
Can you disable the management port (8089) on clients via the Deployment Server?

asofo
Path Finder

We're looking to disable the management port (8089) on current and future clients. Can this be done from a policy or setting on the Deployment server?

1 Solution

jtacy
Builder

Yes, you can deploy an app with a server.conf like this:

# Disable management port to prevent remote (or local) config.
[httpServer]
disableDefaultPort = true

We deploy our UFs with an app like this and the port is not even open on the client with it installed. It doesn't break the deployment client functionality either. Good luck!


ephemeric
Contributor

I think the OP wants to secure the UFs.

By default the UF binds `*:8089` which is an audit finding in most envs.

To be sure, configure /opt/splunkforwarder/etc/splunk-launch.conf:

SPLUNK_BINDIP=127.0.0.1


0 Karma
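The two settings in this thread (jtacy's `disableDefaultPort` in server.conf and ephemeric's `SPLUNK_BINDIP` in splunk-launch.conf) are easy to deploy but just as easy to get wrong in a layered app. The script below is an added example, not code from the thread or from Splunk: it parses both files, classifies the management port as disabled, loopback-only or exposed, and parses `ss -ltn` output so the result can be confirmed on the forwarder host. It assumes the default port 8089, that you pass the effective file contents (Splunk's default/local and app layering is not resolved), and all inputs shown are constructed samples.

```python
"""Check how a Splunk forwarder's management port (8089) is exposed.

Added example, not part of the forum thread and not Splunk's own code.
Assumptions: default port 8089; the caller passes the effective server.conf
and splunk-launch.conf text (app/local layering is not merged here).
"""
import re

MGMT_PORT = 8089


def parse_splunk_conf(text):
    """Minimal parser for Splunk .conf files: [stanza] headers, key = value
    pairs and '#' comments. Keys keep their case because settings such as
    disableDefaultPort are camelCase. Returns {stanza: {key: value}}."""
    stanzas = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def parse_launch_conf(text):
    """splunk-launch.conf is KEY=VALUE, one per line, with '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def management_port_exposure(server_conf_text, launch_conf_text):
    """Return 'disabled', 'loopback-only' or 'exposed'.

    disableDefaultPort wins: if the port is off, the bind address is moot.
    Otherwise SPLUNK_BINDIP on a loopback address restricts it to the host."""
    server = parse_splunk_conf(server_conf_text)
    flag = server.get("httpServer", {}).get("disableDefaultPort", "false")
    if flag.lower() in ("true", "t", "yes", "y", "1"):
        return "disabled"
    bindip = parse_launch_conf(launch_conf_text).get("SPLUNK_BINDIP", "")
    if bindip in ("127.0.0.1", "::1", "localhost"):
        return "loopback-only"
    return "exposed"


def listeners_on_port(ss_output, port=MGMT_PORT):
    """Parse `ss -ltn` style output and return the local addresses that are
    listening on `port`, to confirm the config result on the live host."""
    found = []
    for line in ss_output.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 4:
            continue
        addr, _, p = cols[3].rpartition(":")  # handles [::]:8089 too
        if p == str(port):
            found.append(addr)
    return found


# Constructed sample inputs (not captured from a real host).
DISABLED_SERVER_CONF = (
    "# Disable management port to prevent remote (or local) config.\n"
    "[httpServer]\ndisableDefaultPort = true\n"
)
DEFAULT_SERVER_CONF = "[general]\nserverName = uf01\n"
LOOPBACK_LAUNCH = "SPLUNK_BINDIP=127.0.0.1\n"
DEFAULT_LAUNCH = "# stock file\nSPLUNK_SERVER_NAME=SplunkForwarder\n"
SS_HEADER = "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
SS_OPEN = SS_HEADER + "LISTEN 0 128 *:8089 *:*\nLISTEN 0 128 127.0.0.1:8065 *:*\n"
SS_CLOSED = SS_HEADER + "LISTEN 0 128 127.0.0.1:8065 *:*\n"

if __name__ == "__main__":
    for label, srv, launch in (
        ("deployed app", DISABLED_SERVER_CONF, DEFAULT_LAUNCH),
        ("bindip only", DEFAULT_SERVER_CONF, LOOPBACK_LAUNCH),
        ("stock UF", DEFAULT_SERVER_CONF, DEFAULT_LAUNCH),
    ):
        print(f"{label:13s} -> {management_port_exposure(srv, launch)}")
    print("listeners on 8089 (open sample):  ", listeners_on_port(SS_OPEN))
    print("listeners on 8089 (closed sample):", listeners_on_port(SS_CLOSED))
```

Run the config check against the files a deployment app actually delivers, then run `ss -ltn` on a forwarder after restart and feed the output to `listeners_on_port`; a result of `[]` (or only a loopback address) is the evidence an auditor will want for the `*:8089` finding ephemeric mentions.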


woodcock
Esteemed Legend

How can it not "break" the DS functionality? If you change this to "false" on the DS, because the DC is not connecting (port is disabled), it will never get updated. You will have to login to the DC servers and manually change this (after changing it on the DS) in order for it to start working again.

0 Karma

dshpritz
SplunkTrust

Keep in mind that the DS does not "push". Clients connect to it, and pull their configuration. The DS does not talk to the UF management port.

jtacy
Builder

Howdy, I'm reading the question as asking about disabling the mgmt port on deployment clients (most likely UFs). You're right that it's important to be aware that the DS itself must listen on the mgmt port or you're sure to break things.

0 Karma

woodcock
Esteemed Legend

Why are you doing this? I assume it is so that you can prevent some app (all apps?) from being updated by the Deployment Server. The best way to do this is to disable DS client updates for just the app you need to "freeze" on just this server (not server-wide, not app-wide, not globally); you can do this like this (and yes, this can be done from the DS, but if you do this, it will disable this app on all servers and it cannot be undone from the DS):

$SPLUNK_HOME/etc/apps/MyApp/default/app.conf:
[install]
allows_disable = false

The first thing the DS Client does whenever it finds that the app does not match the DS master copy is to disable the app so that nobody can use it while it is being updated. If DS cannot disable the app, then it also cannot update it, so DS will be deadlocked from changing the app. If you forget to undo your changes, then whatever portion you disabled will never update. It is better to have just 1 app DS-disconnected than to have your entire node completely DS-orphaned.

0 Karma

laserval
Communicator

I believe the question is referring to disabling the management port on e.g. forwarders. The deployment clients are the ones sending requests to the deployment server - they don't need to have any open management port unless you want to do stuff like remotely run oneshot inputs.

asofo
Path Finder

Correct. I should have clarified this is simply for the forwarders. We do not plan to remotely manage them through the management web interface (remote management disabled by default anyway) and want to close any unnecessary ports for security reasons.

0 Karma

woodcock
Esteemed Legend

Then the OP should have said "disable the remote management web interface", not "disable the port". There are 2 things that happen on that port: DS and Web UI. I gave one answer and jtacy gave the other. In any case, the "disableDefaultPort" approach WILL NOT prevent port 8089 from being used if you are using DS because your DC on the forwarder will still use it.

0 Karma