Port reference
Port 2375 (TCP) – Docker Engine API (unencrypted)
Docker remote API over plain HTTP — unauthenticated control of the Docker daemon, equivalent to root on the host.
Default state
Not open by default. Becomes exposed only when an admin enables the TCP socket (-H tcp://0.0.0.0:2375) without TLS — a dangerous misconfiguration.
Common attacks
- Unauthenticated remote code execution as root on the host
- Container escape via privileged containers / host filesystem mounts
- Cryptomining deployment using the exposed daemon
- Lateral movement and persistence across the container fleet
Hardening
- Never expose 2375 — it has no authentication or encryption
- Use the local Unix socket (/var/run/docker.sock) instead of a TCP socket
- If remote access is required, use 2376 with mutual TLS (tlsverify)
- Bind only to localhost and front with an authenticated, audited proxy if needed
- Restrict by firewall/security group and keep Docker patched (e.g. CVE-2019-5736 runc)
nmap snippet
nmap -p2375 --script docker-version,http-title <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 2375?
Port 2375 exposes the Docker Engine remote API over plain HTTP. The API lets clients fully control the Docker daemon — create, start, and stop containers, mount host paths, and run arbitrary commands inside them. Crucially, on 2375 there is no authentication and no encryption. The intended secure variant, port 2376, wraps the same API in mutual TLS.
Why it matters for security
The Docker daemon runs as root, and the API can mount the host filesystem and launch privileged containers. So anyone who can reach an open 2375 effectively has root-equivalent remote code execution on the host — they can read every secret, escape to the host, and pivot across the fleet. This is one of the most dangerous exposures on the internet and is routinely mass-scanned by cryptomining botnets that deploy miners within seconds of finding an open daemon.
How it's attacked
Scanners hit 2375 and confirm it with the nmap docker-version script or a simple /version HTTP request. Once found, the attacker uses the API to run a privileged container that mounts the host root (/), drops a payload, and gains host root — then deploys cryptominers, steals credentials, or moves laterally. Container-breakout bugs like the runc flaw CVE-2019-5736 can compound the impact.
Hardening checklist
Never expose 2375. Prefer the local Unix socket (/var/run/docker.sock) over any TCP socket. If you genuinely need remote management, use 2376 with mutual TLS (--tlsverify), or bind to localhost behind an authenticated, audited reverse proxy. Lock the port down with firewall and security-group rules, run rootless Docker where feasible, and keep Docker and runc patched. Use the nmap snippet above to detect exposed daemons on systems you are authorized to assess.
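An inventory audit in the spirit of the nmap snippet, added here as an example (not code from the original page): it sends the unauthenticated GET /version request described above to hosts you administer and classifies the reply. The host list, the timeout, and the heuristic that a TLS-only 2376 listener answers a plaintext request with HTTP 400 "HTTPS server" are assumptions.

```python
"""Audit hosts you administer for a plaintext Docker Engine API on 2375.
Added example, not code from the page: it sends the unauthenticated GET /version
the page describes and classifies the reply."""
import http.client
import json


def classify_version_reply(status: int, body: bytes) -> dict:
    """Classify an HTTP reply to GET /version; pure so it can be tested offline."""
    if status == 200:
        try:
            info = json.loads(body.decode("utf-8", errors="replace"))
        except ValueError:
            return {"exposed": False, "detail": "HTTP 200 with a non-JSON body"}
        if isinstance(info, dict) and "ApiVersion" in info:
            # A /version document on a plaintext, unauthenticated request means
            # anyone reaching the port has root-equivalent control of the host.
            return {"exposed": True,
                    "detail": f"Docker {info.get('Version', '?')} (API {info['ApiVersion']}) "
                              "answers unauthenticated plaintext requests"}
        return {"exposed": False, "detail": "HTTP 200 without an ApiVersion field"}
    if status == 400 and b"HTTPS server" in body:
        # Assumption: Go's net/http answers a plaintext request to a TLS listener
        # this way, which is what a correctly configured 2376 daemon looks like.
        return {"exposed": False, "detail": "listener requires TLS"}
    return {"exposed": False, "detail": f"unexpected HTTP {status}"}


def probe_docker_api(host: str, port: int = 2375, timeout: float = 3.0) -> dict:
    """GET /version with no credentials and report whether the daemon answered."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        result = classify_version_reply(resp.status, resp.read())
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        # Refused, filtered or timed out: the expected state, since 2375 is closed by default.
        result = {"exposed": False, "detail": f"no plaintext API reachable ({type(exc).__name__})"}
    return {"host": host, "port": port, **result}


if __name__ == "__main__":
    # Assumed inventory; replace with hosts you are authorized to assess.
    for h in ("docker-host-1.internal.example", "127.0.0.1"):
        r = probe_docker_api(h)
        print(f"{r['host']}:{r['port']} exposed={r['exposed']} ({r['detail']})")
```

Any host reported as exposed should be pulled off the network path immediately and reconfigured per the checklist above (Unix socket, or 2376 with --tlsverify).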
Frequently asked questions
- Why is port 2375 so dangerous?
- The Docker API on 2375 has no authentication or encryption. Anyone who reaches it can launch a privileged container and gain root-equivalent control of the host — full remote code execution.
- What is the difference between port 2375 and 2376?
- 2375 is the plaintext, unauthenticated Docker API and should never be exposed. 2376 is the TLS-secured variant using mutual certificate authentication for remote access.