Security issue when allowing TeamCity Internet access (flooding the agent registry)

Answered

Is there any way to block new agents registering as 'Unauthorized' on the server by configuration?

The potential risk when enabling internet access to TeamCity is that an attacker could flood the 'Unauthorized' agent list by registering dummy agents with different names.

May I assume there isn't any authorization required before an agent client registers?


Thanks,

-Steven

3 comments

When an unauthorized agent connects to a TeamCity server, it will not be able to run any builds until it is assigned a unique Authorization Token. This token is automatically generated by the TeamCity server when the agent is authorized and is stored in the buildAgent.properties file for the build agent.

However, if I understand your concern correctly, you are more concerned that someone with malicious intent could continuously spam the Unauthorized Agent listing on the TeamCity server (potentially a DoS attack scenario?). Since TeamCity does not contain any built-in feature to prevent such an attack, it is important to implement some preventative measures when the TeamCity server is exposed to the internet or otherwise in a position to be a target of such an attack.

There are a few ways to go about preventing this from occurring, such as using a reverse proxy with a whitelist between the agent and server connection, adding a firewall in front of the TeamCity server, or adding an Access Control List to your router.

If your TeamCity server is in an environment where security is a concern, it would also be a good practice to secure the connection between the agent and server using HTTPS and to plan for regular updates to your TeamCity server to ensure you always have the latest bug fixes and security patches.

Please see our list of security notes in our documentation for other areas that you may want to pay attention to: https://www.jetbrains.com/help/teamcity/security-notes.html

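The reverse-proxy allowlist suggested above, written out as an added example (not code from the original thread or from JetBrains); it assumes nginx terminating HTTPS in front of a TeamCity server on 127.0.0.1:8111 (TeamCity's default port), and the agent networks, hostname and certificate paths are constructed placeholders.

```nginx
# Added example: nginx reverse proxy in front of TeamCity (assumed on 127.0.0.1:8111).
# Only allowlisted agent networks reach the server at all, so unknown hosts are
# refused before they can register as an 'Unauthorized' agent.
# 203.0.113.0/24 and 198.51.100.7 are constructed placeholder addresses.

# Per-source-IP connection and request budgets as a second line of defence,
# so even an allowlisted address cannot flood the server.
limit_conn_zone $binary_remote_addr zone=tc_conn:10m;
limit_req_zone  $binary_remote_addr zone=tc_req:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name teamcity.example.com;                 # placeholder hostname

    ssl_certificate     /etc/nginx/tls/teamcity.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/teamcity.key;

    # Allowlist of known build-agent networks. Agents and browser users share
    # the same host and port, so this also gates the web UI; widen it as needed.
    allow 203.0.113.0/24;
    allow 198.51.100.7;
    deny  all;

    location / {
        limit_conn tc_conn 20;                        # concurrent connections per IP
        limit_req  zone=tc_req burst=20 nodelay;      # requests per second per IP

        proxy_pass         http://127.0.0.1:8111;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # Agent and UI requests can be long-running; do not buffer or cut them short.
        proxy_buffering    off;
        proxy_read_timeout 1200s;
    }
}
```

Rejected connections show up in the nginx error log as 403 (allowlist) or 503 (rate limit) before they ever reach TeamCity, which gives a simple signal to alert on.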

Hi Eric,

That's correct, my concern is a DDoS-like attack.

With a setup that is open to the internet, it's hardly possible to whitelist the build server's IP address. May I assume the build agents use a standard RESTful API to communicate with the server? HTTPS will not help either against this kind of attack.

Unless there's a specific endpoint that can be blocked from registering new build agents.

The other way is to have a configuration that stops registering new build agents.


Thanks,

-Steven


There is currently no way to completely disable new agent connections within TeamCity; however, I've created a feature request for you here: https://youtrack.jetbrains.com/issue/TW-73005. We use our YouTrack site to determine which features are included in future releases. I would encourage you to take a look and vote/comment to show your interest.

Normally, the whitelist would contain the IP addresses of the build agents. This would allow only whitelisted IP addresses to reach the TeamCity server.

You're correct that HTTPS will not help with this type of attack, but it does help to protect the connection between the agent and server. This is highly recommended when the connection between the agent and server is over the internet and usually in many other cases as well.

We cover the agent communication protocols in our documentation here: https://www.jetbrains.com/help/teamcity/setting-up-and-running-additional-build-agents.html#Agent-Server+Data+Transfers.
