I am having no success in disabling the web service on my universal forwarders?
Issue: Security team were able to browse to my universal forwarders using https://[universalforwarder]:8089. I have been instructed to kill the web service on the UFs.
Have tried: creating a new web.conf placed in etc/system/local with the following settings applied
startwebserver = 0
httpport = 0
With these settings in place and removal of the old web.conf file sitting in etc/default, I am still able to web onto my UFs from a remote machine.
Am I missing a setting somewhere?
Thanks
So per https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/BindSplunktoanIP
$SPLUNK_HOME/etc/splunk-launch.conf
SPLUNK_BINDIP=127.0.0.1
Do you know if this can be set by running the CLI?
Port 8089 is NOT splunkweb, it is Splunk's management port. It does, however, speak HTTP so it can appear to be an HTTP Server.
I don't think you can (safely) disable it entirely. You might use SPLUNK_BINDIP to restrict this port to only listening on 127.0.0.1.
http://answers.splunk.com/answers/134/how-do-i-bind-splunk-to-a-specific-interface
To elaborate, let's go through Splunk's architecture. There are two daemons - services if you will - splunkd and splunkweb. Each of these has a distinct purpose.
The splunkweb service provides the user interface components, which (by default) run HTTP on port 8000. This is where the search interface lives, and is how most users interact with Splunk.
The splunkd service is the indexing / forwarding / searching component. It has no real UI, and is interacted with by using an HTTPS port on (usually) port 8089 where REST APIs are called. Using Splunkd alone, you can't view a dashboard or create a chart. If you know the REST API - or are using an SDK - you can use the REST API (or SDK) to programmatically run searches and so forth - but the UI is up to you at that point.
Out of the box, UFs have the splunkweb web service disabled entirely. In fact, it is impossible to run splunkweb on a UF because UFs do not include the Splunk python runtime. UFs cannot run splunkweb.
UFs do, however, run Splunkd - they need to run Splunkd to do things like tail log files and forward this data to Splunk indexers.
As far as web.conf goes, if we look closely at the startwebserver option in the docs, it is specifically whether or not to start Splunkweb.
startwebserver = [0 | 1]
* Set whether or not to start SplunkWeb.
* 0 disables SplunkWeb, 1 enables it.
* Defaults to 1.
So control of Splunkd's REST port at 8089 is not governed by startwebserver. There is, however, the disableDefaultPort option in server.conf. This should work; however, there have been issues documented with it in the past.
Disabling the REST port entirely could cause some breakage, because there are CLI commands that use the REST port to talk to Splunkd. You would not be able to, for example, do a splunk list monitor or splunk add monitor, because these commands are implemented using the REST port. This is why I suggested using SPLUNK_BINDIP to limit access to the REST port to the local host.
Also, it might be worth being sure to change the default password and use IPTABLES to prevent access to it (if you're running on a brand of *nix). I had similar concerns a while back.
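An added shell audit (not code from the thread or from Splunk) that makes the answer's point checkable on a forwarder: it reads the effective SPLUNK_BINDIP from splunk-launch.conf, inspects a saved socket listing for non-loopback listeners on 8089, and gives one PASS/FAIL verdict per host. The file paths, the `ss -H -ltn` column layout (iproute2) and the listings themselves are assumptions; the sample files are constructed in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added audit helpers for the splunkd management port on a universal forwarder.
# Not from the thread or from Splunk; all input files below are constructed samples.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed $SPLUNK_HOME/etc/splunk-launch.conf with the answer's recommended setting.
cat > "$WORK/launch_bound.conf" <<'EOF'
SPLUNK_HOME=/opt/splunkforwarder
SPLUNK_BINDIP=127.0.0.1
EOF

# Constructed splunk-launch.conf with no bind address (splunkd then listens on every interface).
cat > "$WORK/launch_default.conf" <<'EOF'
SPLUNK_HOME=/opt/splunkforwarder
EOF

# Constructed `ss -H -ltn` output from a forwarder whose port 8089 faces the network.
cat > "$WORK/ss_exposed.txt" <<'EOF'
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8065 0.0.0.0:*
EOF

# Constructed `ss -H -ltn` output after SPLUNK_BINDIP=127.0.0.1 took effect.
cat > "$WORK/ss_local.txt" <<'EOF'
LISTEN 0 128 127.0.0.1:8089 0.0.0.0:*
EOF

# Print the address splunkd will bind, read from splunk-launch.conf.
# An absent SPLUNK_BINDIP means "all interfaces", reported here as 0.0.0.0.
effective_bindip() {
    ip="$(sed -n 's/^[[:space:]]*SPLUNK_BINDIP[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 | tr -d '[:space:]')"
    printf '%s\n' "${ip:-0.0.0.0}"
}

# Given a saved `ss -H -ltn` listing and a port, print "local-only" when every
# listener on that port is bound to loopback, otherwise print each exposed socket.
mgmt_port_exposure() {
    exposed="$(awk -v port="$2" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            host = $4; sub(":" port "$", "", host)
            if (host != "127.0.0.1" && host != "[::1]") print $4
        }' "$1")"
    if [ -z "$exposed" ]; then printf 'local-only\n'; else printf '%s\n' "$exposed"; fi
}

# One verdict per host: PASS only when the config says loopback and the socket table agrees.
# Checking both catches a splunk-launch.conf edit that splunkd has not yet been restarted for.
audit_forwarder() {
    bind="$(effective_bindip "$1")"
    exp="$(mgmt_port_exposure "$2" 8089)"
    if [ "$bind" = "127.0.0.1" ] && [ "$exp" = "local-only" ]; then
        printf 'PASS bindip=%s\n' "$bind"
    else
        printf 'FAIL bindip=%s exposed=%s\n' "$bind" "$(printf '%s' "$exp" | tr '\n' ' ' | sed 's/ $//')"
    fi
}

audit_forwarder "$WORK/launch_default.conf" "$WORK/ss_exposed.txt"
audit_forwarder "$WORK/launch_bound.conf" "$WORK/ss_local.txt"
```

To run it against a real forwarder, point `audit_forwarder` at `$SPLUNK_HOME/etc/splunk-launch.conf` and at `ss -H -ltn` output captured on that host. The two checks are deliberately separate: the config check tells you what was intended, the socket check tells you what is actually reachable, and a FAIL that shows `bindip=127.0.0.1` together with an exposed socket points at the restart that the setting needs before it takes effect.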
No, it's not a bug. It is, perhaps, a case of the options in web.conf not being clear as to what they do or do not do. I will update my post to clarify further.
Yes, your comment "It does, however, speak HTTP so it can appear to be an HTTP Server" is the issue here.
Seems a bit naughty that does, if it's not a bug.
Yes, I don't want to kill the management port completely, just the ability to browse to a universal forwarder over this port. I did use the httpdisable stanza in server.conf, but then I lost functionality in CLI mode, i.e. I was not able to list forward-servers etc. for my troubleshooting scenarios.
I don't know what to check, but I think if we remove the admin user's capabilities we will be safe. Let's wait for the clarification.