@alexbilbie
Forked from skl/jenkins.md
Created August 13, 2013 14:36
Creating a new Jenkins Server

First step, make sure java -version reports 1.6 or higher. If the command fails or the version isn't high enough, download the latest version of the Java JDK from Oracle (http://www.oracle.com/technetwork/java/javase/downloads/index.html) (jdk-7u25-linux-x64.tar.gz at the time of writing) - a quick uname -m will tell you whether you need the 32- or 64-bit version. Installation instructions are available here (http://docs.oracle.com/javase/7/docs/webnotes/install/linux/linux-jdk.html#install-64).

My preference is to extract these to /usr/local and then ln -s /usr/local/jdk1.7.0_25 /usr/local/jdk.

Add /usr/local/jdk/bin to your $PATH.

Download the latest Jenkins WAR file (1.519 at the time of writing) from http://mirrors.jenkins-ci.org/war/latest/.

Create the jenkins home directory:

# Assumes the "jenkins" user and the "linux_developers" group already exist;
# create them first, otherwise the chown calls below fail.
mkdir /var/jenkins
# /home/jenkins is only a convenience symlink; the real home is /var/jenkins.
ln -s /var/jenkins /home/jenkins
chown jenkins:linux_developers /var/jenkins
# Ownership is set on the WAR before moving it so it ends up owned by the
# service user rather than by whoever downloaded it.
chown jenkins:linux_developers jenkins.war
mv jenkins.war /var/jenkins

Jenkins init script:

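#!/bin/bash
#
# /etc/init.d/jenkins -- start/stop the Jenkins CI server that runs from
# /var/jenkins/jenkins.war as the "jenkins" user.
#
# Usage: service jenkins <start|stop|status|restart>
#
### BEGIN INIT INFO
# Provides:          jenkins
# Required-Start:    $remote_fs $network
# Required-Stop:     $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts jenkins
# Description:       An extendable open source continuous integration server
### END INIT INFO
# NB: the END marker above must start the line ("### END INIT INFO"); the
# earlier "# ### END INIT INFO" form is not recognised by insserv/update-rc.d.

# Deliberately no `set -e`: an init script should report a failed step
# (e.g. a kill on a process that just exited) rather than abort mid-action.
set -u

readonly JAVA=/usr/local/jdk/bin/java
readonly JENKINS_USER=jenkins
readonly JENKINS_WAR=/var/jenkins/jenkins.war
readonly JENKINS_LOG=/var/jenkins/jenkins.log
readonly HTTP_PORT=8080
readonly STOP_TIMEOUT=30   # seconds to wait for a clean shutdown before SIGKILL

#######################################
# Print the PID(s) of the running Jenkins JVM, one per line.
# Only processes owned by $JENKINS_USER whose command line starts with the
# exact java invocation used by start() are matched, so an unrelated process
# that merely mentions "jenkins.war" (a grep, an editor, a backup job) can
# never be killed by "stop" -- the old `ps -ef | grep jenkins.war` could.
# Outputs: PIDs on stdout
# Returns: 0 if at least one process matched, non-zero otherwise (pgrep)
#######################################
jenkins_pids() {
  pgrep -u "$JENKINS_USER" -f -- "^${JAVA} -jar ${JENKINS_WAR} " 2>/dev/null
}

#######################################
# Join an array of PIDs into a comma-separated list (for `ps -p`).
# Arguments: PIDs
# Outputs:   comma-joined list on stdout
#######################################
join_pids() {
  local IFS=,
  printf '%s' "$*"
}

#######################################
# Start Jenkins unless it is already running.
# Returns: 0 when started or already running
#######################################
start() {
  local running
  running=$(jenkins_pids)
  if [ -n "$running" ]; then
    echo "Jenkins is already running (pid ${running//$'\n'/ })."
    return 0
  fi
  printf 'Starting Jenkins... '
  # stdout and stderr both go to the log (the original discarded stderr,
  # which hid JVM start-up errors); append so a restart keeps the old log.
  su "$JENKINS_USER" -c "nohup $JAVA -jar $JENKINS_WAR --httpPort=$HTTP_PORT >> $JENKINS_LOG 2>&1 &"
  echo "Done."
}

#######################################
# Stop Jenkins: SIGTERM, wait up to STOP_TIMEOUT seconds, then SIGKILL.
# Returns: 0 on success, 1 if no process was found or could not be signalled
#######################################
stop() {
  local -a pids
  local waited=0
  mapfile -t pids < <(jenkins_pids)
  printf 'Stopping Jenkins... '
  if [ "${#pids[@]}" -eq 0 ]; then
    echo "Could not find process ID!"
    return 1
  fi
  # The original reported "Could not find process ID!" when kill itself
  # failed; distinguish the two cases so the message is not misleading.
  if ! kill -- "${pids[@]}"; then
    echo "Failed to signal pid(s) ${pids[*]}!"
    return 1
  fi
  # Wait for the JVM to exit so that "restart" does not launch a second
  # instance while the first is still shutting down.
  while [ -n "$(jenkins_pids)" ] && [ "$waited" -lt "$STOP_TIMEOUT" ]; do
    sleep 1
    waited=$((waited + 1))
  done
  if [ -n "$(jenkins_pids)" ]; then
    echo "still running after ${STOP_TIMEOUT}s, sending SIGKILL."
    kill -KILL -- "${pids[@]}"
  else
    echo "Done."
  fi
}

#######################################
# Show the Jenkins process, or report that it is not running.
# Returns: 0 if running, 3 (LSB "program is not running") otherwise
#######################################
status() {
  local -a pids
  mapfile -t pids < <(jenkins_pids)
  if [ "${#pids[@]}" -eq 0 ]; then
    echo "Jenkins is not running."
    return 3
  fi
  ps -f -p "$(join_pids "${pids[@]}")"
}

#######################################
# Print usage to stderr.
# Returns: 2 (LSB "invalid or excess arguments")
#######################################
usage() {
  echo "Usage: service jenkins <start|stop|status|restart>" >&2
  return 2
}

#######################################
# Dispatch on the action verb.
# Arguments: $1 - start|stop|restart|status
# Returns:   status of the chosen action
#######################################
main() {
  case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    # Functions are called directly instead of re-executing "$0", and stop()
    # now waits for the JVM to exit before start() runs.
    restart) stop; start ;;
    status)  status ;;
    *)       usage ;;
  esac
}

main "$@"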

iptables:

*nat
:PREROUTING ACCEPT [4:463]
:POSTROUTING ACCEPT [18:1242]
:OUTPUT ACCEPT [18:1242]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
 
# usage: iptables-restore < firewall.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [606:306949]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 
 
 
# Drop packets arriving with a private (RFC1918) or otherwise non-routable source address (i.e., spoofed). Note: 192.168.0.0/16, the third RFC1918 range, is not in this list.
-A INPUT -s 10.0.0.0/8     -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12  -j DROP
-A INPUT -s 127.0.0.0/8    -j DROP
 
-A INPUT -s 224.0.0.0/4      -j DROP
-A INPUT -d 224.0.0.0/4      -j DROP
-A INPUT -s 240.0.0.0/5      -j DROP
-A INPUT -d 240.0.0.0/5      -j DROP
-A INPUT -s 0.0.0.0/8        -j DROP
-A INPUT -d 0.0.0.0/8        -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255  -j DROP
 
 
 
 
# Allow most ICMP packets to be received (so people can check our
# presence), but restrict the flow to avoid ping flood attacks
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
 
 
 
 
# Drop invalid packets immediately
-A INPUT   -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT  -m state --state INVALID -j DROP
 
 
 
 
 
# Drop bogus TCP packets
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
 
 
 
# Rate-limit incoming RST packets to blunt SMURF-style attacks, by giving the
# next real data packet in the sequence a better chance to arrive first.
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
 
 
 
 
# Protect against SYN floods by rate limiting the number of new
# connections from any host to 60 per second.  This does *not* do rate
# limiting overall, because then someone could easily shut us down by
# saturating the limit.
#-A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --set
#-A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP
# The above doesn't seem to work?
 
 
 
# Anyone who tried to portscan us is locked out for an entire day.
-A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
 
# Once the day has passed, remove them from the portscan list
-A INPUT   -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove
 
# These rules add scanners to the portscan list, and log the attempt.
-A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
 
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
 
 
 
 
# Allow SSH (currently commented out: because of the final "-A INPUT -j DROP" rule below, inbound SSH is blocked until this rule is enabled with the real admin source address)
# -A INPUT -p tcp -m state --state NEW --source 8.8.8.8/32 --dport 22 -j ACCEPT
 
 
 
 
# Allow web traffic (port 80 is redirected to Jenkins on 8080 by the nat PREROUTING rule above; 8080 itself is also reachable directly)
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
 
 
 
 
# Drop everything else
-A INPUT -j DROP
 
 
 
 
COMMIT