Security

How to limit which servers can connect to Splunk forwarders?

Konstantinov
Engager

Hello,

Our splunkforwarder Windows service listens on port 8089 from all IP addresses by default. Can I use Splunk conf files to allow connections only from Splunk servers?

Thanks.

0 Karma
1 Solution

FritzWittwer_ol
Contributor

Well, if this are just forwardes sending data to an indexer, you can diable 8089 at all, otherwise there is an accept attribute. Both are in Server.conf:

see http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

##########################################################################################
# Splunkd HTTP server configuration
##########################################################################################

[httpServer]
    * Set stand-alone HTTP settings for Splunk under this stanza name.
    * Follow this stanza name with any number of the following attribute/value pairs.  
    * If you do not specify an entry for each attribute, Splunk uses the default value.

...
disableDefaultPort = true|false
        * If true, turns off listening on the splunkd management port (8089 by default)
        * This setting is not recommended:
          * This is the general communication path to splunkd.  If it is disabled, there is
            no way to communicate with a running splunk.
          * This means many command line splunk invocations cannot function,
            splunkweb cannot function, the REST interface cannot function, etc.
          * If you choose to disable the port anyway, understand that you are selecting
            reduced Splunk functionality.
        * Default value is 'false'.

    acceptFrom = <network_acl> ...
        * Lists a set of networks or addresses to accept data from.  These rules are separated by commas or spaces
        * Each rule can be in the following forms:
        *   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
        *   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
        *   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
        *   4. A single '*' which matches anything
        * Entries can also be prefixed with '!' to cause the rule to reject the
          connection.  Rules are applied in order, and the first one to match is
          used.  For example, "!10.1/16, *" will allow connections from everywhere
          except the 10.1.*.* network.
        * Defaults to "*" (accept from anywhere)

View solution in original post

FritzWittwer_ol
Contributor

Well, if this are just forwardes sending data to an indexer, you can diable 8089 at all, otherwise there is an accept attribute. Both are in Server.conf:

see http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

##########################################################################################
# Splunkd HTTP server configuration
##########################################################################################

[httpServer]
    * Set stand-alone HTTP settings for Splunk under this stanza name.
    * Follow this stanza name with any number of the following attribute/value pairs.  
    * If you do not specify an entry for each attribute, Splunk uses the default value.

...
disableDefaultPort = true|false
        * If true, turns off listening on the splunkd management port (8089 by default)
        * This setting is not recommended:
          * This is the general communication path to splunkd.  If it is disabled, there is
            no way to communicate with a running splunk.
          * This means many command line splunk invocations cannot function,
            splunkweb cannot function, the REST interface cannot function, etc.
          * If you choose to disable the port anyway, understand that you are selecting
            reduced Splunk functionality.
        * Default value is 'false'.

    acceptFrom = <network_acl> ...
        * Lists a set of networks or addresses to accept data from.  These rules are separated by commas or spaces
        * Each rule can be in the following forms:
        *   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
        *   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
        *   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
        *   4. A single '*' which matches anything
        * Entries can also be prefixed with '!' to cause the rule to reject the
          connection.  Rules are applied in order, and the first one to match is
          used.  For example, "!10.1/16, *" will allow connections from everywhere
          except the 10.1.*.* network.
        * Defaults to "*" (accept from anywhere)

Konstantinov
Engager

Thanks! Is there any automated way to change server.conf file on all forwarders?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...