Disable Management port on Universal Forwarder


I've seen a few older posts on this, so I thought I might try and get a more recent answer. 

There are situations in which you might want to run the Universal forwarder as root.  Sensibly new versions of the uf remove the default password issue, but the existence of the Splunk management port running as root exposes the UF to the possibility of a remote and local  privilege escalation, whether through poor password management by an admin or some undiscovered authentication flaw in the UF itself. 

Disabling the management port altogether should remove that vector entirely.

There is a documented method in server.conf To save you looking it up here are the docs from 8.1.3

disableDefaultPort = <boolean>
* If set to "true", turns off listening on the splunkd management port,
  which is 8089 by default.
* NOTE: Changing this setting is not recommended.
  * This is the general communication path to splunkd.  If it is disabled,
    there is no way to communicate with a running splunk instance.
  * This means many command line splunk invocations cannot function,
    Splunk Web cannot function, the REST interface cannot function, etc.
  * If you choose to disable the port anyway, understand that you are
    selecting reduced Splunk functionality.
* Default: false

In my testing enabling it on an UF seems OK. Some CLI commands fail, notably anything that needs to authenticate.

My question is that other than most cli commands, will anything important to the UF break?

Labels (1)
0 Karma


The older posts on this topic are still valid.

If this reply helps you, an upvote would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...