Docker daemon publicly accessible

Goal

Detect when multiple external connections are made to the port for the Docker daemon (2375 or 2376).

Strategy

Internet-accessible Docker daemons are a security risk. Authentication is not enabled by default; therefore, anyone can gain full access to the Docker daemon and, in turn, to the host system. Other internet-accessible services listening on these ports should be rare.
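
The same idea as an added example, not the rule's actual query: group flow records by destination and flag any host whose port 2375 or 2376 is reached from several external sources. The record field names, the internal address ranges, and the threshold of two distinct sources are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

DOCKER_PORTS = {2375, 2376}   # Docker daemon ports named on this page
MIN_EXTERNAL_SOURCES = 2      # assumption: "multiple" means two or more distinct sources

# Assumption: these ranges are internal; every other address counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

def is_external(addr):
    """True when addr falls outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def exposed_daemons(flows):
    """Return {(dst_ip, dst_port): sorted external sources} for flagged hosts."""
    sources = defaultdict(set)
    for f in flows:
        if f["dst_port"] in DOCKER_PORTS and is_external(f["src_ip"]):
            sources[(f["dst_ip"], f["dst_port"])].add(f["src_ip"])
    return {k: sorted(v) for k, v in sources.items()
            if len(v) >= MIN_EXTERNAL_SOURCES}

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.1.5", "dst_port": 2375},
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.1.5", "dst_port": 2375},
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.1.5", "dst_port": 2375},  # repeat source
    {"src_ip": "10.0.2.9", "dst_ip": "10.0.1.6", "dst_port": 2376},      # internal client
    {"src_ip": "192.168.4.2", "dst_ip": "10.0.1.6", "dst_port": 2376},   # internal client
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.1.7", "dst_port": 2376},  # one external source only
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.1.8", "dst_port": 443},   # unrelated port
]

if __name__ == "__main__":
    for (host, port), srcs in exposed_daemons(SAMPLE_FLOWS).items():
        print(f"{host}:{port} reached by {len(srcs)} external sources: {', '.join(srcs)}")
```

Counting distinct sources rather than raw connections keeps one retrying client from tripping the threshold; internal-only traffic to 2376 and traffic to other ports are ignored.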

Triage and response

  1. Determine if the service running on the port is a Docker daemon.
  2. Review the downloaded images, running containers, and Docker logs for malicious activity.
  3. Move the Docker daemon to the default non-networked Unix socket. If you must expose the Docker daemon through a network socket, configure TLS authentication and restrict access with a security group.

This detection is based on data from Network Performance Monitoring.