I am running across a number of vulnerability assessment findings regarding SSLv2 being accepted on my Splunk Universal Forwarder clients. I am using the Universal Forwarder to send data from my Windows and Linux machines to my indexer. I don't need it to listen on any port, that I know of.
Is it necessary for a universal forwarder to listen on any ports if it is only in use as a client to gather data and forward it to the indexer? If not, can this be disabled with a deployment app? Or at least have SSLv2 disabled with an app sent to all the clients (I made the server.conf change on the deployment server). Thanks, as always.
server.conf
disableDefaultPort = [true|false]
* If true, turns off listening on the splunkd management port (8089 by default)
* Default value is 'false'.
Add the following to your etc/system/local/server.conf
[httpServer]
disableDefaultPort = true
How do you manage the apps if you disable the deployment server port? 8089 with a properly created and issued certificate should void any vulnerabilities you have...
Port 8089 is listening on the UF and is used only for REST/CLI communication handling INBOUND requests to the UF instance.
Apps that get deployed to a UF (or actually all Splunk instances) are done via a PULL method, i.e. Splunk is configured to reach out to the DS and pull down the apps it's assigned; the DS does not PUSH to the instance.
So an open port is not needed for app deployment: as long as the UF can reach the DS on 8089, it'll get the apps.
PS: if you disable port 8089 on the DS itself, yes, you kill app deployment.
Very Succinct, Thanks.
In addition to disabling SSLv2, server.conf allows you to specify valid cipherSuite.
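As an added example (not from this thread or from Splunk), the Python script below parses a server.conf the way a deployment app would ship it and flags the two hardening points raised here: a forwarder still listening on the management port, and no explicit cipherSuite in [sslConfig]. The sample confs and the cipher names in them are constructed for illustration.

```python
"""Audit a Splunk server.conf for: [httpServer] disableDefaultPort = true and an
explicit [sslConfig] cipherSuite. Sample confs below are constructed examples."""
import re

def parse_splunk_conf(text):
    """Minimal parser for Splunk .conf syntax: [stanza], key = value,
    '#' comments and trailing-backslash line continuation."""
    conf, stanza, pending = {}, "default", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation: join with the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            stanza = m.group(1)
            conf.setdefault(stanza, {})
            continue
        key, _, value = line.partition("=")
        conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def is_true(value):
    return str(value).strip().lower() in ("true", "1", "yes", "t", "y", "on")

def audit_forwarder_conf(text):
    """Return findings; an empty list means both hardening checks pass."""
    conf = parse_splunk_conf(text)
    findings = []
    if not is_true(conf.get("httpServer", {}).get("disableDefaultPort", "false")):
        findings.append("httpServer.disableDefaultPort is not true: splunkd still "
                        "listens on the management port (8089 by default)")
    if not conf.get("sslConfig", {}).get("cipherSuite"):
        findings.append("sslConfig.cipherSuite not set: default cipher list applies")
    return findings

# Constructed sample: what a deployment app's local/server.conf could carry.
HARDENED_CONF = """\
# disable the UF management port and pin the cipher list
[httpServer]
disableDefaultPort = true
[sslConfig]
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:\\
    ECDHE-RSA-AES128-GCM-SHA256
"""
WEAK_CONF = "[httpServer]\ndisableDefaultPort = false\n"

if __name__ == "__main__":
    print(audit_forwarder_conf(WEAK_CONF) or ["OK"])
```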
Thank you. If anyone follows up on this thread: the disableDefaultPort = [true|false] setting is documented here: http://www.splunk.com/base/Documentation/latest/admin/Serverconf
server.conf
disableDefaultPort = [true|false]
* If true, turns off listening on the splunkd management port (8089 by default)
* Default value is 'false'.
Thanks. I appreciate it.
Can a server.conf configuration be pushed out with the Splunk deployment server?
Yes, a server.conf configuration can be pushed with the deployment server.