
Server.conf allowRemoteLogin set to never, but splunk server still allows remote login?

dtrelford
Path Finder

I want to stop all remote logins to a Splunk server. To do this, I added the following to /etc/system/local/server.conf (as documented in https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Serverconf):

allowRemoteLogin = never

After restarting Splunk, the web console is still accessible remotely. I also commented out the following in /etc/system/default/server.conf, to rule out a conflict, but the issue persists:

# allowRemoteLogin=requireSetPassword

What am I missing?


shivanshu1593
Builder

You're merging two different aspects into one here. The setting `allowRemoteLogin` is only applicable to the splunkd service, not the web UI. The document says the very same:

When set to "never", only local logins to splunkd are allowed. Note that this
  still allows remote management through Splunk Web if Splunk Web is on
  the same server.

I believe you're trying to restrict web UI access to your Splunk server. For that, add a rule in your server's firewall that allows only localhost to access the Splunk web port. This will do the trick, as this requirement falls more under server administration than Splunk.

Also, please don't hash anything out or make any sort of changes in the default Splunk configuration files, else you're going to find a lot of error messages in Splunk complaining about file integrity monitoring. Splunk highly recommends against modifying the default files, and configurations in the local folder are always preferred over default anyway.

Hope that helps,

S

If it helps, please accept it as an answer.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

dtrelford
Path Finder

I need 443 to be open for a webhook required for the Microsoft Teams Add-on for Splunk (https://splunkbase.splunk.com/app/4994/#/overview), so I can't limit all 443 connections to local only.

I checked web.conf configuration options (https://docs.splunk.com/Documentation/ITSI/4.5.0/Configure/web.conf) and I don't see an option to limit the splunk web connections to local only. Is this possible?


isoutamo
SplunkTrust
SplunkTrust

Hi

I just looked at the web.conf spec and found this:

server.socket_host = <ip_address>
* Host values may be any IPv4 or IPv6 address, or any valid hostname.
* The string 'localhost' is a synonym for '127.0.0.1' (or '::1', if your
  hosts file prefers IPv6).
* The string '0.0.0.0' is a special IPv4 entry meaning "any active interface"
  (INADDR_ANY), and "::" is the similar IN6ADDR_ANY for IPv6.
* Default (if 'listenOnIPV6' is set to "no"): 0.0.0.0
* Default (otherwise): "::"

Maybe setting it to 127.0.0.1 helps you.

Another way could be to require a client cert generated by a "secret" CA?

r. Ismo 
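The distinction in this answer (allowRemoteLogin governs logins to splunkd, server.socket_host governs where Splunk Web listens) can be checked before restarting. The Python script below is an added example, not code from the thread or from Splunk: it merges conf text the way Splunk layers system/default and system/local (local overrides default), applies the server.socket_host default rule quoted from web.conf.spec above, and reports whether Splunk Web would still be reachable from other hosts. All conf text inside it is a constructed sample; on a real server you would feed it the contents of $SPLUNK_HOME/etc/system/default and system/local web.conf and server.conf (app-level conf files, which also take part in Splunk's precedence, are not modelled here).

```python
"""Check whether Splunk Web will still listen for remote connections.

Added example (not code from the thread or from Splunk). It layers conf text the
way Splunk does for system/default and system/local, then applies the
server.socket_host default rule from web.conf.spec. All conf text below is a
constructed sample.
"""
import configparser
import ipaddress

# Constructed stand-ins for $SPLUNK_HOME/etc/system/default/{web,server}.conf
DEFAULT_WEB_CONF = """
[settings]
httpport = 8000
listenOnIPv6 = no
"""
DEFAULT_SERVER_CONF = """
[general]
allowRemoteLogin = requireSetPassword
"""


def parse_conf(text):
    """Parse INI-style Splunk conf text into {stanza: {key: value}} (keys keep their case)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def merge_layers(*layers):
    """Merge stanza dicts left to right, so a later (local) layer overrides an earlier (default) one."""
    merged = {}
    for layer in layers:
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def effective_socket_host(web):
    """Apply the web.conf.spec rule: explicit value, else 0.0.0.0 or '::' depending on listenOnIPv6."""
    settings = web.get("settings", {})
    host = settings.get("server.socket_host", "").strip()
    if host:
        return host
    # the spec text quoted in the thread spells the key listenOnIPV6; accept both spellings
    ipv6 = settings.get("listenOnIPv6", settings.get("listenOnIPV6", "no")).strip().lower()
    return "0.0.0.0" if ipv6 == "no" else "::"


def binds_loopback_only(host):
    """True when the bind address is only reachable from the same machine."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # some other hostname: treat as reachable from the network


def assess(default_web, local_web, default_server, local_server):
    """Report the two settings the thread conflates, and which one actually governs remote web access."""
    web = merge_layers(parse_conf(default_web), parse_conf(local_web))
    server = merge_layers(parse_conf(default_server), parse_conf(local_server))
    host = effective_socket_host(web)
    return {
        # governs logins to splunkd only (management port), not Splunk Web
        "allowRemoteLogin": server.get("general", {}).get("allowRemoteLogin"),
        # governs which interfaces Splunk Web listens on
        "server.socket_host": host,
        "web_reachable_remotely": not binds_loopback_only(host),
    }


if __name__ == "__main__":
    # The poster's first attempt: only allowRemoteLogin changed, web still remote
    print(assess(DEFAULT_WEB_CONF, "[settings]\n",
                 DEFAULT_SERVER_CONF, "[general]\nallowRemoteLogin = never\n"))
    # The accepted fix: bind Splunk Web to loopback
    print(assess(DEFAULT_WEB_CONF, "[settings]\nserver.socket_host = localhost\n",
                 DEFAULT_SERVER_CONF, "[general]\nallowRemoteLogin = never\n"))
```

On the server itself, `splunk btool web list --debug` shows the merged value Splunk will actually use, and after the restart `ss -ltnp` confirms which address the web port is bound to; the script is only a way to reason about the two settings side by side.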

dtrelford
Path Finder

This worked. Setting localhost in web.conf and restarting the splunkd service stopped the web console from being accessible remotely, but it is still accessible locally.

server.socket_host = localhost


shivanshu1593
Builder

Unfortunately you cannot limit the usage of Splunk web like this.

However, in a firewall you can have multiple rules for the same port. For your requirement, I'd suggest keeping the incoming connection limited to only the Microsoft Teams server IP (as it'll send call record data on it; just create an inbound rule for it. If you want Splunk to connect to it as well, create an outbound rule and it'll do the trick) and your localhost. This will fulfill your requirement that no one can access your Splunk web portal other than locally, and your webhook will still work. In the future, if you want someone else to access the port on your Splunk server, you just have to create a firewall rule accordingly. This is usually how servers in a DMZ are set up as well.

Hope this helps,

S

Thank you,
Shiv
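Both of Shiv's replies describe the same host-firewall approach: several rules on the Splunk Web port, accepting loopback and named peer addresses first and dropping the rest. The script below is an added example, not from the thread or from Splunk, that renders such a ruleset in nftables syntax (assumed: a Linux host with nft) without applying it. Port 443 is the one named in the thread; the peer addresses are constructed placeholders. As the last reply notes, Microsoft publishes no source range for the Teams webhook, so in that case the peer list cannot be filled in and the port has to stay open to all peers.

```python
"""Render an nftables allowlist for the Splunk Web port.

Added example (not from the thread or from Splunk). It produces rule text for
review; nothing is applied. Peer addresses are constructed placeholders.
"""
import ipaddress

# Constructed placeholders: one IPv4 and one IPv6 peer that may call the webhook
EXAMPLE_PEERS = ["192.0.2.10", "2001:db8::10"]
SPLUNK_WEB_PORT = 443  # port named in the thread


def split_sources(sources):
    """Validate and normalise allowed sources into sorted IPv4 and IPv6 CIDR lists.

    Raises ValueError on anything that is not an address or network, so a typo
    cannot silently widen the allowlist.
    """
    v4, v6 = set(), set()
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        (v4 if net.version == 4 else v6).add(str(net))
    return sorted(v4), sorted(v6)


def render_nft_ruleset(port, sources, table="splunkweb"):
    """Build an nft table that only constrains `port`; other traffic is left to existing tables.

    Rule order matters: loopback and allowlisted peers are accepted first, then a
    final rule drops every other connection attempt to the port.
    """
    if not 0 < port < 65536:
        raise ValueError(f"invalid port {port}")
    v4, v6 = split_sources(sources)
    rules = [f'iif "lo" tcp dport {port} accept']  # local access, which the poster still needs
    if v4:
        rules.append(f"ip saddr {{ {', '.join(v4)} }} tcp dport {port} accept")
    if v6:
        rules.append(f"ip6 saddr {{ {', '.join(v6)} }} tcp dport {port} accept")
    rules.append(f"tcp dport {port} drop")  # everyone else
    body = "\n".join(f"        {rule}" for rule in rules)
    return (
        f"table inet {table} {{\n"
        f"    chain input {{\n"
        f"        type filter hook input priority 0; policy accept;\n"
        f"{body}\n"
        f"    }}\n"
        f"}}\n"
    )


def port_rule_lines(ruleset):
    """Return the port-specific rules in order, for review or testing."""
    return [line.strip() for line in ruleset.splitlines() if "dport" in line]


if __name__ == "__main__":
    print(render_nft_ruleset(SPLUNK_WEB_PORT, EXAMPLE_PEERS))
```

The chain uses `policy accept`, so the table only adds restrictions for the one port and leaves the host's other firewall rules in charge of everything else; review the output and load it with `nft -f`. Adding a peer later is a matter of appending to the source list and re-rendering, which is the "create a firewall rule accordingly" step from the reply above.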

dtrelford
Path Finder

Unfortunately Microsoft does not provide an IP range to whitelist for the Teams app.
