Security doubts about the Bamboo cloud agent user account

Reposted. Author: 行者123. Updated: 2023-12-01 23:42:58
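When using a Bamboo cloud agent on Windows, you are instructed to have a Bamboo Windows user with a default, known password: Atlassian1

It explicitly states that this user should be configured to deny remote logins.

However, it is still an active Windows user with quite a few privileges. Bamboo's server (cloud) interacts with the machine on a known port, 26224. It sends all build commands through this channel, gets build status from the remote agent, and so on.

What prevents a hacker from scanning the Internet, finding hosts with port 26224 open, and starting to talk to the Bamboo agent? How does the agent make sure it is talking to the legitimate Bamboo CI server?

I am asking this to be fully confident that there is no possible attack vector.

Best answer

The Security documentation for Bamboo states: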

Please note the following security implications when enabling remote agents for Bamboo:

  • No encryption of data passed between server and agent — this includes data such as:

    • login credentials for version control repositories

    • build logs

    • build artifacts

  • No authentication of the agent or server — this could result in unauthorised actions being taken on your system, such as:

    • Unauthorised parties installing new remote agents — version control repository login credentials could be stolen.

    • Unauthorised parties masquerading as a Bamboo server — the unauthorised server could pass malicious code to the agent to run.

    • See Agent authentication for more information.

We strongly recommend that you do not enable remote agent installation on any Bamboo instance accessible from a public or untrusted network. Creating remote agents is Disabling and enabling remote agents support by default.

For public-facing agents, Atlassian strongly recommends securing them with SSL. See Securing your remote agents, which contains this note:

This page applies to remote agents and not elastic agents. Elastic agents are secured automatically by the Bamboo server and no additional steps are required.

As for the elastic piece, their documentation on Elastic Bamboo Security states:

All traffic sent between the agents located in EC2 and the Bamboo server is tunnelled through an SSL-encrypted tunnel. The tunnel will be initiated from the Bamboo Server to the EC2 instance, which means that you don't need to allow any inbound connections to your server. You will need to permit outbound traffic from the server on the tunnel port, however - the default port number is 26224. On the EC2 instance, only the tunnel port needs to be open for inbound traffic.
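The following is an added example, not part of the original answer or Atlassian's documentation. It audits inbound rules, in the shape returned by AWS `describe-security-groups`, for any source outside a trusted list that can reach the tunnel port 26224. The group IDs, the sample rules and the trusted address 203.0.113.10/32 (a documentation-range placeholder standing in for the Bamboo server's egress address) are constructed assumptions.

```python
import ipaddress

TUNNEL_PORT = 26224  # default tunnel port named in the quoted documentation

def covers_port(perm, port=TUNNEL_PORT):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules carry no port range at all
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def exposed_sources(groups, trusted_cidrs, port=TUNNEL_PORT):
    """Return (group_id, cidr) pairs that reach `port` from outside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                # A source is acceptable only if it lies wholly inside a trusted range.
                inside = any(net.version == t.version and net.subnet_of(t)
                             for t in trusted)
                if not inside:
                    findings.append((group["GroupId"], cidr))
    return findings

# Constructed sample data (hypothetical group IDs and rules).
SAMPLE = [
    {"GroupId": "sg-example-agent-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 26224, "ToPort": 26224,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-agent-b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 26224, "ToPort": 26224,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-agent-c", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, cidr in exposed_sources(SAMPLE, ["203.0.113.10/32"]):
        print(f"{gid}: port {TUNNEL_PORT} reachable from {cidr}")
```

The second group shows the case that is easy to miss: its port-specific rule is correctly scoped, but a separate all-protocol rule still exposes the tunnel port.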

Regarding security doubts about the Bamboo cloud agent user account, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/30430361/
