I am trying to lock down our server to listen on localhost only and can't seem to find any documentation on the most current version of Bitbucket. Below is a printout of my netstat:
# netstat -an |grep -iw listen
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7980 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8020 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7990 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7992 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7993 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8095 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7999 0.0.0.0:* LISTEN
As you can see all the Atlassian ports are listening on 127.0.0.1 except for 7990 and 7999 which are served by Bitbucket. I managed to change Crowd and Jira to localhost by modifying their respective server.xml settings and adding address=127.0.0.1 under the connector tag. However, it seems that Bitbucket is no longer using a server.xml for the listener settings and I am unable to find a thread that is more current.
Hi,
You just need to add the server.address property to bitbucket.properties, like so:
server.address=127.0.0.1
Restart Bitbucket Server and it will be listening on that IP address only.
Cheers,
Christian
Premier Support Engineer
Atlassian
Thank you for taking the time to answer my question, I realize how strange this must seem, but for security reasons this is a requirement of my organization. For reference I found bitbucket.properties in the following location:
/var/atlassian/application-data/bitbucket/shared/bitbucket.properties
I added your suggestion to the end of the file
#>*******************************************************
#> Migrated to database at jdbc:postgresql://localhost:5432/GIT?targetServerType=master
#> Updated on 2020-09-03T09:53:02.626-05:00
#>*******************************************************
jdbc.driver=org.postgresql.Driver
jdbc.url=jdbc:postgresql://localhost:5432/GIT?targetServerType=master
jdbc.user=git
jdbc.password=devel
server.address=127.0.0.1
restarted the service and now 7990 is listening only on localhost.
# netstat -an |grep -iw listen
tcp 0 0 0.0.0.0:5701 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9418 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7980 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9200 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:45297 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8020 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7990 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7992 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7993 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8090 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:39453 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7999 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:45055 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8095 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN
However, 5701 (hazelcast.network.multicast.port), and 7999 (plugin.ssh.port) are still listening on all addresses.
Per suggestion in another thread, I tried adding the following to my bitbucket.properties, but it has not changed the listening ports of the above.
hazelcast.network.multicast=false
hazelcast.network.multicast.address=127.0.0.1
As for 7999 or Bitbucket SSH access, below are the settings from my BB server settings screen.
We are only running a single instance of Bitbucket Server, Jira Server, Confluence Server, and Crowd Server with no plans of using the clustering features of the Data Center version for now.
This was resolved with Bitbucket release 7.11 following implementation of suggestion BSERV-12764.
Bryan Turner added a comment - 26/Feb/2021 1:19 AM
Bitbucket Server/Data Center 7.11.0 will add a new property, plugin.ssh.address, which can be set in bitbucket.properties to control what address (or addresses; a comma-separated list is supported) SSH should listen on. The default behavior of listening on all addresses remains unchanged. To bind only to localhost, add plugin.ssh.address=127.0.0.1 to bitbucket.properties.
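A way to check the result of server.address and plugin.ssh.address after a restart, as an added example that is not part of the thread or Atlassian's own code: the function reads `netstat -an` output and prints every TCP listener that is not bound to loopback. The function names, the allow-list argument and the sample lines (including the tcp6 entries) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that are NOT bound to loopback.
# Reads `netstat -an` output on stdin. Arguments are ports that are allowed
# to stay exposed (for example 22 for the system sshd).
nonlocal_listeners() {
    awk -v allowed=" $* " '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            port = addr
            sub(/^.*:/, "", port)          # keep the text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # Loopback forms: 127.0.0.0/8, ::1, and IPv4-mapped ::ffff:127.x
            if (host ~ /^127\./ || host == "::1" || host == "[::1]" ||
                host ~ /^::ffff:127\./) next
            if (index(allowed, " " port " ")) next   # explicitly permitted
            print port, host
        }' | sort -n
}

# Constructed sample modelled on the second listing in the thread, taken
# after server.address=127.0.0.1 was set but before plugin.ssh.address
# existed. The tcp6 lines are constructed to exercise IPv6 handling.
sample_after_server_address() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:5701 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7990 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7999 0.0.0.0:* LISTEN
tcp6 0 0 :::9418 :::* LISTEN
tcp6 0 0 ::1:8000 :::* LISTEN
EOF
}

# On a live host: netstat -an | nonlocal_listeners 22
sample_after_server_address | nonlocal_listeners 22
```

Empty output means every listener outside the allow-list is bound to loopback, so the function can gate a post-restart check.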