Universal Forwarder listening on port 8089

trross33
Path Finder

I am running across a number of vulnerability assessment findings regarding SSLv2 being accepted on my Splunk Universal Forwarder clients. I am using the Universal Forwarder to send data from my Windows and Linux machines to my indexer. I don't need it to listen on any port, that I know of.

Is it necessary for a universal forwarder to listen on any ports if it is only in use as a client to gather data and forward it to the indexer? If not, can this be disabled with a deployment app? Or at least have SSLv2 disabled with an app sent to all the clients (I made the server.conf change on the deployment server)? Thanks, as always.

1 Solution

msettipane
Splunk Employee

http://www.splunk.com/base/Documentation/latest/admin/Secureaccesstoyoursplunkserverwithssl#Disable_....

server.conf

disableDefaultPort = [true|false]
* If true, turns off listening on the splunkd management port (8089 by default)
* Default value is 'false'.

ericjaystevens
New Member

Add the following to your etc/system/local/server.conf

[httpServer]
disableDefaultPort = true

0 Karma

kapanig
Explorer

How do you manage the apps if you disable the deployment server port? 8089 with a properly created and issued certificate should void any vulnerabilities you have...

0 Karma

mattlucas719
Explorer

Port 8089 is listening on the UF and is used only for REST/CLI communication, handling INBOUND requests to the UF instance.
Apps that get deployed to a UF (or actually all Splunk instances) are done via a PULL method, i.e., Splunk is configured to reach out to the DS and pull down the apps that it's assigned; the DS does not PUSH to the instance.
So an open port is not needed for app deployment; as long as the UF can reach DS:8089, it'll get the apps.

PS: if you disable port 8089 on the DS itself, yes, you kill app deployment.

teekayx
Path Finder

Very succinct, thanks.

0 Karma

araitz
Splunk Employee

In addition to disabling SSLv2, server.conf allows you to specify a valid cipherSuite.

0 Karma

trross33
Path Finder

Thank you. If anyone follows up on this thread, the disableDefaultPort = [true|false] setting is documented here: http://www.splunk.com/base/Documentation/latest/admin/Serverconf

trross33
Path Finder

Thanks. I appreciate it.

0 Karma

araitz
Splunk Employee

Yes, a server.conf configuration can be pushed with deployment server.

trross33
Path Finder

Can a server.conf configuration be pushed out with the Splunk deployment server?

0 Karma
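
An added example (not from the thread or from Splunk): a small Python check that works out which server.conf layer decides `disableDefaultPort` on a forwarder, which matters because `etc/system/local` takes precedence over a deployed app's `local` directory. The app name `uf_disable_mgmt_port` and all sample file contents are constructed for illustration.

```python
import configparser

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'disableDefaultPort' as written, not lowercased
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_setting(layers, stanza, key):
    """layers: list of (path, conf_text), highest precedence first.
    Returns (value, path) from the first layer that sets the key."""
    for path, text in layers:
        value = parse_conf(text).get(stanza, {}).get(key)
        if value is not None:
            return value.strip(), path
    return None, None

def management_port_open(layers):
    """Return (is_open, deciding_file). Unset means open: the default is 'false'."""
    value, source = effective_setting(layers, "httpServer", "disableDefaultPort")
    # Assumption: only 'true' or '1' count as enabled; anything else is treated as open.
    disabled = value is not None and value.lower() in ("true", "1")
    return (not disabled), source

# Constructed sample layers; the app name is hypothetical.
APP = "etc/apps/uf_disable_mgmt_port/local/server.conf"
SYS = "etc/system/local/server.conf"
DEPLOYED = "[httpServer]\ndisableDefaultPort = true\n"

# Forwarder A: only the deployed app sets the value.
UF_A = [(SYS, "[general]\nserverName = uf-a\n"), (APP, DEPLOYED)]
# Forwarder B: a leftover system/local entry overrides the deployed app.
UF_B = [(SYS, "[httpServer]\ndisableDefaultPort = false\n"), (APP, DEPLOYED)]
# Forwarder C: the app never arrived, so the default applies.
UF_C = [(SYS, "[general]\nserverName = uf-c\n")]

if __name__ == "__main__":
    for name, layers in (("uf-a", UF_A), ("uf-b", UF_B), ("uf-c", UF_C)):
        is_open, source = management_port_open(layers)
        state = "LISTENING" if is_open else "disabled"
        print(f"{name}: management port {state} (decided by {source or 'default'})")
```

On a real forwarder, `splunk btool server list httpServer --debug` prints the merged stanza together with the file each value came from.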