I see various instances of ports 2375 and 4243 being used for seemingly the same thing while searching the internet. Also, my local machine requires I use 2375 to connect whereas when I push it to our CI server it requires it be set to 4243.
What does Docker use these ports for and how do they differ?
Port mapping is used to access the services running inside a Docker container. We open a host port to give us access to a corresponding open port inside the Docker container. Then all the requests that are made to the host port can be redirected into the Docker container.
It is conventional to use port 2375 for unencrypted, and port 2376 for encrypted communication with the daemon. If you're using an HTTPS encrypted socket, keep in mind that only TLS1.0 and greater are supported. Protocols SSLv3 and under are not supported anymore for security reasons.
Docker also finds ports you expose with --expose 8080 (assuming you want to expose port 8080). Docker maps all of these ports to a host port within a given ephemeral port range. You can find the configuration for these ports (usually 32768 to 61000) in /proc/sys/net/ipv4/ip_local_port_range.
The docker socket can be configured on any port with the dockerd -H option. Common docker ports that I see include:
Only the first two are set with dockerd -H; swarm mode can be configured as part of docker swarm init --listen-addr or docker swarm join --listen-addr.
I strongly recommend disabling the 2375 port and securing your docker socket. It's trivial to remotely exploit this port to gain full root access without a password from remote. The command to do so is as simple as:
docker -H $your_ip:2375 run -it --rm \
--privileged -v /:/rootfs --net host --pid host busybox
That can be run on any machine with a docker client to give someone a root shell on your host with the full filesystem available under /rootfs, your network visible under ip a, and every process visible under ps -ef.
To setup TLS security on the docker socket, see these instructions. https://docs.docker.com/engine/security/https/
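As an added example (not part of the answer above, and not Docker's own tooling), the following POSIX shell function audits a dockerd command line the way a reviewer of the answer's advice would: it flags every -H / --host tcp:// listener that is not paired with --tlsverify, reports unix:// and fd:// sockets as local, and returns non-zero when a plaintext TCP listener is present. The paths under /etc/docker in the sample invocations are constructed placeholders; the flags (-H, --host, --tlsverify, --tlscacert, --tlscert, --tlskey) are real dockerd options, as documented on the TLS page the answer links to.

```shell
#!/bin/sh
# audit_dockerd_args: inspect dockerd arguments for unprotected TCP listeners.
# Prints one line per -H/--host listener, prefixed INSECURE, SECURE, LOCAL or
# UNKNOWN, and returns 1 if any tcp:// listener lacks --tlsverify.
audit_dockerd_args() {
    # First pass: is TLS client verification enabled at all?
    tls=0
    for a in "$@"; do
        case "$a" in
            --tlsverify|--tlsverify=true) tls=1 ;;
        esac
    done

    # Second pass: classify each listener address.
    rc=0
    prev=""
    for a in "$@"; do
        host=""
        case "$prev" in
            -H|--host) host="$a" ;;          # "-H tcp://..." form
        esac
        case "$a" in
            -H=*|--host=*) host="${a#*=}" ;; # "--host=tcp://..." form
        esac
        prev="$a"
        [ -n "$host" ] || continue
        case "$host" in
            tcp://*)
                if [ "$tls" -eq 1 ]; then
                    echo "SECURE $host"
                else
                    # A plaintext Docker API is equivalent to passwordless root
                    # for anyone who can reach the port.
                    echo "INSECURE $host"
                    rc=1
                fi
                ;;
            unix://*|fd://*) echo "LOCAL $host" ;;
            *) echo "UNKNOWN $host" ;;
        esac
    done
    return $rc
}

# Constructed sample invocations (not taken from any real host).
# Plaintext listener on 2375 alongside the local socket: flagged, exit 1.
audit_dockerd_args -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock || \
    echo "remediation: drop the tcp listener or move it to 2376 with --tlsverify"

# Hardened form on 2376 with mutual TLS: passes, exit 0.
audit_dockerd_args -H tcp://0.0.0.0:2376 --tlsverify \
    --tlscacert=/etc/docker/ca.pem \
    --tlscert=/etc/docker/server-cert.pem \
    --tlskey=/etc/docker/server-key.pem
```

The same check applies to /etc/docker/daemon.json, where the "hosts" array and the "tlsverify" key carry the equivalent settings; the function above only looks at command-line arguments, so a daemon configured purely through daemon.json needs the JSON inspected separately.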