- You would like to disable Jenkins CLI to prevent remote access with it
- CloudBees Jenkins Enterprise
- CloudBees Jenkins Operations Center
Jenkins doesn’t provide an option to disable CLI. You have to disable that by:
- limiting accesses to the TCP port for CLI
- filtering out accesses to
CLI is accessed via “TCP port for JNLP slave agents”. It is defined randomly by default. You can bind that to a specific port in Global Security configuration, let’s say 20000. You can then disable the CLI by dropping accesses to that port:
iptables -A INPUT -p tcp --dport 20000 -j REJECT --reject-with icmp-port-unreachable
Be-aware that blocking accesses to that port prevents connections to Operations Center and JNLP slaves. You may want to tweak this rule to allow accesses from specific hosts.
Blocking JNLP port is not enough thought, as Jenkins CLI falls back to HTTP transport in that case. You also need to filter out HTTP request to
http://JENKINS/cli URL. This can be done with CloudBees Request Filter plugin.