topic Disable the UF web service in Security

Disable the UF web service

smithjnick — Mon, 06 Jan 2014 15:45:42 GMT

I am having no success in disabling the web service on my universal forwarders?

Issue: Security team were able to browse to my universal forwarders using https://[universalforwarder]:8089. I have been instructed to kill the web service on the UFs.

Have tried: creating a new web.conf placed in etc/system/local with the following settings applied

startwebserver = 0
httpport = 0

With these settings in place and removal of the old web.conf file sitting in etc/default i am still able to web onto my UF's from a remote machine?

Am i missing a setting somewhere?

thanks

Re: Disable the UF web service

linu1988 — Mon, 06 Jan 2014 16:24:22 GMT

I don't know what to check but , i think if we remove the admin users capabilities we will be safe. Let's wait for the clarification

Re: Disable the UF web service

smithjnick — Mon, 06 Jan 2014 16:32:14 GMT

Yes, i dont want to kill the management port completely, just the ability to browse to a universal forwarder over this port. I did use the httpdisable stanza in server.conf but then i lost functionality in cli mode i.e. i was not able to list forward-servers etc... for my troubleshooting scenarios.

Re: Disable the UF web service

dwaddle — Mon, 06 Jan 2014 16:41:03 GMT

Port 8089 is NOT splunkweb, it is Splunk's management port. It does, however, speak HTTP so it can appear to be an HTTP Server.

I don't think you can (safely) disable it entirely. You might use SPLUNK_BINDIP to restrict this port to only listening on 127.0.0.1.

http://answers.splunk.com/answers/134/how-do-i-bind-splunk-to-a-specific-interface

To elaborate, let's go through Splunk's architecture. There are two daemons - services if you will - splunkd and splunkweb. Each of these has a distinct purpose.

The splunkweb service provides the user interface components, which (by default) run HTTP on port 8000. This is where the search interface lives, and is how most users interact with Splunk.

The splunkd service is the indexing / forwarding / searching component. It has no real UI, and is interacted with by using an HTTPS port on (usually) port 8089 where REST APIs are called. Using Splunkd alone, you can't view a dashboard or create a chart. If you know the REST API - or are using an SDK - you can use the REST API (or SDK) to programmatically run searches and so forth - but the UI is up to you at that point.

Out of the box, UFs have the splunkweb web service disabled entirely. In fact, it is impossible to run splunkweb on a UF because UFs do not include the Splunk python runtime. UFs cannot run splunkweb.

UFs do, however, run Splunkd - they need to run Splunkd to do things like tail log files and forward this data to Splunk indexers.

As far as web.conf goes, if we look closely at the startwebserver option in the docs, it is specifically whether or not to start Splunkweb.

startwebserver = [0 | 1]
    * Set whether or not to start SplunkWeb.
    * 0 disables SplunkWeb, 1 enables it.
    * Defaults to 1.

So control of Splunkd's REST port at 8089 is not governed by startwebserver. There is however the disableDefaultPort option in server.conf. This should work, however there have been issues documented with it in the past.

Disabling the REST port entirely could cause some breakage, because there are CLI commands that use the REST port to talk to Splunkd. You would not be able to, for example, do a splunk list monitor or splunk add monitor because these commands are implemented using the REST port. This is why I suggested using SPLUNK_BINDIP to limit access to the REST port to the local host.

Re: Disable the UF web service

smithjnick — Mon, 06 Jan 2014 17:22:39 GMT

Yes, your comment "It does, however, speak HTTP so it can appear to be an HTTP Server" is the issue here.

Seems a bit naughty that does if its not a bug.

Re: Disable the UF web service

dwaddle — Mon, 06 Jan 2014 17:32:24 GMT

No, it's not a bug. It is, perhaps, a case of the options in web.conf not being clear as to what they do or do not do. I will update my post to clarify further.

Re: Disable the UF web service

Drainy — Mon, 06 Jan 2014 19:01:27 GMT

Also, it might be worth being sure to change the default password and use IPTABLES to prevent access to it (if you're running on a brand of *nix). I had similar concerns a while back

Re: Disable the UF web service

locose — Fri, 24 Mar 2017 18:13:28 GMT

So per https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/BindSplunktoanIP

$SPLUNK_HOME/etc/splunk-launch.conf

SPLUNK_BINDIP=127.0.0.1

Do you know if this can be set running the cli ?