Server.conf allowRemoteLogin set to never, but splunk server still allows remote login?

dtrelford
Path Finder

I want to stop all remote logins to a Splunk server. To do this, I added the following to /etc/system/local/server.conf (as documented in https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Serverconf):

allowRemoteLogin = never

After restarting Splunk, web console is still accessible remotely. I also commented out the following in /etc/system/default/server.conf, to rule out a conflict, but issue persists:

# allowRemoteLogin=requireSetPassword

What am I missing?


shivanshu1593
Builder

You're merging two different aspects into one here. The setting `allowRemoteLogin` is only applicable to the splunkd service, not the web UI. The document says the very same:

When set to "never", only local logins to splunkd are allowed. Note that this still allows remote management through Splunk Web if Splunk Web is on the same server.

I believe you're trying to restrict web UI access to your Splunk server. For that, add a rule in your server's firewall that allows only localhost to access the Splunk web port. This will do the trick, as this requirement falls more under server administration than Splunk.

Also, please don't hash anything out or make any sort of changes in the default Splunk configuration files, else you're going to find a lot of error messages in Splunk complaining about file integrity monitoring. Splunk highly recommends against modifying the default files, and configurations in the local folder are always preferred over default anyway.

Hope that helps,

S

dtrelford
Path Finder

I need 443 to be open for a webhook required for functionality of Microsoft Teams Addon for Splunk - (https://splunkbase.splunk.com/app/4994/#/overview), so because of this I can't limit all 443 connections to local only. 

I checked web.conf configuration options (https://docs.splunk.com/Documentation/ITSI/4.5.0/Configure/web.conf) and I don't see an option to limit the splunk web connections to local only. Is this possible?


isoutamo
SplunkTrust

Hi

I just looked at the web.conf spec and found this:

server.socket_host = <ip_address>
* Host values may be any IPv4 or IPv6 address, or any valid hostname.
* The string 'localhost' is a synonym for '127.0.0.1' (or '::1', if your
  hosts file prefers IPv6).
* The string '0.0.0.0' is a special IPv4 entry meaning "any active interface"
  (INADDR_ANY), and "::" is the similar IN6ADDR_ANY for IPv6.
* Default (if 'listenOnIPV6' is set to "no"): 0.0.0.0
* Default (otherwise): "::"

Maybe this helps you: try setting it to 127.0.0.1.

Another way could be to require a client cert generated by a "secret" CA?

r. Ismo 

dtrelford
Path Finder

This worked. Setting localhost in web.conf and restarting the splunkd service stopped the web console from being accessible remotely, but it is still accessible locally.

server.socket_host = localhost

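A check of the two settings this thread separates, as an added example and not code from the post or from Splunk: it applies the web.conf.spec defaults quoted above to work out the address Splunk Web actually binds to, and reads allowRemoteLogin from server.conf separately, since that setting only governs splunkd. The conf fragments are constructed samples, and the assumption that listenOnIPV6 defaults to "no" when unset is mine.

```python
import configparser

# Constructed sample fragments of $SPLUNK_HOME/etc/system/local/server.conf
# and web.conf (not taken from the original post).
SAMPLE_SERVER_CONF = """
[general]
allowRemoteLogin = never
"""
SAMPLE_WEB_CONF = """
[settings]
httpport = 8000
server.socket_host = localhost
listenOnIPV6 = no
"""

# Bind addresses that keep Splunk Web reachable only from the host itself.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _parse(conf_text):
    # Splunk conf files are INI-like; '#' comments (as in the question) are skipped.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp


def effective_bind_host(web_conf):
    """Address Splunk Web listens on, per the web.conf.spec defaults:
    0.0.0.0 when listenOnIPV6 is "no", otherwise "::"."""
    cp = _parse(web_conf)
    settings = cp["settings"] if cp.has_section("settings") else {}
    host = settings.get("server.socket_host", "").strip()
    if host:
        return host
    # Assumption: listenOnIPV6 defaults to "no" when it is not set at all.
    ipv6 = settings.get("listenOnIPV6", "no").strip().lower()
    return "0.0.0.0" if ipv6 == "no" else "::"


def audit(web_conf, server_conf):
    """Report both settings side by side; they control different listeners."""
    cp = _parse(server_conf)
    general = cp["general"] if cp.has_section("general") else {}
    policy = general.get("allowRemoteLogin", "requireSetPassword").strip()
    host = effective_bind_host(web_conf)
    return {
        "splunkd_allowRemoteLogin": policy,        # management port only
        "splunk_web_bind": host,                   # what Splunk Web listens on
        "splunk_web_local_only": host in LOOPBACK,
    }
```

The check only reads configuration; confirm the running state on the host with `ss -ltn` (or `netstat -ltn`) after the restart, since a typo in the stanza name would leave the default bind in place.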

shivanshu1593
Builder

Unfortunately you cannot limit the usage of Splunk web like this.

However, in a firewall you can have multiple rules for the same port. For your requirement, I'd suggest keeping the incoming connection limited to the Microsoft Teams server IP (as it will send call record data to it; just create an inbound rule for it. If you want Splunk to connect to it as well, create an outbound rule and it will do the trick) and your localhost. This will fulfill your requirement that no one can access your Splunk web portal apart from locally, and your webhook will still be working. In the future, if you want someone else to access the port on your Splunk server, you just have to create a firewall rule accordingly. This is usually how servers in a DMZ are set up as well.

Hope this helps,

S


dtrelford
Path Finder

Unfortunately Microsoft does not provide an IP range to whitelist for the Teams app.
