I want to stop all remote logins to a Splunk server. To do this, I added the following to /etc/system/local/server.conf (as documented in https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Serverconf):
allowRemoteLogin = never
After restarting Splunk, web console is still accessible remotely. I also commented out the following in /etc/system/default/server.conf, to rule out a conflict, but issue persists:
# allowRemoteLogin=requireSetPassword
What am I missing?
Hi
I just looked at the web.conf spec and found this:
server.socket_host = <ip_address>
* Host values may be any IPv4 or IPv6 address, or any valid hostname.
* The string 'localhost' is a synonym for '127.0.0.1' (or '::1', if your hosts file prefers IPv6).
* The string '0.0.0.0' is a special IPv4 entry meaning "any active interface" (INADDR_ANY), and "::" is the similar IN6ADDR_ANY for IPv6.
* Default (if 'listenOnIPV6' is set to "no"): 0.0.0.0
* Default (otherwise): "::"
Maybe this helps you: set it to 127.0.0.1.
Another way could be to require a client cert which has been generated by a "secret" CA?
r. Ismo
You're merging two different aspects into one here. The setting ```allowRemoteLogin``` is only applicable to the splunkd service, not the web UI. The document says the very same.
When set to "never", only local logins to splunkd are allowed. Note that this still allows remote management through Splunk Web if Splunk Web is on the same server.
I believe you're trying to restrict web UI access towards your Splunk server. For that, in the firewall of your server, add the rule, which will allow only localhost to access the Splunk web port. This will do the trick, as this requirement falls more towards server administration, rather than Splunk.
Also, please don't hash anything out or make any sort of changes in default Splunk configuration files, else you're going to find a lot of error messages in Splunk, complaining about file integrity monitoring. Splunk highly recommends against modifying the default files, and configurations in the local folder are always preferred over default anyway.
Hope that helps,
S
If it helps, please accept it as an answer.
I need 443 to be open for a webhook required for functionality of Microsoft Teams Addon for Splunk - (https://splunkbase.splunk.com/app/4994/#/overview), so because of this I can't limit all 443 connections to local only.
I checked web.conf configuration options (https://docs.splunk.com/Documentation/ITSI/4.5.0/Configure/web.conf) and I don't see an option to limit the splunk web connections to local only. Is this possible?
This worked. Setting localhost in web.conf and restarting the splunkd service stopped the web console from being accessible remotely, but it is still accessible locally.
server.socket_host = localhost
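To confirm that the web.conf change above really took effect after the restart, here is an added check (not from this thread) that classifies how a port is bound from `ss -ltn` output; the listener tables below are constructed samples, 8000 is Splunk Web's default port, and the OP's deployment uses 443 instead.

```shell
#!/bin/sh
# Added example, not from the thread: classify how Splunk Web's port is bound
# from `ss -ltn` style output, so the server.socket_host change can be verified.
# Returns "local" when every listener on the port is bound to loopback,
# "exposed" when any listener is on a wildcard or non-loopback address,
# "none" when nothing listens on the port.
splunk_web_binding() {
  port="$1"       # TCP port Splunk Web listens on (8000 by default)
  listeners="$2"  # `ss -ltn` output; pass "$(ss -ltn)" on a live host
  state="none"
  # Column 4 of `ss -ltn` is Local Address:Port, e.g. 0.0.0.0:8000,
  # 127.0.0.1:8000, [::]:8000, [::1]:8000 or *:8000. The header row is skipped.
  for addr in $(printf '%s\n' "$listeners" | awk 'NR>1 {print $4}'); do
    [ "${addr##*:}" = "$port" ] || continue
    case "${addr%:*}" in
      127.*|'[::1]'|localhost)
        # loopback; only counts as local if no exposed listener was seen
        [ "$state" = "exposed" ] || state="local" ;;
      *)
        state="exposed" ;;
    esac
  done
  printf '%s\n' "$state"
}

# Constructed sample listener tables (not captured from a real server).
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8089     0.0.0.0:*'
SAMPLE_DUALSTACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    [::]:8000          [::]:*'
SAMPLE_FIXED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8000     0.0.0.0:*'

# Expected: exposed, exposed, local, none
splunk_web_binding 8000 "$SAMPLE_DEFAULT"
splunk_web_binding 8000 "$SAMPLE_DUALSTACK"
splunk_web_binding 8000 "$SAMPLE_FIXED"
splunk_web_binding 443 "$SAMPLE_FIXED"
```

On a real host run `splunk_web_binding 443 "$(ss -ltn)"` (or 8000 for a default install); an IPv6 wildcard `[::]` binding is reported as exposed even when only the IPv4 side was restricted.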
Unfortunately you cannot limit the usage of Splunk web like this.
However, in a firewall, you can have multiple rules for the same port. For your requirement, I'd suggest keeping the incoming connection limited only to the Microsoft Teams server IP (as it'll send call record data on it; just create an inbound rule for it. If you want Splunk to connect to it as well, create an outbound rule and it'll do the trick) and your localhost. This will fulfill your requirement of no one being able to access your Splunk web portal apart from local access, and your webhook will still be working. In the future, if you want someone else to access the port on your Splunk server, you just have to create a firewall rule accordingly. This is usually how servers in a DMZ are set up as well.
Hope this helps,
S
Unfortunately Microsoft does not provide an IP range to whitelist for the Teams app.