Docker daemon publicly accessible

Goal

Detect when multiple external connections are made to the port for the Docker daemon (2375 or 2376).

Strategy

Internet-accessible Docker daemons are a security risk. Authentication is not enabled by default, so anyone who can reach the port gains full access to the Docker daemon and, in turn, to the host system. Other internet-accessible services listening on these ports should be rare.

Triage and response

  1. Determine if the service running on the port is a Docker daemon.
  2. Review the downloaded images, running containers, and Docker logs for malicious activity.
  3. Move the Docker daemon to the default non-networked Unix socket. If you must expose the Docker daemon through a network socket, configure TLS authentication and restrict access with a security group.

This detection is based on data from Network Performance Monitoring.