I'm trying to automate the unattended setup of a Splunk server (it will live in a temporary VM) so that the only externally accessible service will be port 22 for SSH access, and I would like to check my thought process please 🙂
I'm planning on doing this by binding all of the various Splunk components to 127/localhost and then backing this up with UFW. I'll access the Splunk WebUI through an SSH port forward from my local machine. I only need to monitor files / data on the local machine.
My current plan is to:
1. Echo some credentials into user-seed.conf in /etc/system/local/user-seed.conf
2. Add a web.conf in /etc/system/local/web.conf containing [settings] and httpport = 1234
3. Edit the above web.conf with mgmtHostPort = 127.0.0.1:8089
4. Amend the splunk-launch.conf in /opt/splunk/etc with SPLUNK_BINDIP=127.0.0.1
5. Create ufw rules that:
   ufw allow from 127.0.0.1 to any port 9997
   ufw allow from 127.0.0.1 to any port 8089
   ufw allow from 127.0.0.1 to any port 1234
This should have all Splunk components binding to 127 rather than the IP of eth0, whilst still allowing the various components like the CLI and WebUI to communicate with splunkd? Is there a better way, in terms of Splunk best practice / security, of achieving this?
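The plan above, carried through as an added shell example; this is not the poster's script and not Splunk's or ufw's own tooling. It writes the three files the post names under a SPLUNK_HOME (assumed to default to /opt/splunk), takes the admin password from the environment instead of hard-coding it, and ends with a post-setup check that parses `ss -ltnH` output and reports any TCP listener that is not bound to loopback. The `[user_info]` / `USERNAME` / `PASSWORD` layout of user-seed.conf is Splunk's documented seed format rather than something the post shows; the ufw default-deny policy and the SSH allow rule are additions the post implies but does not spell out.

```shell
#!/bin/sh
# Added example, not the poster's script. Localhost-only Splunk bootstrap:
# writes user-seed.conf, web.conf and splunk-launch.conf, applies ufw rules,
# then verifies that nothing except sshd listens on a non-loopback address.
set -u

# Write the three local config files under $1 (SPLUNK_HOME).
# $2 / $3 are the seed admin username and password; passing them as arguments
# keeps the secret out of the script body. Safe to run more than once.
write_splunk_local_config() {
    home="$1"; user="$2"; pass="$3"
    local_dir="$home/etc/system/local"
    mkdir -p "$local_dir"

    # Seed the initial admin account (assumed documented Splunk format;
    # splunkd consumes and deletes this file on first start). Mode 0600.
    ( umask 077
      printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" \
          > "$local_dir/user-seed.conf" )

    # Web UI on port 1234, management port pinned to loopback (values from the post).
    printf '[settings]\nhttpport = 1234\nmgmtHostPort = 127.0.0.1:8089\n' \
        > "$local_dir/web.conf"

    # Bind every splunkd listener to loopback. Rewrite any existing
    # SPLUNK_BINDIP line rather than appending a duplicate.
    launch="$home/etc/splunk-launch.conf"
    { [ -f "$launch" ] && grep -v '^SPLUNK_BINDIP=' "$launch" || true
      printf 'SPLUNK_BINDIP=127.0.0.1\n'; } > "$launch.tmp"
    mv "$launch.tmp" "$launch"
}

# Host firewall: deny inbound by default, allow SSH, and (belt and braces,
# since ufw already accepts loopback traffic) allow the Splunk ports from 127.0.0.1.
apply_ufw_rules() {
    ufw default deny incoming
    ufw allow 22/tcp
    for port in 9997 8089 1234; do
        ufw allow from 127.0.0.1 to any port "$port" proto tcp
    done
    ufw --force enable
}

# Read `ss -ltnH` output on stdin and print the local address:port of every
# TCP listener that is NOT on 127.0.0.1 / ::1. After setup, the only line
# expected here is sshd on port 22; any Splunk port showing up means a
# bind setting did not take effect.
non_loopback_listeners() {
    awk '{
        addr = $4
        sub(/:[^:]*$/, "", addr)      # strip the port
        gsub(/\[|\]/, "", addr)        # strip IPv6 brackets
        if (addr != "127.0.0.1" && addr != "::1" && addr != "localhost")
            print $4
    }'
}

# Usage (as root, before the first splunk start):
#   SPLUNK_ADMIN_PASSWORD='...' sh splunk-localhost-setup.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_splunk_local_config "${SPLUNK_HOME:-/opt/splunk}" admin \
        "${SPLUNK_ADMIN_PASSWORD:?set SPLUNK_ADMIN_PASSWORD}"
    apply_ufw_rules
    echo "Non-loopback listeners (expect only sshd on 22):"
    ss -ltnH | non_loopback_listeners
fi
```

Run the listener check again after `splunk start`; the config files only take effect once splunkd reads them, so the meaningful result is the second run. The ufw loopback rules are not what keeps the box closed: the `default deny incoming` policy is, and ufw's shipped rules already accept traffic on `lo`, so the three per-port rules are documentation of intent more than enforcement.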