How do I disable Jenkins CLI

Issue

  • You would like to disable Jenkins CLI to prevent remote access with it

Environment

  • CloudBees Jenkins Enterprise
  • CloudBees Jenkins Operations Center

Resolution

Jenkins doesn’t provide an option to disable CLI. You have to disable that by:

  • limiting accesses to the TCP port for CLI
  • filtering out accesses to http://JENKINS/cli URL

CLI is accessed via “TCP port for JNLP slave agents”. It is defined randomly by default. You can bind that to a specific port in Global Security configuration, let’s say 20000. You can then disable the CLI by dropping accesses to that port:

iptables -A INPUT -p tcp --dport 20000 -j REJECT --reject-with icmp-port-unreachable

Be-aware that blocking accesses to that port prevents connections to Operations Center and JNLP slaves. You may want to tweak this rule to allow accesses from specific hosts.

Blocking JNLP port is not enough thought, as Jenkins CLI falls back to HTTP transport in that case. You also need to filter out HTTP request to http://JENKINS/cli URL. This can be done with CloudBees Request Filter plugin.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.