Port reference

Port 2376 (TCP) – Docker Engine API (TLS)

Docker Engine remote API over TLS — controls containers, images, and volumes on a Docker host.

Protocol: TCP · Port class: Registered · Commonly attacked

Default state

Open when the Docker daemon is configured for TLS remote access; the secured counterpart of plaintext 2375.

Common attacks

  • Abuse of misconfigured TLS without client-certificate auth
  • Container escape to host via privileged/bind-mount runs
  • Image and secret theft through the remote API
  • Cryptojacking by launching attacker containers

Hardening

  • Require mutual TLS (verify client certificates, tlsverify)
  • Never expose the Docker API to the internet
  • Restrict access to trusted management hosts and IPs
  • Rotate and protect CA/server/client certificates
  • Prefer SSH or a socket proxy over a raw TCP API

nmap snippet

nmap -p2376 --script ssl-cert <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 2376?

Port 2376 is the TLS-secured Docker Engine remote API. It is the encrypted counterpart of plaintext 2375 and lets a remote client (the docker CLI, CI systems, orchestration tools) manage containers, images, volumes, and networks on a Docker host. Properly configured, it requires mutual TLS so only clients holding a valid certificate can issue commands.

Why it matters for security

The Docker API is root-equivalent on the host. Any client that can reach it can launch a privileged container that bind-mounts / and read or write the host filesystem as root — a direct path to host RCE. The TLS on 2376 only helps if client-certificate verification (--tlsverify) is actually enforced; a misconfigured daemon that skips client auth is just as exposed as plaintext 2375.

How it's attacked

Attackers scan for the API and check whether client certs are enforced. Where auth is missing or TLS is misconfigured, they call the API to run a privileged container that mounts the host and escapes to root, steal images and secrets, or deploy cryptojacking workloads.

Hardening checklist

Require mutual TLS with --tlsverify so client certificates are validated, and never expose the API to the internet. Restrict access to trusted management hosts by IP, rotate and protect the CA, server, and client certificates, and prefer the SSH transport or a hardened socket proxy over a raw TCP API. Use the nmap snippet above to inspect the TLS certificate on hosts you are authorized to test.
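The hardening list and checklist above boil down to a handful of dockerd settings (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) that can be audited from daemon.json. The following checker is an added example written for this page, not code from the Docker project or the page author; the two embedded daemon.json fragments are constructed samples, and the file paths in them are assumptions. It flags the misconfiguration the page describes (a TLS listener that never validates client certificates), a listener bound to every interface, and a remote API with no TLS at all.

```python
import json

# Constructed sample: TLS is on, but tlsverify is absent, so the daemon
# presents a server cert and still accepts any client (assumed paths).
WEAK_CONFIG = """{
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tls": true,
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed sample: mutual TLS, explicit CA, bound to a management address.
HARDENED_CONFIG = """{
  "hosts": ["tcp://10.0.0.5:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

WILDCARD_BINDS = ("", "0.0.0.0", "[::]", "::")


def audit_daemon_config(text):
    """Return a list of findings for a daemon.json document; empty means OK."""
    cfg = json.loads(text)
    findings = []

    # Only tcp:// listeners expose the API remotely; unix:// sockets are local.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings

    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        bind, _, port = addr.rpartition(":")
        if bind in WILDCARD_BINDS:
            findings.append(
                f"{host}: API bound to all interfaces; bind to a management "
                "address and firewall it to trusted hosts")
        if port == "2375" and cfg.get("tls") is not True and cfg.get("tlsverify") is not True:
            findings.append(f"{host}: plaintext, unauthenticated API listener")

    tls_on = cfg.get("tls") is True or cfg.get("tlsverify") is True
    if not tls_on:
        findings.append("remote API without TLS: anyone who can reach the "
                        "port has root-equivalent control of the host")
        return findings

    if cfg.get("tlsverify") is not True:
        # This is the page's 'TLS without client-certificate auth' case.
        findings.append("tlsverify not set: server encrypts traffic but never "
                        "validates client certificates (same exposure as 2375)")
    elif "tlscacert" not in cfg:
        findings.append("tlsverify set but tlscacert not given: make the CA "
                        "used to validate client certificates explicit")

    for key in ("tlscert", "tlskey"):
        if key not in cfg:
            findings.append(f"{key} missing: the daemon has no server "
                            "certificate material to present")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_daemon_config(doc) or ['no findings']}")
```

Run it against /etc/docker/daemon.json on a host you administer by reading the file into audit_daemon_config; a clean result still requires the network-level controls in the checklist, since this only inspects the daemon's own configuration.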

Frequently asked questions

How is port 2376 different from 2375?
2375 is the plaintext, unauthenticated Docker API — extremely dangerous if exposed. 2376 is the TLS port and is meant to require client-certificate authentication, but only if tlsverify is configured.
Why does an exposed Docker API mean host compromise?
The API can launch a privileged container that bind-mounts the host filesystem, giving root on the host. Anyone who can call the API effectively owns the machine.