Should you expose Portainer (or Agent) to the Internet??

by Neil Cresswell, on December 19, 2021

This is a question we get asked over and over, and its likely that for the 10 that ask the question, there are another 1000 that dont ask, and just do..

So, should you expose Portainer (or our agent) to the Internet..

Well, if you want the short answer, its NO... but for the longer answer, read on.

Portainer is an administrative tool with a very high degree of privilege and access to your container environent; as a result, access TO Portainer itself should be strictly controlled. If you are familiar with VMware, ask yourself, would you expose vCenter direct to the internet? I think not. How about your Cloud Provider portals, would you expect the cloud provider to allow logins without some form of 2 factor authentication in front of their UI or API? Nope..

Its with shock that we note the Shodan.io tool lists 5,710 instances of the Portainer Agent exposed to the internet, and a staggering 31,677 instances of Portainer itself. Remember this tool also shows the IP addresses listening on these Ports, so think long and hard as to whether you want/need your instances public.

Portainer has two agents; our standard agent, and our edge agent (as shown below).

The standard Agent is designed for use WITHIN YOUR LAN/WAN, and the Edge Agent is designed to manage container environments connected to the public internet. If you are using our standard agent, and you have exposed it to the internet (by publishing port 9001 publically), then might we suggest that you rethink this strategy. If nothing else, you should have a firewall ACL in place that only allows access to port 9001 from trusted IPs (namely, the public IP of your Portainer instance). If you have 9001 exposed to the internet without any form of protection, you need to reconsider. 

The Edge agent does not require ANY inbound ports, as it connects back to Portainer over the internet using a secure tunnel.. This is why its recommended whenever you have container environments remote that you need to connect to over the internet.

Now, in regards to exposing Portainer (HTTP:9000 / HTTPS:9443); please make sure you are using our External Authentication capability and integrate Portainer with a trusted authentication provider that includes 2FA (eg Github Auth, Google Auth, Azure Auth).. you should never rely on JUST a password for something as critical as Portainer. This external auth is included for free in Portainer CE (oAUTH, Custom) - see docs.portainer.io if you need guidance on how to configure this.

In an upcoming version of Portainer (2.11.1) we will be making (likely breaking) changes to the regular agent to bolster its security, as we need to provide additional protection for those not following the above recommendations.

Neil

 

See for yourself with a live online Portainer Business demo

Let us introduce you to a world of fast and easy app deployment, governance, and management in Docker/Swarm and Kubernetes. Schedule a demo with our tech team and see how Portainer's container service delivery platform can make everyone's life easier.

REQUEST A PORTAINER BUSINESS DEMO

Comments