Is it secure to expose port 9001 directly to the public internet?

[itning]

Ask a Question!

docker run -d \
  -p 9001:9001 \
  --name portainer_agent \
  --restart=always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /var/lib/docker/volumes:/var/lib/docker/volumes \
  -v /:/host \
  portainer/agent:2.31.3

We deployed the agent using the following command, where port 9001 is open and accessible to anyone. Can any machine connect to the agent?

[itning]

If it is not secure, do we support a more secure method? For example, using a token?

[Nick-Portainer]

Hi @itning, the short answer is no but it can be more complex than this. Here is a blog post our CEO Neil created around this - https://www.portainer.io/blog/should-you-expose-portainer-or-agent-to-the-internet It's worth a read.

The standard Agent is designed for use WITHIN YOUR LAN/WAN, and the Edge Agent is designed to manage container environments connected to the public internet. If you are using our standard agent, and you have exposed it to the internet (by publishing port 9001 publically), then might we suggest that you rethink this strategy. If nothing else, you should have a firewall ACL in place that only allows access to port 9001 from trusted IPs (namely, the public IP of your Portainer instance). If you have 9001 exposed to the internet without any form of protection, you need to reconsider.

The Edge agent does not require ANY inbound ports, as it connects back to Portainer over the internet using a secure tunnel.. This is why its recommended whenever you have container environments remote that you need to connect to over the internet.