How does Docker use ports 2375 and 4243?

I see various instances of ports 2375 and 4243 that appear to be in use when searching the internet. Also, my local machine requires me to use 2375 to connect, whereas when I push it to our CI server it should be set to 4243.

What does Docker use for these ports and how are they different?



1 answer


The Docker socket can be configured on any port with the dockerd -H option. Common docker ports I see include:

  • 2375: unencrypted docker socket, no-password remote access to the host.
  • 2376: tls encrypted socket; most likely this is your CI server's port 4243, as a modification of https port 443
  • 2377: swarm mode, for swarm managers, not docker clients
  • 5000: docker registry service
  • 4789 and 7946: overlay network.

Only the first two are specified with dockerd -H; swarm mode can be configured as part of docker swarm init --listen-addr or docker swarm join --listen-addr.

I highly recommend disabling port 2375 and protecting your docker socket. It is trivial to use this port for remote access in order to get full root access without a password from the remote. The command to do this is as simple as:

docker -H $your_ip:2375 run -it --rm \
  --privileged -v /:/rootfs --net host --pid host busybox

This can be run on any machine with a docker client to provide someone with a root shell on your host, with the full filesystem accessible under /rootfs, your network visible under ip a, and every process displayed under ps -ef.

See these instructions to configure TLS security on the docker socket: https://docs.docker.com/engine/security/https/
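A defender-side check for the weak setting the answer warns about, as an added example that is not part of the original answer: it reads a daemon.json (two constructed samples are embedded) and flags every tcp:// listener that accepts clients without --tlsverify. It assumes the daemon.json keys hosts, tls and tlsverify, and that a tcp:// host with no port falls back to dockerd's default port 2375.

```python
"""Audit a dockerd daemon.json for API listeners exposed without TLS client auth.

Added example, not code from the original answer. Assumes the daemon.json keys
"hosts", "tls" and "tlsverify", and a default TCP port of 2375 when none is given.
"""
import json
from urllib.parse import urlsplit

DEFAULT_TCP_PORT = 2375  # assumption: dockerd's default when tcp:// omits the port

# Constructed sample configurations (not taken from any real host).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_hosts(daemon_json: str) -> list:
    """Return one finding per TCP listener reachable without client-cert auth."""
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))  # --tlsverify implies --tls
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        port = url.port or DEFAULT_TCP_PORT
        loopback = url.hostname in ("127.0.0.1", "localhost", "::1")
        if tlsverify or loopback:
            continue  # client certs required, or only local users can connect
        # Without --tlsverify any client that reaches the port drives the daemon,
        # which runs as root on the host (see the busybox command in the answer).
        findings.append({
            "host": host,
            "port": port,
            "severity": "high" if tls else "critical",
            "issue": ("encrypted but no client verification" if tls
                      else "unencrypted, unauthenticated remote root"),
        })
    return findings
```

Run audit_hosts() over the daemon.json of each host in your CI fleet; any "critical" finding is the open 2375 case the answer describes, and a "high" finding is a tls-only listener that still needs tlsverify.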
