Hacker News

Why are these Jenkins servers exposed to the public internet?

Serves them right for such sloppy ops



It doesn't necessarily have to be the case.

I've contributed a few small patches to some well-known open-source projects. In the months after that I've received a few automated mails from some CI systems informing me about some (un)successful build. Probably because somewhere somebody integrated a new version of said open-source projects in their product and the system is configured to mail every committer the outcome of the CI pipeline, regardless of whether that committer is actually an employee... Still sloppy ops though.


How is that relevant to what I'm talking about?

I'm talking about non-firewalled open ports on a jenkins server connected to the public internet.

You're talking about some auto-emails and a bug where too many committers were emailed.

How are those things even remotely related?


You wouldn't believe how many there are, open to the public. Even more so are the ones that allow shell access.


Also, there's a Jenkins Mask Passwords plugin which we use in conjunction with not exposing our Jenkins server to the Internet. Plus it's worthwhile wrapping Jenkins with TLS.

https://wiki.jenkins.io/display/JENKINS/Mask+Passwords+Plugi...


The article specifically mentions that the Jenkins in question had this plugin active, but it failed to catch all sensitive secrets.


+1. Jenkins even has an authenticated mode, but their code quality is so inconsistent that even that's not enough.

When we investigated in 2015, we found an average of 3 remote code execution / escalation of privilege CVEs per year in the previous 4 years. Looking at [1], I see the trend is still not great - 30 CVEs in 2018.

Fundamentally, it seems to me that Jenkins does not have the mindset to do security well. This isn't surprising given its plugin architecture permits random code to run. Isolate it behind a proxy server like https://github.com/pusher/oauth2_proxy and sleep better at night.

[1] https://www.cvedetails.com/vulnerability-list/vendor_id-1586...
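An added example, not code from the thread and not from the Jenkins or oauth2_proxy projects: a proxy in front of Jenkins only isolates it if Jenkins itself stops listening on a routable address, so this script checks a constructed `ss -Hltn` sample for wildcard-bound listeners and prints the two settings that make the proxy the only entry point. The sample lines, the port numbers, the OAuth provider, the placeholder credentials and the location of `JENKINS_OPTS` are assumptions; the `--httpListenAddress` flag and the oauth2_proxy flags used are real.

```shell
#!/bin/sh
# Added example (not from the thread, nor from Jenkins or oauth2_proxy).
# Putting oauth2_proxy in front of Jenkins only helps if Jenkins is no longer
# reachable directly: it must bind to loopback, and the proxy must be the
# only thing listening on a routable address.
set -eu

# Print listeners bound to a wildcard address (0.0.0.0, [::] or *).
# Input lines are shaped like 'ss -Hltn' output:
#   State Recv-Q Send-Q Local:Port Peer:Port
wildcard_listeners() {
  awk '{
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print addr ":" port
  }'
}

# Constructed sample (not captured from a real host): Jenkins started without
# --httpListenAddress (8080 on 0.0.0.0), a loopback-only service on 8081, and
# oauth2_proxy on 4180 on every address.
SAMPLE='LISTEN 0 50  0.0.0.0:8080    0.0.0.0:*
LISTEN 0 128 127.0.0.1:8081   0.0.0.0:*
LISTEN 0 128 [::]:4180        [::]:*'

sample_wildcards() { printf '%s\n' "$SAMPLE" | wildcard_listeners; }

# True when the assumed Jenkins port (8080) is bound to a wildcard address,
# i.e. the proxy can be bypassed.
jenkins_exposed() { sample_wildcards | grep -q ':8080$'; }

# Jenkins side of the fix: listen on loopback only. Which file carries
# JENKINS_OPTS depends on the distro (/etc/default/jenkins on Debian-style
# installs); that path is an assumption.
jenkins_loopback_opts() {
  printf '%s\n' 'JENKINS_OPTS="--httpListenAddress=127.0.0.1 --httpPort=8080"'
}

# Proxy side: oauth2_proxy owns the routable address and forwards to the
# loopback-bound Jenkins. Provider and domain are assumptions; the
# <...> tokens are placeholders for your own credentials.
oauth2_proxy_cmd() {
  printf '%s\n' \
    'oauth2_proxy --http-address=0.0.0.0:4180 --upstream=http://127.0.0.1:8080' \
    '  --provider=github --email-domain=example.com' \
    '  --client-id=<client-id> --client-secret=<client-secret> --cookie-secret=<cookie-secret>'
}

# 'sh this.sh live' checks the running host; otherwise show the sample finding.
if [ "${1:-}" = live ]; then
  ss -Hltn | wildcard_listeners
else
  echo "wildcard listeners in sample:"; sample_wildcards
  if jenkins_exposed; then
    echo "Jenkins port reachable directly; fix with:"
    jenkins_loopback_opts; oauth2_proxy_cmd
  fi
fi
```

The awk check treats only the local address column, so a service bound to `127.0.0.1` never appears even if its port matches; run the `live` mode after restarting Jenkins to confirm that only the proxy and the VPN port remain on wildcard addresses.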


Are there any good guides for setting up private networks? Google results are overwhelmed by setting up VPNs for private browsing.


Set up a network, don't make it public. Block everything incoming except your VPN tunnel should you need remote access. That's how a private network works.


> Block everything incoming except your VPN tunnel should you need remote access

With the slight caveat that you should have at least a second out-of-band access method for when you bork your VPN config :)


True, but you know you have done your private network correctly if borking your VPN config means no access.
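An added example, not from the thread: the layout described above (everything inbound dropped except the VPN tunnel) together with the out-of-band path from the caveat about borking the VPN config, written as an nftables ruleset that a POSIX shell script generates and checks. The interface names, the WireGuard port, the management subnet and the Jenkins port are assumptions; nothing is applied unless `apply` is requested, which needs root and nftables.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny inbound firewall for a
# host that runs Jenkins on a private network. Only the WireGuard tunnel is
# reachable from the internet-facing interface; SSH from one management
# subnet is the second, out-of-band path so a broken VPN config does not
# lock you out. All names and numbers below are assumptions for this example.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # assumed internet-facing interface
VPN_IF="${VPN_IF:-wg0}"               # assumed WireGuard interface
VPN_PORT="${VPN_PORT:-51820}"         # assumed WireGuard listen port (UDP)
MGMT_NET="${MGMT_NET:-10.99.0.0/24}"  # assumed out-of-band management subnet
JENKINS_PORT="${JENKINS_PORT:-8080}"  # assumed Jenkins HTTP port

# Print the ruleset; nothing is applied here.
build_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # internet-facing interface: only the VPN tunnel is reachable
    iif "$WAN_IF" udp dport $VPN_PORT accept
    # out-of-band path (console / jump network) in case the VPN config breaks
    ip saddr $MGMT_NET tcp dport 22 accept
    # Jenkins and SSH are reachable only through the tunnel, never via $WAN_IF
    iif "$VPN_IF" tcp dport $JENKINS_PORT accept
    iif "$VPN_IF" tcp dport 22 accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Sanity check on the generated text: inbound policy is drop, and no rule
# opens the Jenkins port on the internet-facing interface.
ruleset_is_private() {
  rs=$(build_ruleset)
  printf '%s\n' "$rs" | grep -q 'hook input priority 0; policy drop' || return 1
  printf '%s\n' "$rs" | grep -q "iif \"$WAN_IF\" tcp dport $JENKINS_PORT" && return 1
  return 0
}

case "${1:-}" in
  apply)  build_ruleset | nft -f - ;;   # needs root; 'nft -f -' reads stdin
  check)  ruleset_is_private && echo "ok: $JENKINS_PORT is not reachable from $WAN_IF" ;;
  *)      build_ruleset ;;
esac
```

Apply it from the management subnet or a console, not over the VPN, and keep a second session open until `nft list ruleset` shows what you expect; if the VPN rule is wrong the only remaining path in is the one from `MGMT_NET`, which is exactly the fallback the caveat above asks for.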


The easy way is to set up some sort of router, most of them NAT and block port forwarding. That way you can only access your Jenkins from the local network.



