Security

Disable the UF web service

smithjnick
Path Finder

I am having no success in disabling the web service on my universal forwarders?

Issue: Security team were able to browse to my universal forwarders using https://[universalforwarder]:8089. I have been instructed to kill the web service on the UFs.

Have tried: creating a new web.conf placed in etc/system/local with the following settings applied

startwebserver = 0
httpport = 0

With these settings in place and removal of the old web.conf file sitting in etc/default i am still able to web onto my UF's from a remote machine?

Am i missing a setting somewhere?

thanks

Tags (2)

locose
Path Finder

So per https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/BindSplunktoanIP

$SPLUNK_HOME/etc/splunk-launch.conf

SPLUNK_BINDIP=127.0.0.1

Do you know if this can be set running the cli ?

0 Karma

dwaddle
SplunkTrust
SplunkTrust

Port 8089 is NOT splunkweb, it is Splunk's management port. It does, however, speak HTTP so it can appear to be an HTTP Server.

I don't think you can (safely) disable it entirely. You might use SPLUNK_BINDIP to restrict this port to only listening on 127.0.0.1.

http://answers.splunk.com/answers/134/how-do-i-bind-splunk-to-a-specific-interface


To elaborate, let's go through Splunk's architecture. There are two daemons - services if you will - splunkd and splunkweb. Each of these has a distinct purpose.

The splunkweb service provides the user interface components, which (by default) run HTTP on port 8000. This is where the search interface lives, and is how most users interact with Splunk.

The splunkd service is the indexing / forwarding / searching component. It has no real UI, and is interacted with by using an HTTPS port on (usually) port 8089 where REST APIs are called. Using Splunkd alone, you can't view a dashboard or create a chart. If you know the REST API - or are using an SDK - you can use the REST API (or SDK) to programmatically run searches and so forth - but the UI is up to you at that point.

Out of the box, UFs have the splunkweb web service disabled entirely. In fact, it is impossible to run splunkweb on a UF because UFs do not include the Splunk python runtime. UFs cannot run splunkweb.

UFs do, however, run Splunkd - they need to run Splunkd to do things like tail log files and forward this data to Splunk indexers.

As far as web.conf goes, if we look closely at the startwebserver option in the docs, it is specifically whether or not to start Splunkweb.

startwebserver = [0 | 1]
    * Set whether or not to start SplunkWeb.
    * 0 disables SplunkWeb, 1 enables it.
    * Defaults to 1.

So control of Splunkd's REST port at 8089 is not governed by startwebserver. There is however the disableDefaultPort option in server.conf. This should work, however there have been issues documented with it in the past.

Disabling the REST port entirely could cause some breakage, because there are CLI commands that use the REST port to talk to Splunkd. You would not be able to, for example, do a splunk list monitor or splunk add monitor because these commands are implemented using the REST port. This is why I suggested using SPLUNK_BINDIP to limit access to the REST port to the local host.

Drainy
Champion

Also, it might be worth being sure to change the default password and use IPTABLES to prevent access to it (if you're running on a brand of *nix). I had similar concerns a while back

dwaddle
SplunkTrust
SplunkTrust

No, it's not a bug. It is, perhaps, a case of the options in web.conf not being clear as to what they do or do not do. I will update my post to clarify further.

0 Karma

smithjnick
Path Finder

Yes, your comment "It does, however, speak HTTP so it can appear to be an HTTP Server" is the issue here.

Seems a bit naughty that does if its not a bug.

0 Karma

smithjnick
Path Finder

Yes, i dont want to kill the management port completely, just the ability to browse to a universal forwarder over this port. I did use the httpdisable stanza in server.conf but then i lost functionality in cli mode i.e. i was not able to list forward-servers etc... for my troubleshooting scenarios.

0 Karma

linu1988
Champion

I don't know what to check but , i think if we remove the admin users capabilities we will be safe. Let's wait for the clarification

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...