Exposing administration services increases the attack surface of a container deployment. Administration services like SSH, VNC, or RDP may contain vulnerabilities, hard-coded credentials, or other security weaknesses. Modern container technologies provide built-in management capabilities that make running dedicated administration services inside containers unnecessary.
Docker provides built-in tools such as docker exec and docker cp for accessing and managing running containers, making SSH and similar services unnecessary.
Even when an administration service port is not forwarded to the host, it is by default reachable from other containers on the same network. A malicious actor who compromises one container can exploit exposed administration services to pivot to other containers across the deployment.
When an administration service port is forwarded to the host system or exposed through an external load balancer, it becomes reachable from outside the container environment. An attacker can exploit vulnerabilities or weak credentials in services such as SSH to gain direct access to the container or the underlying host system.
Do not start any administration service in the container. If you need to access logs or execute commands in a running container, use docker exec or docker cp from the host instead. Note that simply removing the EXPOSE instruction is not sufficient: the port remains open and the service remains accessible from other containers on the same Docker network.
The following example uses EXPOSE 22, indicating that an SSH administration service is running inside the container.
FROM example-image
EXPOSE 22 # Noncompliant
CMD ["/usr/sbin/sshd", "-f", "/etc/ssh/sshd_config", "-D"]
Compliant solution: the image does not start any administration service, so there is no administration port to expose.

FROM example-image
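As an added example (not part of the rule text or of any Sonar analyzer), the following POSIX shell function lints a Dockerfile for both patterns the rule describes: EXPOSE of a well-known administration port, and a CMD, ENTRYPOINT or RUN instruction that launches an administration daemon even when no port is exposed. The port list and daemon names are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: flag Dockerfiles that expose or start administration services.
# Port and daemon lists are assumptions for this example, not an exhaustive catalogue.
ADMIN_PORTS="22 5900 5901 3389"                    # SSH, VNC, RDP
ADMIN_DAEMONS="sshd|dropbear|vncserver|Xvnc|x11vnc|xrdp"

# check_dockerfile FILE
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
check_dockerfile() {
    file=$1
    findings=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Drop trailing comments so markers such as "# Noncompliant" are ignored.
        stripped=${line%%#*}
        case "$stripped" in
            [Ee][Xx][Pp][Oo][Ss][Ee]*)
                # Each token after EXPOSE is a port, possibly written as 22/tcp or 22-23.
                for tok in ${stripped#* }; do
                    port=${tok%%/*}
                    port=${port%%-*}
                    for admin in $ADMIN_PORTS; do
                        if [ "$port" = "$admin" ]; then
                            echo "$file:$lineno: EXPOSE of administration port $port"
                            findings=$((findings + 1))
                        fi
                    done
                done
                ;;
            [Cc][Mm][Dd]*|[Ee][Nn][Tt][Rr][Yy][Pp][Oo][Ii][Nn][Tt]*|[Rr][Uu][Nn]*)
                # Match the daemon name as a whole word, so "sshd_config" alone does not trigger.
                if printf '%s\n' "$stripped" | \
                   grep -Eq "(^|[^A-Za-z0-9_])($ADMIN_DAEMONS)([^A-Za-z0-9_]|\$)"; then
                    echo "$file:$lineno: instruction starts an administration daemon"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}
```

The third case in the check (a daemon started with no EXPOSE at all) is the one the rule warns about when it says that removing EXPOSE is not sufficient.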