Securing Splunkweb (Free version)

evosplunk
Path Finder

Hi.

It sounds completely inane to me to not have any authentication on the free splunkweb interface.

I use Splunk professionally, so naturally I run Splunk Free on my personal servers, but they are just not secure!

How would one go about securing their splunkweb in the free version?

1 Solution

gkanapathy
Splunk Employee

You could reverse proxy the interface of the free version behind some other system. e.g., you could deny all but local access and require use of SSH tunnels, you could run an authenticated Apache reverse proxy in front of it, or use any other solution of your own devising. This will limit access, though you will still not be able to define roles or have different application users.


xorred
Engager

Not providing a secure login is extortion, not a policy. As a decision maker, I would not recommend this product to anyone (and will do the opposite) just because of that.

kristian_kolb
Ultra Champion

@bigwheels16
I totally understand your point, and I can agree that there is a good argument for having some basic authentication even in the free version. However, I would not go so far as to call the lack of such authentication "Extortion".

To me it looks more like @xorred may have misunderstood how the Trial license reverts to Splunk Free after some time, and that he maybe put some sensitive data in his Splunk, which suddenly became generally available. I can understand that one may feel a bit cheated upon in such a scenario, if that was indeed the case.


bigwheels16
Engager

@kristian.kolb @Damien Dallimore
Most of us who use Splunk Free are devs who use it at work. None of us are going to fork out 5 grand to monitor our own little side projects. For many of us, we make recommendations on what software to use, and for some of us, we are the final decision makers. The more familiar we become with the software, and the better able we are to leverage it, the less likely we will ever want to change. But without basic auth, Splunk Free is unusable. Given all that, giving us a reason to look at other solutions is, frankly, stupid.

kristian_kolb
Ultra Champion

Eeh, no. It is not Extortion - it's called Marketing.

Extortion would be to remove the authentication feature from existing enterprise licensed installations, and only turn it back on if the customer pays (again).

You may see this function as a good thing - i.e. try-before-you-buy, OR you see this as a dealer handing out heroin to schoolchildren; "The first fix is free!".

You don't have to use Splunk.
Your choice.


Damien_Dallimor
Ultra Champion

You have comprehensive authorization and fine-grained access controls available if you acquire an Enterprise License.


evosplunk
Path Finder

http://slashdir.com/securing-splunk-free/

I did it like this in Apache:

<virtualhost *:80>
    ServerAdmin evotech@slashdir.com
    ServerAlias splunk.slashdir.com
    ProxyPass / http://127.0.0.1:8008/
    ProxyPassReverse / http://127.0.0.1:8008/
</virtualhost>

<proxy http://127.0.0.1:8008/*>
    Order deny,allow
    Deny from all
    Allow from all
    AuthName "splunk"
    AuthType Basic
    AuthUserFile /home/evotech/public_www/.htpasswd
    Require valid-user
</proxy>

This, combined with a firewall rule that blocks HTTP for everyone but loopback on your Splunk port (port 8008 for me), makes sure that I can have a login for Splunk Free.

sudo iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8008 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8008 -j DROP

Although I still think it's insanely stupid to have to do it this way, it works.

Please include an admin user and password at the very least so people can block their free versions from a potential attacker. Even if it is just my personal server that I use for various owned domains and services, I don't want everyone to see all my logs, huge security issue.
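
The two iptables rules above are appended with `-A`, so they only take effect if no earlier rule in the INPUT chain already accepts the traffic. The following check is an added example, not part of the original post: it reads `iptables -S INPUT` output and reports whether port 8008 is really loopback-only. The function name and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `iptables -S INPUT` output on stdin
# and decides whether a non-loopback client can open a new TCP connection to PORT.
# Exit status: 0 = loopback only, 1 = exposed, 2 = a rule this sketch cannot judge.
# IPv4 only: ip6tables keeps a separate ruleset that needs the same check.
check_loopback_only() {
    awk -v port="$1" '
    function idx(flag,   i) { for (i = 1; i <= NF; i++) if ($i == flag) return i; return 0 }
    function val(flag,   i) { i = idx(flag); return i ? $(i + 1) : "" }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" || done { next }
    {
        target = val("-j"); proto = val("-p"); dport = val("--dport")
        state = val("--ctstate") val("--state")
        if (target != "ACCEPT" && target != "DROP" && target != "REJECT") next
        if (proto != "" && proto != "tcp" && proto != "all") next  # other protocol
        if (dport != "" && dport != port) next                     # other port
        if (state != "" && state !~ /NEW/) next    # established traffic only
        if (idx("!") || idx("--dports")) { rc = 2; why = "unmodelled rule: " $0 }
        else if (val("-s") ~ /^127\./ || val("-i") == "lo") next   # loopback rule
        else if (target == "ACCEPT") { rc = 1; why = "reachable via: " $0 }
        else if ((val("-s") val("-i")) == "") { rc = 0; why = "closed by: " $0 }
        else next                                  # scoped DROP, keep reading
        done = 1
    }
    END {
        if (!done) { rc = (policy == "DROP") ? 0 : 1; why = "chain policy " policy }
        print "port " port ": " why
        exit rc
    }'
}

# Constructed sample: the two rules from the post appended after a broad ACCEPT
# that was already in the chain, so the DROP is never reached.
SAMPLE_SHADOWED='-P INPUT ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8008 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8008 -j DROP'

printf '%s\n' "$SAMPLE_SHADOWED" | check_loopback_only 8008 || echo "exit status $?"
```

On a live host the same function can be fed directly: `sudo iptables -S INPUT | check_loopback_only 8008`.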

aNamee
Explorer

Hi,

I am trying to implement your solution on an HTTPS version of Splunk and Apache 2.4.
For now I have replaced the http instances with https in your code, but the browser page times out.

Any ideas about how to achieve this?
The thing is I am concerned about my password being sent unencrypted over the network.

Thanks! 🙂

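
An Apache 2.4 form of the reverse-proxy setup from earlier in the thread, with TLS terminated at the proxy so the Basic credentials are never sent in clear text. This is an added example, not configuration from any poster: the hostname, certificate paths and htpasswd location are placeholders, port 8008 is taken from the earlier post, and Splunk Web is assumed to listen with plain HTTP on loopback.

```apache
# Added example. Requires mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file and mod_authz_user. splunk.example.com and all file paths
# are placeholders.

# Plain HTTP only redirects, so a login is never attempted without TLS.
<VirtualHost *:80>
    ServerName splunk.example.com
    Redirect permanent / https://splunk.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName splunk.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/splunk.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/splunk.example.com.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPass        / http://127.0.0.1:8008/
    ProxyPassReverse / http://127.0.0.1:8008/
    # If Splunk Web itself serves HTTPS on loopback, use https:// in the two
    # lines above and add "SSLProxyEngine on"; the backend certificate must
    # then pass Apache's proxy certificate checks.

    # Apache 2.4 authorization syntax (replaces Order/Deny/Allow from 2.2).
    # Keep the htpasswd file outside any directory Apache serves.
    <Location "/">
        AuthType Basic
        AuthName "splunk"
        AuthUserFile /etc/apache2/splunk.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

The loopback-only firewall rule from the earlier post is still needed, since the proxy only protects requests that go through it.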

Drainy
Champion

Just to add another dimension to this, @gkanapathy probably has the best answer with regard to how to secure it;

It is also worth considering that since it is free and you cannot secure it in the normal Splunk manner, you perhaps shouldn't Splunk anything sensitive or anything you wouldn't want others to see. It is a free version and, as you acknowledge in Damien's answer, there is the paid Enterprise version available (in 500mb/day too), which is what should be deployed in an enterprise or professional setup.

The free version is just great for small home setups where you might want to log small amounts of data for your own quick reference, or perhaps as some have done, just to log your greenhouse temperatures!

Drainy
Champion

Well, it's a policy but not necessarily a bad one. It's still up to the user what they choose to store within it. Sadly, at the end of the day it's just a fact that Splunk is a business and the more functionality a free version has, the less inclined people would be to purchase an enterprise license.

evosplunk
Path Finder

It should still come with a single user sign on to just not leave it open. That is just a bad policy.

Damien_Dallimor
Ultra Champion

There is no authentication on the Free License. You would need to purchase an Enterprise License to enable authentication.

evosplunk
Path Finder

I'm not asking for the full product, just a single login user, like "admin". It's a pretty basic security issue. Not asking for multi-user auth.

kristian_kolb
Ultra Champion

Most likely, no. If there is a business case for implementing Splunk, you should go with an enterprise license.

If there isn't, a/o you just want to play around with it for fun/learning/personal use - then Splunk Free is there for you.

As for the amount of features available in Splunk Free, I'd say it's not really crippled in a bad way. Yes, you lose multi-user authentication and distributed searching. But as Drainy says, why should Splunk Inc provide you the full product for free?

/Kristian

evosplunk
Path Finder

I know that, not the question though.

Do people just leave their logs for all to see?
