Security

Server.conf allowRemoteLogin set to never, but splunk server still allows remote login?

dtrelford
Path Finder

I want to stop all remote logins to a Splunk server. To do this, I added the following to /etc/system/local/server.conf (as documented in https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Serverconf):

allowRemoteLogin = never

After restarting Splunk, the web console is still accessible remotely. I also commented out the following in /etc/system/default/server.conf, to rule out a conflict, but the issue persists:

# allowRemoteLogin=requireSetPassword

What am I missing?


shivanshu1593
Contributor

You're merging two different aspects into one here. The setting `allowRemoteLogin` is only applicable to the splunkd service, not the web UI. The document says the very same:

When set to "never", only local logins to splunkd are allowed. Note that this still allows remote management through Splunk Web if Splunk Web is on the same server.

I believe you're trying to restrict web UI access towards your Splunk server. For that, in the firewall of your server, add the rule, which will allow only localhost to access the Splunk web port. This will do the trick, as this requirement falls more towards server administration, rather than Splunk.

Also, please don't hash anything out or make any sort of changes in the default Splunk configuration files, else you're going to find a lot of error messages in Splunk complaining about file integrity monitoring. Splunk highly recommends against modifying the default files, and configurations in the local folder are always preferred over default anyway.

Hope that helps,

S

If it helps, please accept it as an answer.


dtrelford
Path Finder

I need 443 to be open for a webhook required for the functionality of the Microsoft Teams Add-on for Splunk (https://splunkbase.splunk.com/app/4994/#/overview), so because of this I can't limit all 443 connections to local only.

I checked web.conf configuration options (https://docs.splunk.com/Documentation/ITSI/4.5.0/Configure/web.conf) and I don't see an option to limit the splunk web connections to local only. Is this possible?


soutamo
SplunkTrust
SplunkTrust

Hi

I just looked at the web.conf spec and found this:

server.socket_host = <ip_address>
* Host values may be any IPv4 or IPv6 address, or any valid hostname.
* The string 'localhost' is a synonym for '127.0.0.1' (or '::1', if your
  hosts file prefers IPv6).
* The string '0.0.0.0' is a special IPv4 entry meaning "any active interface"
  (INADDR_ANY), and "::" is the similar IN6ADDR_ANY for IPv6.
* Default (if 'listenOnIPV6' is set to "no"): 0.0.0.0
* Default (otherwise): "::"

Maybe this helps you by setting it to 127.0.0.1

Another way could be to require a client cert generated by a "secret" CA?

r. Ismo 


dtrelford
Path Finder

This worked. Setting localhost in web.conf and restarting the splunkd service stopped the web console from being accessible remotely, but it is still accessible locally.

server.socket_host = localhost


shivanshu1593
Contributor

Unfortunately you cannot limit the usage of Splunk web like this.

However, in a firewall, you can have multiple rules for the same port. For your requirement, I'd suggest keeping the incoming connection limited only to the Microsoft Teams server IP (as it'll send call record data on it. Just create an inbound rule for it. If you want Splunk to connect to it as well, create an outbound rule and it'll do the trick) and your localhost. This will fulfill your requirement of no one being able to access your Splunk web portal apart from being accessed locally, and your webhook will still be working. In the future, if you want someone else to access the port on your Splunk server, you just have to create a firewall rule accordingly. This is usually how servers in a DMZ are set up as well.

Hope this helps,

S

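Two checks that go with the answers above, as an added example that is not from this thread or from Splunk: one verifies that Splunk Web really is bound to loopback after `server.socket_host = localhost` by inspecting an `ss -ltn` line, and the other prints (without applying) the per-port firewall rules just described, allowing the port only from loopback plus an explicit list of peer IPs. It assumes a Linux host with `ss` and iptables; the sample socket lines and the peer IP 203.0.113.10 are constructed.

```shell
#!/bin/sh
# Added example: defensive checks for a Splunk host, not code from the thread.
# Assumes GNU/Linux `ss -ltn` output (State Recv-Q Send-Q Local:Port Peer:Port)
# and iptables rule syntax.

# Constructed sample lines in the shape `ss -ltn` prints for Splunk Web on 8000.
SAMPLE_LOCAL='LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*'
SAMPLE_ANY='LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*'
SAMPLE_ANY6='LISTEN 0 128 [::]:8000 [::]:*'

# is_local_only "<ss line>": succeed only when the listener is bound to
# 127.0.0.1 or ::1, i.e. what server.socket_host = localhost should produce.
is_local_only() {
    local_addr=$(printf '%s\n' "$1" | awk '{print $4}')
    case "$local_addr" in
        127.0.0.1:*|\[::1\]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_fw_rules PORT IP...: print iptables rules that accept PORT from the
# loopback interface and from each listed peer IP, then drop everything else.
# Nothing is applied; review the output and feed it to the firewall yourself.
gen_fw_rules() {
    port=$1; shift
    printf 'iptables -A INPUT -p tcp --dport %s -i lo -j ACCEPT\n' "$port"
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$ip"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# count_accepts PORT IP...: number of ACCEPT rules generated (loopback + peers).
count_accepts() { gen_fw_rules "$@" | grep -c 'ACCEPT'; }

# Self-check on the constructed lines; on a live host replace SAMPLE_* with
# the output of: ss -ltn | grep ':8000 '
if is_local_only "$SAMPLE_LOCAL"; then echo "8000 bound to loopback only"; fi
if ! is_local_only "$SAMPLE_ANY"; then echo "8000 reachable on all interfaces"; fi
gen_fw_rules 443 203.0.113.10
```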

dtrelford
Path Finder

Unfortunately Microsoft does not provide an IP range to whitelist for the Teams app.
