Port reference
Port 2379 (TCP) – etcd Client API
Default client API port for etcd, the distributed key-value store behind Kubernetes.
Default state
etcd can be configured to listen on 0.0.0.0:2379 without client certificate authentication. Misconfigured clusters expose the entire key-value store, including every Kubernetes secret, to anyone who can reach the port.
Common attacks
- Unauthenticated reads that dump all Kubernetes secrets and cluster state
- Full cluster compromise by extracting service-account tokens and credentials
- Tampering with cluster state by writing arbitrary keys
- Information disclosure of configmaps, certificates, and topology
Hardening
- Bind to localhost or a private interface; never expose 2379 to the internet
- Require client and peer certificate authentication (mutual TLS)
- Enable RBAC and encryption-at-rest for etcd data
- Firewall 2379 to control-plane nodes and the Kubernetes API server (6443) only
- Keep etcd patched and audit access
nmap snippet
nmap -p2379 --script http-title <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 2379?
Port 2379 is the default client API port for etcd, the distributed key-value store that backs Kubernetes. The API server and other clients read and write cluster state over 2379, while peer traffic between etcd members uses 2380. etcd holds the authoritative copy of everything the cluster knows.
Why it matters for security
etcd stores all Kubernetes state, including every secret, service-account token, and certificate. If 2379 is reachable without client-certificate authentication, anyone who connects can read the entire store. That is effectively full cluster compromise: extracted tokens let an attacker take over the Kubernetes API server on 6443 and the workloads behind it.
How it's attacked
Attackers scan for open 2379 and issue unauthenticated reads to dump all keys, harvesting secrets and credentials. They can also write arbitrary keys to tamper with cluster state, inject configuration, or escalate privileges across the cluster.
Hardening checklist
Bind etcd to localhost or a private interface and keep 2379 off the public internet. Require mutual TLS with client and peer certificates, enable RBAC and encryption-at-rest, and firewall 2379 so only control-plane nodes and the API server (6443) can reach it. Patch regularly and audit access. Use the nmap snippet above to detect exposed instances on hosts you are authorized to test.
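The checklist above maps directly onto etcd's startup flags, so the quickest audit is to read the flags out of the static-pod manifest or unit file and test them. The script below is an added example (not code from the page or from the etcd project): it checks a flag string for the exposures listed in the Default state and Hardening sections. The flag names are real etcd flags; the IP addresses, member name and certificate paths in the two sample command lines are constructed for illustration (the paths follow the kubeadm layout, but any path works).

```sh
#!/bin/sh
# Added example, not part of the original page: audit an etcd command line
# (as copied from a static-pod manifest or systemd unit) for the exposures
# this page describes. Prints one line per finding; no output means all
# checks passed. Boolean flags are matched in both "--flag" and "--flag=true"
# form. The flag names are real etcd flags; the sample values are constructed.

audit_etcd_flags() {
    flags="$1"
    # One flag per line makes the remaining checks simple and exact.
    lines=$(printf '%s\n' "$flags" | tr ' ' '\n')

    # Value of --listen-client-urls (empty when absent; etcd then defaults to
    # http://localhost:2379).
    client_urls=$(printf '%s\n' "$lines" | sed -n 's/^--listen-client-urls=//p')

    case "$client_urls" in
        *0.0.0.0*|*'[::]'*)
            echo "FINDING: client API bound to all interfaces ($client_urls)" ;;
    esac
    case "$client_urls" in
        *http://*)
            echo "FINDING: client API served over plaintext HTTP ($client_urls)" ;;
    esac

    # Without --client-cert-auth, anything that can reach 2379 can read the store.
    printf '%s\n' "$lines" | grep -qxE -- '--client-cert-auth(=true)?' \
        || echo "FINDING: --client-cert-auth not set (no mutual TLS on 2379)"
    printf '%s\n' "$lines" | grep -q -- '^--trusted-ca-file=' \
        || echo "FINDING: --trusted-ca-file missing (no CA to verify client certificates)"
    # Peer traffic on 2380 needs the same protection.
    printf '%s\n' "$lines" | grep -qxE -- '--peer-client-cert-auth(=true)?' \
        || echo "FINDING: --peer-client-cert-auth not set (peer traffic on 2380 unauthenticated)"
    return 0
}

# Number of findings, for scripts and CI gates.
etcd_finding_count() {
    audit_etcd_flags "$1" | wc -l | tr -d ' '
}

# Constructed sample command lines (member name, IPs and paths are illustrative).
WEAK_ETCD_FLAGS='--name=etcd0 --data-dir=/var/lib/etcd
--listen-client-urls=http://0.0.0.0:2379
--advertise-client-urls=http://10.0.0.5:2379
--listen-peer-urls=http://0.0.0.0:2380'

HARDENED_ETCD_FLAGS='--name=etcd0 --data-dir=/var/lib/etcd
--listen-client-urls=https://127.0.0.1:2379,https://10.0.0.5:2379
--advertise-client-urls=https://10.0.0.5:2379
--cert-file=/etc/kubernetes/pki/etcd/server.crt
--key-file=/etc/kubernetes/pki/etcd/server.key
--client-cert-auth=true
--trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
--listen-peer-urls=https://10.0.0.5:2380
--peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
--peer-key-file=/etc/kubernetes/pki/etcd/peer.key
--peer-client-cert-auth=true
--peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt'

echo "== weak =="
audit_etcd_flags "$WEAK_ETCD_FLAGS"
echo "== hardened =="
audit_etcd_flags "$HARDENED_ETCD_FLAGS"
```

On a kubeadm cluster the flag string comes from the `command:` list in /etc/kubernetes/manifests/etcd.yaml; paste it into `audit_etcd_flags` and treat any FINDING line as a blocker. A binding check passing does not replace the firewall rule: even a TLS-only, client-cert-only listener should still be reachable only from control-plane nodes and the API server.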
Frequently asked questions
- Why is an exposed etcd port so dangerous?
- etcd stores all Kubernetes state, including every secret and service-account token. Unauthenticated read access to 2379 means full cluster compromise: an attacker can dump credentials and take over the Kubernetes API on 6443.
- How should etcd be protected?
- Bind to a private interface, require mutual TLS with client certificates, enable RBAC and encryption-at-rest, and firewall 2379 so only control-plane nodes and the API server can reach it.