How do you make sure that your Docker containers don't go rogue and start snooping around or contacting external servers that they shouldn't be talking to? Is there a network traffic monitoring...
How do you make sure that your Docker containers don't go rogue and start snooping around or contacting external servers that they shouldn't be talking to? Is there a network traffic monitoring program that I could use? Or a service that would notify me about vulnerabilities in containers that I have installed?
Last year, I asked help setting up my new Synology NAS, and many of you wonderful people offered some really, really good advice. I have recently started to play around with Docker containers more, and I am a little uneasy about the idea that my NAS is home to my files, my own scripts, and Docker containers made by other people, and that it is always on and these containers have constant internet access. I don't have the time (or frankly the skills) to verify the contents of the containers beyond making sure that they come from reputable sources, but I would like to have a bit more peace of mind and make sure that things remain private and secure.
My setup at the moment is the following: I have a Synology DS923+ and I manage Docker containers with Synology's Container Manager, using docker compose files. I have so far put all containers into the same virtual network (perhaps something I need to think about), which is a separate IP range from my other devices, and has internet access through my DNS. I use Synology's DNS Server (for everything in my home network) and Reverse Proxy so that I can use local domain names and HTTPS. For HTTPS, I have made myself a certificate authority and created the necessary certificates and installed them on my devices. No ports are opened on the router and things like UPnP are turned off. I use Tailscale to access my home network when not at home. And while I have not yet done so, I have been considering setting up some firewall rules, for instance to restrict access to the DSM. I use 2FA for the NAS and its SSH is turned on only when I need to use it.