How to remove public version information from Jenkins


VictoriaB

Apr 6, 2017, 3:52:42 AM
to Jenkins Developers


Is there any way to remove the version information displayed publicly on Jenkins? For security reasons we do not want to give version information to anyone not requiring it.

Robert Sandell

Apr 6, 2017, 5:12:22 AM
to jenkin...@googlegroups.com
The version displayed in the footer is just one of the information points available for identifying what version of Jenkins you are running; there are also HTTP headers and other behavioral indicators that can't really be obscured.


/B

On Thu, Apr 6, 2017 at 9:52 AM, VictoriaB <panda...@gmail.com> wrote:

> Is there any way to remove the version information displayed publicly on Jenkins? For security reasons we do not want to give version information to anyone not requiring it.




--
Robert Sandell
Software Engineer
CloudBees Inc.

Daniel Beck

Apr 6, 2017, 9:30:17 AM
to jenkin...@googlegroups.com

> On 06.04.2017, at 11:12, Robert Sandell <rsan...@cloudbees.com> wrote:
>
> https://en.wikipedia.org/wiki/Security_through_obscurity

Doing this can conceivably be part of a defense-in-depth strategy that tries to slow down a potential attacker by making information gathering as difficult as possible.

That said, Jenkins has any number of characteristics that help identify the version besides the version in the footer (e.g. X-Jenkins headers, or checksums of accessible JS and CSS files which can be compared to those in the public Git repo), and is fairly well known, so it shouldn't be difficult to write a tool to help identify at least an approximate version.

So, doing anything like this properly would be lots of work, and wouldn't accomplish a lot.

If you're this concerned about security, I recommend you set up reverse-proxy-based authentication and only allow access to any Jenkins URL (including otherwise unsecured ones) once a user has successfully authenticated.
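The reverse-proxy setup recommended above, as an added example that is not part of the thread or of the Jenkins project's own documentation. It puts nginx in front of Jenkins and requires HTTP basic authentication for every path before a request is forwarded, so the footer, the X-Jenkins header and the static JS/CSS files are only reachable by authenticated users. The listen address of Jenkins (127.0.0.1:8080), the server name, the certificate paths and the htpasswd file are all assumed placeholders:

```nginx
# Added example (not from the thread): nginx in front of Jenkins, gating
# every URL behind HTTP basic authentication before it reaches Jenkins.
# Assumptions: Jenkins listens on 127.0.0.1:8080; hostname, TLS files and
# the htpasswd file below are placeholders to replace with your own.
server {
    listen 443 ssl;
    server_name jenkins.example.internal;            # placeholder

    ssl_certificate     /etc/nginx/tls/jenkins.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/jenkins.key;  # placeholder path

    # Set at server level so it applies to every location, including URLs
    # that Jenkins itself serves without a login (login page, static
    # assets, /api, and so on).
    auth_basic           "Jenkins";
    auth_basic_user_file /etc/nginx/jenkins.htpasswd;  # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Optional: strip the version-bearing response header mentioned in
        # the thread. Authenticated users still see the version in the
        # footer, and other fingerprints remain, so this is cosmetic.
        proxy_hide_header X-Jenkins;
    }
}
```

The authentication directive sits in the `server` block rather than in `location /` so that no path can be reached unauthenticated; the proxy-side check is what hides the version from anonymous visitors, not the header stripping. Be aware that some clients detect Jenkins by the X-Jenkins header (the Jenkins CLI's connection check is one), so test your tooling before keeping `proxy_hide_header` in place.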
