Bamboo Cloud Agent User Account Security
When using cloud Bamboo agent in Windows, you have specified to be Bamboo
a Windows user with a known default password: Atlassian1
.
It clearly states that this user should be configured to refuse remote login.
But he is still an avid Windows user with an honest set of permissions. The bamboo server (cloud) communicates with the machine on the well-known port 26224. Through this channel it sends all build commands, receives build status from the remote agent, and so on.
What's stopping a hacker from scanning the Internet, finding a host with port 26224, and starting a conversation with a Bamboo agent? ... How the agent knows exactly what it is talking to a legitimate Bamboo CI server
I ask this to be completely sure there is no possible attack vector.
source to share
Safety documentation for bamboo states:
Please note the following security implications when enabling remote agents for Bamboo:
No encryption of data transmitted between the server and the agent - this includes data such as:
credentials for version control repositories
build logs
collecting artifacts
No agent or server authentication - this can lead to unauthorized actions being taken on your system, for example:
Unauthorized parties installing new remote agents - The credentials to log into the source control repository can be stolen.
Unauthorized parties masquerading as a Bamboo server - An unauthorized server can transmit malicious code to an agent to run.
- For more information, see. The agent authentication .
We strongly recommend that you do not enable remote agent installation on any Bamboo that is accessible from a public or untrusted network. Remote agent creation is to disable and enable remote agent support by default.
For public agents, Atlassian strongly recommends protecting them that run using SSL. See Securing Your Remote Agents for this note:
This page applies to remote agents, not elastic agents. Elastic agents are automatically secured by the Bamboo server and no additional steps are required.
In addition to Elastic Piece, their Elastic Bamboo Security documentation says:
All traffic sent between agents located in EC2 and the Bamboo server is tunneled through an SSL encrypted tunnel. The tunnel will be initiated from the Bamboo server to the EC2 instance, which means you don't need to allow incoming connections to your server. However, you need to allow outbound traffic from the server on the tunnel port β the default port number is 26224. On the EC2 instance, only the tunnel port should be open for inbound traffic.
source to share