
Docker API Honeypot

Detect unauthorized access attempts targeting Docker daemon APIs.

Default Port: 2375
Protocol: HTTP
Detection: Token

About Docker API

The Docker daemon API allows remote management of containers, images, and volumes. An exposed Docker API is one of the most critical security vulnerabilities, as it can give attackers full control over the host system through container escape techniques. Attackers actively scan for exposed Docker APIs to deploy cryptominers and backdoors.

What Gets Captured

When an attacker attempts to connect using your Docker API honeypot credentials, Tripwires captures:

  • Request path - The API endpoint accessed (contains the detection token)
  • Source IP - The attacker's IP address
  • Timestamp - Exact time of the request
  • User-Agent - The HTTP client identification
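
An added example (not Tripwires' own code) that turns those four captured fields into a per-source triage summary, separating enumeration from state-changing requests. It assumes the listener writes Combined Log Format lines; the sample lines, IPs and client versions are constructed, and the detection token is not modelled because its format is not given here.

```python
import re
from datetime import datetime

# Constructed sample lines (Combined Log Format assumed; IPs from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:08:15:02 +0000] "HEAD /_ping HTTP/1.1" 200 0 "-" "Docker-Client/24.0.5 (linux)"
203.0.113.7 - - [12/Mar/2024:08:15:02 +0000] "GET /v1.41/containers/json HTTP/1.1" 200 3 "-" "Docker-Client/24.0.5 (linux)"
198.51.100.23 - - [12/Mar/2024:09:40:11 +0000] "GET /v1.41/containers/json HTTP/1.1" 200 3 "-" "curl/8.4.0"
198.51.100.23 - - [12/Mar/2024:09:40:19 +0000] "POST /v1.41/containers/create HTTP/1.1" 201 88 "-" "curl/8.4.0"
"""

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
VERSION_RE = re.compile(r"^/v(\d+\.\d+)(/.*)$")  # Docker API paths carry a /vX.Y prefix
WRITE_METHODS = {"POST", "PUT", "DELETE"}  # state-changing on a real daemon

def parse_hit(line):
    """Return the four captured fields plus API version and endpoint, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    v = VERSION_RE.match(path)
    return {
        "source_ip": m["ip"],
        "timestamp": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "request_path": m["path"],
        "user_agent": m["ua"],
        "api_version": v.group(1) if v else None,
        "endpoint": v.group(2) if v else path,
        "state_changing": m["method"] in WRITE_METHODS,
    }

def summarize(log_text):
    """Group hits per source IP: first seen, clients, endpoints, and write attempts."""
    out = {}
    for hit in filter(None, map(parse_hit, log_text.splitlines())):
        s = out.setdefault(hit["source_ip"], {"first_seen": hit["timestamp"],
                           "user_agents": set(), "endpoints": [], "write_attempt": False})
        s["first_seen"] = min(s["first_seen"], hit["timestamp"])
        s["user_agents"].add(hit["user_agent"])
        s["endpoints"].append(hit["endpoint"])
        s["write_attempt"] |= hit["state_changing"]
    return out

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["first_seen"].isoformat(), sorted(s["user_agents"]), s["endpoints"], s["write_attempt"])
```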

Connection Formats

Docker API endpoints can be planted in various formats depending on your tech stack:

Docker CLI

docker -H tcp://docker-xxx.gettripwires.com:2375 ps

curl

curl http://docker-xxx.gettripwires.com:2375/v1.41/containers/json

Docker Compose (DOCKER_HOST)

export DOCKER_HOST=tcp://docker-xxx.gettripwires.com:2375
docker-compose up -d

Python (docker SDK)

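import docker

# Point the SDK client at the planted endpoint (plain TCP on port 2375)
client = docker.DockerClient(base_url='tcp://docker-xxx.gettripwires.com:2375')
# Any API call, such as listing containers, sends a request to the honeypot
client.containers.list()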

Strategic Placement Ideas

CI/CD Pipeline Configs

Leave it as the 'build server' Docker host in CI/CD configuration files.

Container Registry Docs

Add it as a 'staging registry' endpoint in container deployment documentation.

Infrastructure Scripts

Include it as a 'container orchestration' endpoint in deployment scripts.