Skip to content

Port 2375: Docker daemon (unsecured)

Key idea:

Port 2375 (TCP) is the standard for Docker daemon (unsecured). Port 2375 — Docker daemon REST API without TLS. 2376 — with TLS. Exposed 2375 on the public internet = instant full host compromise: attacker spins up a privileged container, m

Below: what uses this port, security considerations, online check, FAQ.

Check your host & ports →

What runs on this port

Docker daemon (unsecured)

Port 2375 — Docker daemon REST API without TLS. 2376 — with TLS. Exposed 2375 on the public internet = instant full host compromise: attacker spins up a privileged container, mounts / and owns root on the host. Shodan finds thousands of such servers.

Security considerations

CRITICAL: never expose 2375 publicly. Known crypto-mining botnets scan 2375 24/7. Use 2376 + TLS + client cert auth, or Unix socket /var/run/docker.sock locally.

Check this port online

Check port online →

Enterno.io Ping + Port checker tests TCP reachability of any port from 3 regions (Moscow / Frankfurt / Virginia).

Understanding Port 2375: Risks and Vulnerabilities

Port 2375 is the default port for the Docker daemon when it is configured to communicate over TCP without encryption. This configuration exposes the Docker API to the public internet, allowing anyone who can access this port to send commands directly to the Docker daemon. The risks associated with this exposure are severe, as an attacker can manipulate the Docker environment, potentially leading to a full host compromise.

When the Docker daemon is accessible on port 2375, it lacks authentication and encryption, making it an easy target for malicious actors. They can execute commands such as:

  • docker run -it --privileged — This command allows an attacker to run a container with elevated privileges, enabling them to access the host system.
  • docker exec -it /bin/bash — This command can give an attacker a shell inside a running container, facilitating further exploitation.
  • docker rm -f $(docker ps -aq) — An attacker can remove all containers, leading to data loss or service disruption.

Given these risks, it is essential to secure the Docker daemon by using port 2376, which offers TLS encryption, or by implementing network security measures such as firewalls and VPNs to restrict access.

How to Secure Docker Daemon on Port 2375

Securing the Docker daemon and preventing unauthorized access to port 2375 is crucial for maintaining the integrity of your systems. Here are several strategies to enhance security:

  • Use TLS: Configure the Docker daemon to use TLS by listening on port 2376. This ensures that all communications are encrypted and authenticated. You can set this up by generating TLS certificates and configuring the Docker daemon as follows:
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
  • Restrict IP Access: Use firewall rules to restrict access to the Docker daemon. For example, only allow connections from trusted IP addresses:
iptables -A INPUT -p tcp --dport 2375 -s  -j ACCEPT
  • Use a Reverse Proxy: Place a reverse proxy (like Nginx) in front of the Docker daemon to manage access and enforce additional security measures.

Implementing these measures will significantly reduce the risk of unauthorized access and protect your Docker environment from potential attacks.

Monitoring Port 2375: Tools and Techniques

Monitoring port 2375 is essential for detecting unauthorized access and maintaining the security of your Docker environment. Here are some effective tools and techniques for monitoring this port:

  • Network Monitoring Tools: Utilize tools like Wireshark or tcpdump to capture and analyze traffic on port 2375. This can help identify suspicious activity:
tcpdump -i any port 2375
  • Intrusion Detection Systems (IDS): Implement IDS solutions such as Snort or Suricata to detect and alert on unusual traffic patterns targeting port 2375.
  • Docker Logging: Enable Docker’s logging capabilities to keep track of API requests. You can set up logging by configuring the Docker daemon:
  • dockerd --log-level=info
    • Regular Audits: Conduct regular security audits to review access logs and detect any unauthorized attempts to access port 2375.

    By implementing these monitoring techniques, you can gain better visibility into your Docker environment, quickly identify potential threats, and take timely action to mitigate risks.

    Learn more

    Sources

    Frequently Asked Questions

    Is port 2375 open by default?

    No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 2375 in a Security Group or firewall.

    How to check if port 2375 is reachable?

    Use <a href="/en/ping">Enterno Ping + Port Checker</a>. Or in shell: <code>nc -vz example.com 2375</code>.

    Is port 2375 safe to expose?

    Depends on the service. Docker daemon (unsecured) should never be exposed publicly without authentication + TLS. See <a href="/en/s/research-open-ports-exposure-2026">our 2026 exposure research</a>.

    Try the live tool that powered this guide

    Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.