lardbit/nefarious

Potential security issue: iptables

Clickbaitcake opened this issue · 4 comments

Nefarious docker containers open ports on the host which grant access to the web GUIs for the app itself alongside Jackett and Transmission. Thanks to a quirk in Docker networking these open ports bypass the host firewall (UFW in most cases) because Docker uses iptables.

This means when running Nefarious on a public-facing VPS a user could leak their admin control panels to the whole internet even when a firewall rule is in place to block access. Private tracker credentials could be stolen easily from an exposed Jackett port because the user might assume blocking access to port 9117 via the firewall is enough to protect themselves.

This could be fixed in either of two ways:

  1. Control Docker's access to iptables by creating the file /etc/docker/daemon.json containing:
{
    "iptables": false
}


The downside to this approach in my testing is that it breaks the Docker containers' ability to reach the internet. There must be a workaround.

  2. Add some default, changeable password to Jackett and Transmission.
    Transmission can be done by editing the transmission settings.json to contain the following additional values by default
{
    "download-dir": "/downloads/",
    "incomplete-dir": "/downloads/.incomplete",
    "incomplete-dir-enabled": "true",
    "rpc-whitelist": "*",
    "rpc-host-whitelist-enabled": "false",
    "rpc-password": "PASSWORDHERE",
    "rpc-username": "admin",
    "rpc-authentication-required": "true"
}

A password can be added to Jackett by modifying .config/Jackett/ServerConfig.json but I don't have these values to hand.

I just realised we can manually set a Jackett password in the GUI so this issue might be a waste of time. Perhaps setting a password as default would be good practice though?

Interesting, I was unaware of the incompatibility with UFW and docker. If you come up with a solution regarding iptables let me know. In the meantime, yes I think adding transmission & jackett passwords would be more sane defaults. It's easy enough to do with Transmission like you mentioned but I'll have to research jackett's config to know how to pre-populate it, and if it's possible (since it's also generating a unique API key).
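The two exposure paths raised in this thread, an unauthenticated Transmission RPC and Docker-published ports that Docker's own iptables rules open on every host interface regardless of UFW, can both be caught by a small config audit. The script below is an added example and is not code from the nefarious project; the settings.json sample, the port list and the 9091 Transmission RPC port are constructed for illustration. It goes slightly beyond the thread by showing the loopback-binding mitigation (`127.0.0.1:HOST:CONTAINER`), which keeps a published port off the public interfaces without turning Docker's iptables management off.

```python
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the settings.json shape quoted in the issue,
# before any authentication is switched on. Not a file from nefarious.
WEAK_TRANSMISSION_SETTINGS: Dict = json.loads("""
{
    "download-dir": "/downloads/",
    "incomplete-dir": "/downloads/.incomplete",
    "incomplete-dir-enabled": true,
    "rpc-whitelist": "*",
    "rpc-host-whitelist-enabled": false,
    "rpc-authentication-required": false
}
""")

# Values that should never ship as a "default" password (constructed list).
PLACEHOLDER_PASSWORDS = {"", "PASSWORDHERE", "admin", "password", "transmission"}


def _truthy(value) -> bool:
    # Transmission writes booleans as JSON true/false, but hand-edited files
    # (like the one in the issue) sometimes quote them; accept both spellings.
    return value is True or str(value).lower() == "true"


def audit_transmission_rpc(settings: Dict) -> List[str]:
    """Return findings for the RPC auth keys; an empty list means acceptable."""
    findings: List[str] = []
    if not _truthy(settings.get("rpc-authentication-required", False)):
        findings.append("rpc-authentication-required is off: anyone who can reach "
                        "the RPC port controls the daemon")
    if settings.get("rpc-password", "") in PLACEHOLDER_PASSWORDS:
        findings.append("rpc-password is empty or a placeholder: authentication "
                        "would not protect the interface even if required")
    return findings


def harden_transmission_rpc(settings: Dict, username: str = "admin") -> Dict:
    """Return a copy with authentication required and a random default password.

    The generated password is meant to be shown to the user once and changed;
    Transmission replaces the plaintext with a salted hash when it next saves
    settings.json, so it does not stay on disk in the clear.
    """
    hardened = dict(settings)
    hardened["rpc-authentication-required"] = True
    hardened["rpc-username"] = username
    hardened["rpc-password"] = secrets.token_urlsafe(24)
    return hardened


_ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_port_spec(spec: str) -> Tuple[Optional[str], Optional[str], str]:
    """Split a compose / `docker -p` mapping into (host_ip, host_port, container_port).

    Handles the short syntax CONTAINER, HOST:CONTAINER and IP:HOST:CONTAINER,
    with an optional /tcp or /udp suffix and bracketed IPv6 addresses.
    host_ip is None when the mapping does not name one.
    """
    body = spec.split("/", 1)[0]
    parts = body.rsplit(":", 2)  # rsplit keeps an IPv6 address with its colons intact
    if len(parts) == 3:
        return parts[0].strip("[]"), parts[1], parts[2]
    if len(parts) == 2:
        return None, parts[0], parts[1]
    return None, None, parts[0]


def published_on_all_interfaces(spec: str) -> bool:
    """True when the mapping publishes the host port on every interface.

    Docker inserts its DNAT and DOCKER forwarding rules ahead of UFW's chains,
    so a UFW deny rule does not apply to a port published this way.
    """
    host_ip, _, _ = parse_port_spec(spec)
    return host_ip is None or host_ip in _ALL_INTERFACES


def rebind_to_loopback(spec: str) -> str:
    """Rewrite an all-interfaces mapping so the host port listens on 127.0.0.1 only."""
    if not published_on_all_interfaces(spec):
        return spec
    body, _, proto = spec.partition("/")
    _, host_port, container_port = parse_port_spec(body)
    rebound = f"127.0.0.1:{host_port or container_port}:{container_port}"
    return f"{rebound}/{proto}" if proto else rebound


def audit_compose_ports(ports: List[str]) -> Dict[str, str]:
    """Map each mapping reachable on all interfaces to its loopback-bound replacement."""
    return {p: rebind_to_loopback(p) for p in ports if published_on_all_interfaces(p)}


if __name__ == "__main__":
    for finding in audit_transmission_rpc(WEAK_TRANSMISSION_SETTINGS):
        print("transmission:", finding)
    # Constructed port list: Jackett's 9117 from the issue plus Transmission's RPC port.
    for spec, fixed in audit_compose_ports(["9117:9117", "9091:9091/tcp", "127.0.0.1:8000:80"]).items():
        print(f"docker: {spec} is reachable on all interfaces; use {fixed}")
```

Binding to loopback only helps if the operator then reaches the GUIs over SSH port forwarding or a reverse proxy that does its own authentication; it is a complement to the default password, not a replacement, because an exposed port with no credentials is still the failure the issue describes.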