lockdown the container to only the host.
The container will have SSH access to the host, as well as the rest of the entire local network.
If you NAT, then this is basically the equivalent of just opening up SSH to the world, except locking it down with key-based access.
Not entirely insecure, yet not entirely recommended for external access from the Internet.
You would probably be better off running sshd with key-based access on the host and installing fail2ban
instead.
docker run --restart=always -dp 2222:2222 lphxl/dockerjail:latest
docker exec -it dockerjail sh
/home/alpine/regnerate_keys.sh
exit
docker cp dockerjail:/home/alpine/.ssh/id_rsa dockerjail.pem && chmod 400 dockerjail.pem
Alternatively, you can build the image yourself by cloning the dev branch:
git clone --single-branch --branch dev https://github.com/phx/dockerjail.git
cd dockerjail && docker build -t dockerjail .
docker run -dp 2222:2222 --name dockerjail dockerjail
docker exec -it dockerjail sh
/home/alpine/regnerate_keys.sh
exit
docker cp dockerjail:/home/alpine/.ssh/id_rsa dockerjail.pem && chmod 400 dockerjail.pem