topic Re: Splunkweb is accessed remotely with Free License configured... Bug? in Security

Splunkweb is accessed remotely with Free License configured... Bug?

ageld — Fri, 11 Mar 2011 21:22:57 GMT

I am running Splunk 4.1.7 as forwarder (not as LightForwarder) on Windows 7 laptop. It sends data to our Splunk indexer and is configured with Free license. SplunkWeb interface is still accessed remotely despite the statements in server.conf.

# The following 'allowRemoteLogin' setting controls remote management of your splunk instance.
#  - If set to 'always', all remote logins are allowed.
#  - If set to 'never', only local logins to splunkd will be allowed. Note that this will still allow
#    remote management through splunkweb if splunkweb is on the same server.
#  - If set to 'requireSetPassword' (default behavior):
#     1. In the free license, remote login is disabled.
#     2. In the pro license, remote login is only disabled for the admin user that has not changed their default password
allowRemoteLogin=requireSetPassword

As you can see the config file states that in default configuration allowRemoteLogin=requireSetPassword "In the free licese, remote login is disabled".

Setting "allowRemoteLogin=never in server.conf under "local" directory did not fix the issue.

I also tried to set

server.socket_host = 127.0.0.1

in web.conf file (local directory) to force Web interface to only listen on localhost (loopback interface). It did not help also.

I need to do something to protect Web UI. I do not want it off completely, since it is convenient to configure Data Input with. Running local firewall is not an option in my case.

I wish Splunk developers developed source IP address restrictions when it comes to Web UI. I am surprised it is not built into the product. It is very easy to implement. Disabling logons under Free license and not restricting access to Admin UI makes the whole system vulnerable. I do not foresee anybody to license each and every forwarder in their environment -- it's just way too expensive.

If someone figured out how to:

restrict remote access to Web UI by source IP address without running OS firewall
force SplunkWeb process to only bind to loopback interface

please, let me know.

Re: Splunkweb is accessed remotely with Free License configured... Bug?

David — Sat, 12 Mar 2011 00:10:12 GMT

I'm not sure it's possible to restrict the source IP address, but you can bind to the loopback article by following the following instructions:

http://answers.splunk.com/questions/134/how-do-i-bind-splunk-to-a-specific-interface

I've done this on my server and verified that it works.

I believe the reason why allowRemoteLogin isn't acting how you would like it to is that it is controlling access to the splunkd process. Setting that to never will prevent a splunk instance on another box from logging in. Since it only controls access to splunkd, though, if a local splunkweb instance is running, any logins through that service are considered "local."

I can't necessarily tell you why server.socket_host doesn't work (as that would logically follow) except to say that I tried a few different methods when I configured it on my box, and this was the first one to work for me.

Let me know if that doesn't sort everything out for you.

Re: Splunkweb is accessed remotely with Free License configured... Bug?

proctorgeorge — Sat, 12 Mar 2011 00:21:48 GMT

I am just wondering if you are using the Free License on the indexer or the forwarders? If you were talking about the forwarders, then do you mean the Free License or the Forwarder License. I am wondering if this might change how configurations are handled.

Re: Splunkweb is accessed remotely with Free License configured... Bug?

ageld — Sat, 12 Mar 2011 02:23:31 GMT

Free license is installed only on a forwarder. Indexer is fully licensed

Re: Splunkweb is accessed remotely with Free License configured... Bug?

ageld — Sat, 12 Mar 2011 02:26:24 GMT

I read the article you suggested... Somewhere I saw that setting SPLUNK_BINDIP=127.0.0.1

will bind Splunk process to the loopback address not SplunkWeb. This might lead to break in communication between the forwarder and the indexer.

I wish Splunk developers would just develop an access list, restricting/permitting certain IPs to connect to SplunkWeb interface... 😞 😞 😞

Re: Splunkweb is accessed remotely with Free License configured... Bug?

David — Sat, 12 Mar 2011 03:28:12 GMT

I just tested it with my LWF. I specified the bindip, verified that it was listening on the internal only interface, and then verified that it was still forwarding logs. I believe the listen IP is a totally different function from the ability to send data out. (This was tested on Windows, though I would expect it to function the same on Linux)

Re: Splunkweb is accessed remotely with Free License configured... Bug?

ageld — Tue, 15 Mar 2011 19:03:29 GMT

David, Thanks a lot! It worked like a charm!

Re: Splunkweb is accessed remotely with Free License configured... Bug?

RobertFidler — Tue, 01 Nov 2011 14:18:31 GMT

But if you bind to a 127/8 address, how can you populate your splunk with logs from a universal forwarder on another system?

Re: Splunkweb is accessed remotely with Free License configured... Bug?

sideview — Wed, 02 Nov 2011 01:12:53 GMT

The free license simply has no authentication at all. I suspect that those comments in server.conf are wrong, or things got confused at some point. At any rate on the free license there is no "login" to allow or disallow.

That said, I don't see why you would want to use the free license on a forwarder. Use the forwarder license and make sure that your forwarder isn't indexing any significant data. Is there a downside?