Port 2375: What's Using It and Is It Safe to Close?

Port 2375 is the Docker daemon’s remote API over unencrypted HTTP. It exists so other machines can control Docker, but because it has no encryption or authentication, an open 2375 is one of the more dangerous things you can have listening.

What typically listens on port 2375

• Docker daemon (remote API): Explicitly enabling the TCP socket on 2375 exposes the daemon.
• CI and tooling misconfigurations: Some setups open 2375 for convenience, often without realizing the risk.

On a Mac, Docker Desktop normally talks to the daemon over a local Unix socket, not 2375, so this port is usually closed unless something turned it on. The encrypted, authenticated equivalent is 2376.

Is it safe to close?

Yes, and you generally should. macOS and Docker Desktop don’t need 2375 for normal use. If it’s listening, a configuration explicitly enabled it. Disable the TCP socket in your Docker daemon settings to close it.

Is it suspicious?

This is a port where an unexpected listener is a genuine red flag. An open, unauthenticated 2375 gives anyone who can reach it full control of Docker, which is effectively root on the machine. It has been widely abused to deploy cryptominers and malware. If you see 2375 listening and didn’t deliberately set it up, treat it as urgent: identify the source and close it.

How to find what’s on port 2375 on macOS

lsof -i :2375

To check whether it’s reachable from outside, scan the host’s network address with a port scanner.

Portie shows port 2375 with its owning process locally, and its remote scanner can check whether a host is exposing the Docker API where it shouldn’t.