Docker daemon publicly accessible
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when multiple external connections are made to the port for the Docker daemon (2375 or 2376).
Strategy
Internet-accessible Docker daemons are a security risk. Authentication is not enabled by default: therefore, anyone can gain full access to the Docker daemon and, in turn, to the host system. Other internet-accessible services listening on these ports should be rare.
Triage and response
- Determine if the service running on the port is a Docker daemon.
- Review the downloaded images, running containers, and Docker logs for malicious activity.
- Move the Docker daemon to the default non-networked Unix socket. If you must expose the Docker daemon through a network socket, configure TLS authentication and restrict access with a security group.
This detection is based on data from Cloud Network Monitoring.