Docker daemon publicly accessible

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1133-external-remote-services

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when multiple external connections are made to the port for the Docker daemon (2375 or 2376).

Strategy

Internet-accessible Docker daemons are a security risk. Authentication is not enabled by default: therefore, anyone can gain full access to the Docker daemon and, in turn, to the host system. Other internet-accessible services listening on these ports should be rare.

Triage and response

  1. Determine if the service running on the port is a Docker daemon.
  2. Review the downloaded images, running containers, and Docker logs for malicious activity.
  3. Move the Docker daemon to the default non-networked Unix socket. If you must expose the Docker daemon through a network socket, configure TLS authentication and restrict access with a security group.

This detection is based on data from Network Performance Monitoring.