Docker Swarm Join Token
Service Name: Docker Swarm
Service Description: Docker Swarm is Docker's native clustering and orchestration solution that turns a group of Docker hosts into a single virtual host, allowing containers to be deployed across multiple machines.
Service Address: https://docs.docker.com/engine/swarm/
Validation Type: -
IP Allow list: IP restrictions can be configured at the Docker daemon level using TLS certificates and firewall rules.
Secret Access Scope: Grants the ability to join a node to an existing Docker Swarm cluster as either a manager or worker node.
Secret Revokement URL: Does not exist (tokens can be rotated using dockerswarmjoin-token--rotate)
Secret Example: SWMTKN-1- 49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv- 8vxv8rssmk743ojnwacrr2e7c
Suspicious Activity Investigation Instructions:
- Check Docker Swarm manager nodes for unauthorized node joins
- Review Docker logs for suspicious join attempts
- Monitor network traffic to swarm management ports (2377/tcp)
- Verify the list of nodes in the swarm using docker node ls command
- Examine audit logs for unexpected container deployments across the swarm
Mitigation Instructions:
- Rotate the compromised join token immediately using
docker swarm join-token --rotate [worker|manager] - Remove any unauthorized nodes from the swarm using
docker node rm [NODE_ID] - Implement proper network segmentation and firewall rules to restrict access to swarm ports
- Configure TLS authentication for Docker daemon communications
- Consider implementing additional authentication mechanisms like client certificates
- Review and update Docker daemon configuration to enhance security
- Implement regular token rotation as part of security practices