Docker daemon publicly accessible

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when multiple external connections are made to the port for the Docker daemon (2375 or 2376).

Strategy

Internet-accessible Docker daemons are a security risk. Authentication is not enabled by default: therefore, anyone can gain full access to the Docker daemon and, in turn, to the host system. Other internet-accessible services listening on these ports should be rare.

Triage and response

  1. Determine if the service running on the port is a Docker daemon.
  2. Review the downloaded images, running containers, and Docker logs for malicious activity.
  3. Move the Docker daemon to the default non-networked Unix socket. If you must expose the Docker daemon through a network socket, configure TLS authentication and restrict access with a security group.

This detection is based on data from Cloud Network Monitoring.