Did your Grafana, Kibana, or Jenkins end up public?
Type grafana.yoursite.com into a browser from a network you've never touched your servers on. Does a dashboard load? If it does for you, it does for everyone else too.
You spun up Grafana to watch your servers. Kibana to read logs. Jenkins to ship code. Each one solved a real problem, and each one came with a port you opened during setup and probably never closed. Your dashboards know your infrastructure: the hostnames, the database names, the queue depths, the deploy pipeline, the error logs with real user data in them. Anyone who reaches those panels knows it too. And these three tools, more than most, default to letting strangers reach them.
The defaults that bite
These three got popular by being easy to stand up. That ease is the problem.
Older Grafana shipped with admin / admin as the login, plus settings such as allow_embedding that many people leave wide open. Worse, Grafana has an anonymous access mode, auth.anonymous.enabled = true, that some Docker images and tutorials switch on so you can "just see the dashboards." If that's on, there's no login at all. A stranger sees everything you see. Kibana historically had no authentication in the open-source build unless you explicitly added it, so an exposed Elasticsearch and Kibana pair is a fully readable index of whatever you log. Jenkins is the sharpest of the three: a misconfigured instance allows anonymous read or even anonymous build, and the script console runs arbitrary Groovy as the Jenkins user, which is a straight path to code execution on your build server.
None of these are exotic bugs. They're the documented default behavior, hit by a deploy that prioritized "working" over "closed."
What the dashboards hand over
A monitoring panel is reconnaissance gold because it's built to describe your system clearly. That clarity works for the attacker too.
An open Grafana shows your data source names and often their hostnames: prod-postgres-primary, redis-cache-eu, internal IPs, the shape of your whole backend laid out in panel titles. Query the data source directly through Grafana's proxy and you may pull raw metrics or even run queries against the database behind it. An open Kibana is worse, because logs are where secrets go to hide. People log full request bodies, auth headers, session tokens, and stack traces. A readable log index is a searchable archive of every secret that ever passed through a log line. And an open Jenkins with the script console exposed goes past information leak into remote shell territory. One paste of Groovy and they're running commands on the box that has your deploy keys.
- Grafana: data source names, internal hostnames, infra topology, sometimes direct DB query access.
- Kibana: searchable logs full of tokens, headers, PII, and error detail.
- Jenkins: credentials store, build logs, and the Groovy script console as code execution.
This is the same class of exposure as a forgotten phpMyAdmin login on the open internet: a powerful internal tool that was only ever meant for you, answering to the whole world.
How they find yours
Subdomains are the giveaway. People name these panels exactly what they are: grafana.yoursite.com, kibana.yoursite.com, jenkins.yoursite.com, or the logs., metrics. and ci. prefixes. Certificate transparency logs publish every TLS certificate you issue, so the moment you got a cert for grafana.yoursite.com, that subdomain became public record, searchable by anyone. Add Shodan indexing the default ports, 3000 for Grafana, 5601 for Kibana, 8080 for Jenkins, and finding yours takes one search query.
Closing them, and confirming they're closed
The principle is the same for all three: these are internal tools, so they belong on an internal network, not a public IP. Put them behind a VPN, a Tailscale or WireGuard network, or an authenticating reverse proxy with an IP allowlist. If a panel must stay reachable, turn anonymous access off explicitly, rotate the default admin credentials, and disable the Jenkins script console for non-admins. Then bind the service to localhost and reach it through a tunnel wherever you can.
```ini
# grafana.ini, the dangerous default
[server]
http_addr =          # empty binds 0.0.0.0, public

[auth.anonymous]
enabled = true       # no login required
```
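The three Grafana settings this post calls out (the bind address, anonymous access, and the shipped admin password) can be checked mechanically before a deploy goes out. The following is an added example, not code from the post or from Grafana: a small audit that parses a grafana.ini with Python's configparser and reports each dangerous value, run against two constructed files, the open defaults and the same file after closing it. The `${GF_ADMIN_PASSWORD}` reference in the closed file assumes Grafana's environment-variable expansion syntax in ini values.

```python
import configparser

# Constructed sample: the dangerous defaults described in the post.
OPEN_INI = """
[server]
http_addr =          # empty means 0.0.0.0: every interface, including the public one
http_port = 3000

[security]
admin_user = admin
admin_password = admin

[auth.anonymous]
enabled = true       # dashboards render with no login at all
"""

# Constructed sample: the same file after closing it.
CLOSED_INI = """
[server]
http_addr = 127.0.0.1   # localhost only; reach it through a VPN or SSH tunnel
http_port = 3000

[security]
admin_user = admin
admin_password = ${GF_ADMIN_PASSWORD}   # assumes Grafana's ${ENV} expansion; set it outside the file

[auth.anonymous]
enabled = false
"""


def load_ini(text):
    """Parse a grafana.ini body. Grafana accepts both '#' and ';' comments, and its
    values may contain '%', so interpolation is switched off."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"), interpolation=None)
    cp.read_string(text)
    return cp


def audit_grafana_ini(text):
    """Return a list of findings; an empty list means none of the three checks fired."""
    cp = load_ini(text)
    findings = []

    # 1. Bind address: empty, 0.0.0.0 or :: listens on the public interface.
    bind = cp.get("server", "http_addr", fallback="").strip()
    if bind in ("", "0.0.0.0", "::"):
        findings.append("server.http_addr binds all interfaces; bind to 127.0.0.1 and tunnel in")

    # 2. Anonymous mode: Grafana's own default is false, but images and tutorials flip it.
    if cp.getboolean("auth.anonymous", "enabled", fallback=False):
        findings.append("auth.anonymous.enabled = true: dashboards render without a login")

    # 3. Admin password: Grafana's default when the key is absent is 'admin'.
    if cp.get("security", "admin_password", fallback="admin").strip() == "admin":
        findings.append("security.admin_password is the shipped default 'admin'")

    return findings


if __name__ == "__main__":
    for label, body in (("open defaults", OPEN_INI), ("closed", CLOSED_INI)):
        print(f"{label}: {len(audit_grafana_ini(body))} finding(s)")
        for f in audit_grafana_ini(body):
            print("  -", f)
```

Run it against the file your container actually mounts, not the one in the repo; the env-var overrides (`GF_AUTH_ANONYMOUS_ENABLED`, `GF_SECURITY_ADMIN_PASSWORD`) Grafana reads at startup are what decide the effective value, so a clean ini plus a `GF_AUTH_ANONYMOUS_ENABLED=true` in a compose file is still open.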
Whether a panel renders without a login is something you can check the same way an attacker does: from a browser, with no credentials. SurfaceCheckr walks the common panel subdomains and default ports and reports which ones answer and what they fingerprint as, so you get the same first look a stranger gets. It stops there on purpose. It won't log in, won't probe what sits behind the auth, and won't stand in for a pentest of your authenticated dashboards. But reachable at all is the finding that has to land first, because it's the one that turns your monitoring into someone else's map, and it's the one you can close today.
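The reachability check described above reduces to one unauthenticated GET per panel and a verdict on the response. The following is an added example, not SurfaceCheckr's code or any of the three projects' code: a Python script that, run from a network outside your own, asks the grafana., kibana. and jenkins. hostnames of your domain on the default ports named in this post whether they answer without credentials, and classifies each answer as unreachable, login required, or answering without login. The per-tool probe paths are assumptions about each tool's unauthenticated JSON endpoint and may need adjusting for your versions; it never sends credentials and never follows a redirect. The classifier is also exercised on constructed sample responses so the logic can be checked offline.

```python
import json
import socket
import sys
import urllib.error
import urllib.request

# Default ports from the post. The paths are an assumption: a JSON endpoint that each tool
# serves to an anonymous viewer when anonymous access is on, and refuses otherwise.
PANELS = {
    "grafana": {"port": 3000, "path": "/api/search"},
    "kibana": {"port": 5601, "path": "/api/status"},
    "jenkins": {"port": 8080, "path": "/api/json"},
}

# Constructed sample responses, shaped like what the probe would see.
SAMPLE_RESPONSES = {
    "open grafana": (200, "application/json", '[{"id":1,"title":"prod-postgres-primary"}]'),
    "closed grafana": (401, "application/json", '{"message":"Unauthorized"}'),
    "closed jenkins": (403, "text/html;charset=utf-8", "<html>Authentication required</html>"),
    "redirect to login": (302, "text/html", ""),
    "nothing listening": (None, "", ""),
}


def classify(status, content_type, body):
    """Turn one unauthenticated response into a verdict. status=None means no TCP/HTTP answer."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "login required"
    if status in (301, 302, 303, 307, 308):
        return "redirected (usually a login page; confirm in a browser)"
    if status == 200 and "json" in content_type.lower():
        try:
            json.loads(body)
            return "ANSWERS WITHOUT LOGIN"  # the finding that has to land first
        except ValueError:
            pass
    if status == 200:
        return "reachable, page served (inspect in a browser)"
    return f"reachable, HTTP {status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx to the caller instead of following it; we only want to know what answers.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host, port, path, timeout=5):
    """One anonymous GET; returns the classify() verdict. Sends no credentials."""
    url = f"http://{host}:{port}{path}"
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify(resp.status, resp.headers.get("Content-Type", ""), body)
    except urllib.error.HTTPError as e:  # 4xx/5xx and, thanks to _NoRedirect, 3xx
        body = e.read(4096).decode("utf-8", "replace")
        return classify(e.code, e.headers.get("Content-Type", ""), body)
    except (urllib.error.URLError, socket.timeout, OSError):
        return classify(None, "", "")


def check_domain(domain):
    """Probe <tool>.<domain> on each default port and return {hostname: verdict}."""
    return {
        f"{name}.{domain}": probe(f"{name}.{domain}", spec["port"], spec["path"])
        for name, spec in PANELS.items()
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} yoursite.com  (run from a network outside your own)")
        sys.exit(2)
    for host, verdict in check_domain(sys.argv[1]).items():
        print(f"{host:40} {verdict}")
```

"Login required" is the floor, not the goal: a panel that answers a 401 is still reachable, still fingerprintable, and still a target for the default credentials this post lists, so the fix in the previous section (private network or bind to localhost) is what turns "login required" into "unreachable".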
Find it before someone else does.
Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.