
Splunk Enterprise 8089 Vulnerability Scan Results: Resolve these SSL errors when not using SSL?

tashdid
Explorer

Hello, our Splunk universal forwarder, only on our Nessus instance, is generating findings on port 8089. Our Splunk doesn't use the universal forwarder's SSL (we implemented our own wrapper). So why is it trying to create a connection on 8089 (even though our firewall is blocking it)?

I'm required to scan my Splunk Enterprise environment for compliance reasons. When I'm scanning my search heads and indexers, I keep getting multiple SSL errors for the management port 8089. I've searched and haven't found a method to upload a third-party cert to fix this, or whether this is something that I'll just have to note as not fixable. I've included some of the vulnerability issues I've found. Not sure if opening a ticket with support would get me the information I need.

SSL Certificate with Wrong Hostname
SSL Certificate Cannot Be Trusted
SSL Self-Signed Certificate

1 Solution

masonmorales
Influencer

If you don't need TCP/8089 open on your forwarders and you're blocking it anyway, you can just disable it. Here's a TA you can deploy to your forwarders to do so: https://splunkbase.splunk.com/app/3246/


PavelP
Motivator

Hello @tashdid

8089 is the splunkd port. I strongly suggest fixing your SSL setup on SH/IDX/HF instead of disabling encryption, especially if you care about security. You can disable it on the UF if not needed.

Google for "splunk ssl best practices" to get an overview of what can be done.

As a dirty hack you can (temporarily, of course) configure the firewall (network or local) to block this port for any IPs except your SH/IDX, so the scan will not detect it.

tashdid
Explorer

Yes, this would be on the UF, and it is blocked on our firewalls on all instances. However, the UF the scanner sits on (since it's localhost) is picking up port 8089 as running SSL-encrypted traffic.

Do you have a link showing how I can configure just that port with a custom cert?

PavelP
Motivator

Hello @tashdid

Here is the PDF: https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr...

As @masonmorales mentioned, you can disable this port instead if it is not needed.


tashdid
Explorer

So it seems this app is for 6.x. We are running Splunk 7.3. Would this app work for that? In particular, is all we need to do this:

# append the [httpServer] stanza to the local server.conf
cat >> "$SPLUNK_HOME/etc/system/local/server.conf" <<'EOF'
[httpServer]
disableDefaultPort=true
EOF

masonmorales
Influencer

Yes, it will work for Splunk 7 and Splunk 8. The configuration has not changed.

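The server.conf change from the posts above, as an added example that is not the thread's own code nor Splunk's or the linked TA's: a small Python helper that applies `[httpServer] disableDefaultPort = true` idempotently (an existing stanza is updated in place rather than a duplicate appended) and reports whether a given server.conf already has it. Only the stanza, key and port come from the thread; the file path and helper names are assumptions.

```python
"""Idempotently set [httpServer] disableDefaultPort = true in a Splunk server.conf.
Example helper written for this thread, not Splunk's or the linked TA's code;
the stanza and key come from the thread, the helper names are assumptions."""
import configparser
import io
from pathlib import Path

STANZA = "httpServer"
KEY = "disableDefaultPort"


def _parser() -> configparser.ConfigParser:
    # Splunk .conf keys are case-sensitive camelCase: keep them as written.
    # Interpolation off so a literal '%' in a value is not mangled.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    return cp


def management_port_disabled(conf_text: str) -> bool:
    """True if this server.conf text already turns the default port off."""
    cp = _parser()
    cp.read_string(conf_text)
    return cp.has_section(STANZA) and cp.getboolean(STANZA, KEY, fallback=False)


def disable_management_port(conf_text: str) -> str:
    """Apply the setting; an existing [httpServer] stanza is updated in place,
    so (unlike a blind `echo >>`) the file never gets a second copy of it."""
    cp = _parser()
    cp.read_string(conf_text)
    if not cp.has_section(STANZA):
        cp.add_section(STANZA)
    cp.set(STANZA, KEY, "true")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def disable_in_file(path: Path) -> bool:
    """Rewrite server.conf at path (created if absent); True if it changed."""
    before = path.read_text() if path.exists() else ""
    after = disable_management_port(before)
    if before == after:
        return False
    path.write_text(after)
    return True
```

configparser rewrites the file without its comments, so back up a hand-edited server.conf first. After restarting splunkd, confirm nothing is listening on 8089 with `ss -ltn`.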