Bamboo cloud agent's user account security questionable

When using the Bamboo cloud agent on Windows, you are instructed to have a Bamboo Windows user whose default password is known: Atlassian1.

It explicitly states that this user should be configured to be denied remote login.

However, it is still an active Windows user with quite a few privileges. Bamboo's server (cloud) interacts with the machine over a known port, 26224. Through this channel it sends all the build commands, gets the build status from the remote agent, etc.

What stops a hacker from scanning the Internet, finding hosts with port 26224 open and starting to talk to the Bamboo agent? How does the agent determine that it is talking to the legitimate Bamboo CI server?

I am asking this in order to be completely sure that there is no possible attack vector.

Bamboo's Security documentation states:

Please note the following security implications when enabling remote agents for Bamboo:

  • No encryption of data passed between server and agent — this includes data such as:

    • login credentials for version control repositories

    • build logs

    • build artifacts

  • No authentication of the agent or server — this could result in unauthorised actions being taken on your system, such as:

    • Unauthorised parties installing new remote agents — version control repository login credentials could be stolen.

    • Unauthorised parties masquerading as a Bamboo server — the unauthorised server could pass malicious code to the agent to run.

    • See Agent authentication for more information.

We strongly recommend that you do not enable remote agent installation on any Bamboo instance accessible from a public or untrusted network. Creating remote agents is disabled by default (see Disabling and enabling remote agents support).

For public-facing agents, Atlassian strongly recommends securing them with SSL. See Securing your remote agents, which includes this note:

This page applies to remote agents and not elastic agents. Elastic agents are secured automatically by the Bamboo server and no additional steps are required.

Regarding the elastic piece, their documentation on Elastic Bamboo Security states:

All traffic sent between the agents located in EC2 and the Bamboo server is tunnelled through an SSL-encrypted tunnel. The tunnel will be initiated from the Bamboo Server to the EC2 instance, which means that you don't need to allow any inbound connections to your server. You will need to permit outbound traffic from the server on the tunnel port, however - the default port number is 26224. On the EC2 instance, only the tunnel port needs to be open for inbound traffic.