Rancher opens a port to the world when adding an EC2 host

I noticed Rancher opened a security group port, something like 236x. I read that it is a Docker port. It is open to the world. Once my node is up and running, can I delete that rule? I don’t know what someone could do with that port being open to the world.


Is this with rancher 2.0 or 1.6?

22/tcp (SSH) and 2376/tcp (TLS Docker remote API) are (unconditionally) opened by docker-machine to connect to the node and install docker, and then to check that it’s up.

On its own, you can’t do anything with it. With the corresponding client certificate (from the “Download machine config” or “Download Keys” action on the host/node) you can point a remote Docker client (like the CLI on your workstation) at it and do anything Docker can do (i.e. root on the instance).

You can remove it after the node is up, but every node add is going to re-add it… We don’t actually need the port at all but haven’t removed enough of the other logic in machine to not need it open on create.
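Since every node add re-creates the rule, a periodic audit of the security group is more reliable than deleting it by hand once. The following is an added example, not code from Rancher or docker-machine: it walks the `describe_security_groups` response shape and flags 22/tcp and 2376/tcp wherever they are reachable from `0.0.0.0/0` or `::/0`. The group id, group name and CIDRs in `SAMPLE_GROUPS` are constructed sample data; the live fetch at the bottom assumes `boto3` is installed and AWS credentials are configured.

```python
"""Audit EC2 security groups for the ports docker-machine opens to the world."""
from ipaddress import ip_network

# Ports the thread above says docker-machine opens unconditionally on node create.
WATCHED_PORTS = {22: "SSH", 2376: "Docker TLS remote API"}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (prefix length zero), False for any narrower range."""
    return ip_network(cidr, strict=False).prefixlen == 0


def find_world_open_rules(security_groups):
    """Return (group_id, port, service, cidr) for each watched port exposed to the world.

    `security_groups` is the "SecurityGroups" list from ec2.describe_security_groups().
    Protocol "-1" (all traffic) has no FromPort/ToPort, so it is treated as 0-65535.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "-1"):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port, service in WATCHED_PORTS.items():
                if lo <= port <= hi:
                    for cidr in cidrs:
                        if is_world_open(cidr):
                            findings.append((sg["GroupId"], port, service, cidr))
    return findings


# Constructed sample: one group with 22 and 2376 open to the world (plus a
# narrower office range on 2376 and an unrelated rule on 80 that must not fire).
SAMPLE_GROUPS = [{
    "GroupId": "sg-0123456789abcdef0", "GroupName": "rancher-nodes",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 2376, "ToPort": 2376,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}]

if __name__ == "__main__":
    try:  # Assumption: boto3 and AWS credentials are available for a live run.
        import boto3
        groups = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    except Exception:  # fall back to the constructed sample when offline
        groups = SAMPLE_GROUPS
    for gid, port, service, cidr in find_world_open_rules(groups):
        print(f"{gid}: {port}/tcp ({service}) open to {cidr}")
```

Feeding the findings into a scheduled job (or an AWS Config rule) catches the rule being re-added on the next node create, rather than relying on a one-off deletion.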