Preventing security attacks
This page provides guidelines which, to the best of our knowledge, will help prevent security attacks on your JIRA installation.
Use strong passwords
Administrators should use strong passwords
All your JIRA administrators, JIRA system administrators and administrators of all Atlassian applications should have strong passwords. Ask your administrators to update their passwords to strong passwords.
Do not use passwords that are dictionary words. Use mixed-case letters, numbers and symbols for your administrator passwords and make sure they are sufficiently long (e.g. 14 characters). We encourage you to refer to the Strong Password Generator for guidelines on selecting passwords.
Using strong passwords greatly increases the time required by an attacker to retrieve your passwords by brute force, making such an attack impractical.
Administrators should have different passwords for different systems
As well as choosing a strong password, administrators should have different strong passwords for different systems. This will reduce the impact an attacker can have if they do manage to obtain administrator credentials on one of your systems.
Apply JIRA security patches
Apply the patches found in any security advisories that we release for your version of JIRA. These patches protect JIRA from recently detected privilege escalation and XSS vulnerabilities.
Protect against brute force attack
You can also actively protect your systems against repeated unsuccessful login attempts, known as "brute force" login attacks.
Enable brute force login protection on your web server
You can also enable brute force login protection on your web server by detecting repeated authentication failures in application logs. Once repeated login failures have been detected, you can set up an automated system to ban access to your web server from that particular IP address.
For more information on how to configure an automated approach to this kind of login prevention, refer to Using Fail2Ban to limit login attempts.
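The log-based detection described above can be sketched as follows. This is an added example, not Atlassian or Fail2Ban code: the log line format, the function name `find_ips_to_ban` and the thresholds are assumptions, so adapt the regular expression to the lines your own application writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not JIRA's real log layout):
#   <ISO timestamp> <client IP> LOGIN_FAILED|LOGIN_OK user=<name>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<event>LOGIN_FAILED|LOGIN_OK) user=\S+$"
)

# Constructed sample input, in chronological order per client address.
SAMPLE_LOG = """\
2024-05-01T09:00:00 192.0.2.10 LOGIN_FAILED user=alice
2024-05-01T09:00:20 192.0.2.10 LOGIN_OK user=alice
2024-05-01T09:01:00 203.0.113.7 LOGIN_FAILED user=admin
2024-05-01T09:01:05 203.0.113.7 LOGIN_FAILED user=admin
2024-05-01T09:01:10 203.0.113.7 LOGIN_FAILED user=root
this line does not match the format and is skipped
2024-05-01T09:01:15 203.0.113.7 LOGIN_FAILED user=admin
2024-05-01T09:01:20 203.0.113.7 LOGIN_FAILED user=sysadmin
2024-05-01T09:01:25 203.0.113.7 LOGIN_FAILED user=admin
2024-05-01T09:00:00 198.51.100.4 LOGIN_FAILED user=bob
2024-05-01T09:15:00 198.51.100.4 LOGIN_FAILED user=bob
2024-05-01T09:30:00 198.51.100.4 LOGIN_FAILED user=bob
"""

def find_ips_to_ban(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: timestamp of the failure that reached the threshold}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "LOGIN_FAILED":
            # Unparseable lines are skipped. Successful logins deliberately do
            # not reset the count, so one valid account cannot mask guessing.
            continue
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if ip in banned:
            continue
        q = recent[ip]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        q.append(ts)
        if len(q) >= max_failures:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_ips_to_ban(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

The addresses it returns would then be passed to whatever blocking mechanism your web server or firewall provides.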
Restrict network access to administrative sections of applications
An Atlassian application's administration interface is a critical part of the application; anyone with access to it can potentially compromise not only the application instance but the entire machine. As well as limiting access to only users who really need it, and using strong passwords, you should consider allowing access to it only from certain machines on the network.
For more information on how to implement Apache blocking rules to restrict access to administrative or sensitive actions in:
- JIRA, refer to Using Apache to limit access to the JIRA administration interface
- Confluence, refer to Using Apache to limit access to the Confluence administration interface
You can use a similar approach to protect all Atlassian applications.
Restrict file system access by the application server
The application server (e.g. Tomcat) runs as a process on the system. This process is run by a particular user and inherits the file system rights of that particular user. By restricting the directories that can be written to by the application server user, you can limit unnecessary exposure of your file system to the application.
For example, ensure that only the following directories can be written to by JIRA's application server: