5 tips for avoiding exposure of Jenkins servers to the internet
If your DevOps team is running Jenkins servers in their cloud or on-prem environments, there are several simple steps that you can take:
- Disable self-registration
- A second best practice is to use SSO authentication rather than basic authentication
- When connecting remotely, only allow access to the server via VPN
- Use zero executors on master to prevent attackers from stealing sensitive information
- Don’t forget to disable the auto-discovery protocol if you do not use it. This will prevent attackers that managed to enter the network from finding the server.
In conclusion, continuous integration tools are connected to the company’s code base and repositories and therefore, can become a weak point in the company’s attack surface and a lucrative target for attackers. While in this blog post we focus on Jenkins, it is important to note that similar misconfigurations are common across many continuous integration tools (e.g. TeamCity, GitLab CI, Bamboo and others).
No matter which tool your team is using, the above mentioned tips are a good starting point for improving the cybersecurity hygiene of every development and DevOps teams.