Potential security issue: iptables #159
Comments
I just realised we can manually set a Jackett password in the GUI so this issue might be a waste of time. Perhaps setting a password as default would be good practice though?

Interesting, I was unaware of the incompatibility with UFW and docker. If you come up with a solution regarding iptables let me know. In the meantime, yes I think adding transmission & jackett passwords would be more sane defaults. It's easy enough to do with Transmission like you mentioned but I'll have to research jackett's config to know how to pre-populate it, and if it's possible (since it's also generating a unique API key).

Was going through the issues and stumbled on this old one. I think it would be safe to close out this issue and other system configuration issues by adding notes to a new doc like FAQ.md or something. I can work on a PR for this and other issues when I get some time, and include information/options for issues that seem more sysadmin related. @lardbit I could create a label "documentation" and add it to issues that seem like they fit this sort of category, if that makes sense to you. @Clickbaitcake on a side note if you're still dealing with this (I know this is very old) there are ways to make UFW rules apply to docker as well if you didn't want to turn off iptables in docker altogether.

That would be great. Good idea.
Nefarious docker containers open ports on the host which grant access to the web GUIs for the app itself alongside Jackett and Transmission. Thanks to a quirk in Docker networking these open ports bypass the host firewall (UFW in most cases) because Docker uses iptables.
This means when running Nefarious on a public-facing VPS a user could leak their admin control panels to the whole internet even when a firewall rule is in place to block access. Private tracker credentials could be stolen easily from the exposed Jackett port because the user might assume blocking access to port 9117 via the firewall is enough to protect themselves.
This could be fixed in either of two ways:
/etc/docker/daemon.json
containing:
The downside to this approach in my testing is that it breaks the Docker containers' ability to reach the internet. There must be a workaround.
Transmission can be done by editing the Transmission settings.json to contain the following additional values by default:
A password can be added to Jackett by modifying
.config/Jackett/ServerConfig.json
but I don't have these values to hand.
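As an added example (not part of this issue thread or the Nefarious project), a POSIX shell check for the exposure described above. It assumes the usual way of making host firewall rules apply to Docker without disabling iptables: Docker evaluates its own DOCKER-USER chain before the DNAT'd container traffic reaches the FORWARD rules, so a published port is only protected if a rule there covers it. The `docker ps` port column and `iptables-save` lines are constructed; port 9117 is Jackett's from the issue, the other port numbers are assumed.

```shell
#!/bin/sh
# Constructed sample: the Ports column of `docker ps --format '{{.Ports}}'`
# for a Nefarious-style stack (ports other than Jackett's 9117 are assumed).
SAMPLE_PORTS='0.0.0.0:8000->80/tcp, :::8000->80/tcp
0.0.0.0:9117->9117/tcp
127.0.0.1:9091->9091/tcp
51413/tcp'

# Constructed sample: the DOCKER-USER chain as printed by `iptables-save`.
# Here only Jackett's port has been restricted; the web GUI on 8000 has not.
SAMPLE_DOCKER_USER='-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 9117 -j DROP
-A DOCKER-USER -j RETURN'

# Host ports Docker publishes on all interfaces (0.0.0.0 or ::). Traffic to
# these is DNAT'd into the container network and goes through FORWARD, not
# INPUT, so a UFW "deny" written for INPUT never sees it. Ports bound only to
# 127.0.0.1 and container-internal exposes without a host binding are skipped.
world_exposed_ports() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//' \
    | awk -F'->' '/^(0\.0\.0\.0|::):/ { sub(/.*:/, "", $1); print $1 }' \
    | sort -un
}

# Of those ports, the ones no DOCKER-USER rule mentions by --dport. Anything
# printed here is reachable from the internet regardless of UFW's INPUT rules.
unprotected_ports() {
  for p in $(world_exposed_ports "$1"); do
    printf '%s\n' "$2" | grep -Eq -- "--dport ${p}( |$)" || echo "$p"
  done
}

# Stand-alone run against the constructed samples; on a real host replace them
# with `docker ps --format '{{.Ports}}'` and `iptables-save | grep DOCKER-USER`.
echo "published on all interfaces:"
world_exposed_ports "$SAMPLE_PORTS"
echo "not covered by any DOCKER-USER rule:"
unprotected_ports "$SAMPLE_PORTS" "$SAMPLE_DOCKER_USER"
```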