Exploiting exposed Portainer agent and using new SSH persistence (exatrack.com)
3 points by benjiro 9 months ago | 1 comment


An interesting analysis of an intrusion capability that seems to use the wrong conclusion:

> What is really important (and documented)6 is that this registration does not persist across reboots of the portainer agent. This effectively means that a portainer agent with its port 9001 exposed may be taken over after a reboot if an attacker connects before the legitimate Portainer server.

What the documentation really states:

> For security reasons, the Edge server UI will shutdown after 15 minutes if no key has been specified. The agent will require a restart in order to access the Edge UI again.

In other words, if a user installs the Edge Agent and does not connect to it, it will shut down after 15 minutes. And if a server or the Docker agent restarts, it will again be exposed for 15 minutes.

In non-agent mode, the agent will use a digital signature or secret for communication.

If it was registered, it does not lose its persistent registration on a reboot (of the portainer agent). Author seems to have mixed up a few things.

Yes, if you install the Portainer agent and never register it, it's exposed for a while, and IF you reboot your server/Docker agent, it will again be exposed (for a while). But it's not exposed if properly registered and rebooted server/agent.

For the rest, interesting article about the infection.



