
Splunk Enterprise 8089 Vulnerability Scan Results: Resolve these SSL errors when not using SSL?

Explorer

Hello, our Splunk universal forwarder, only on our Nessus instance, is generating findings on port 8089. Our Splunk doesn't use the universal forwarder's SSL (we implemented our own wrapper). So why is it trying to create a connection on 8089 (even though our firewall is blocking it)?

I'm required to scan my Splunk Enterprise environment for compliance reasons. When I'm scanning my search heads and indexers, I keep getting multiple SSL errors for the management port 8089. I've searched and haven't found a way to figure out a method to upload a third-party cert to fix this, or whether this is something that I'll just have to make a note of as not fixable. I've included some of the vulnerability issues I've found. Not sure if opening a ticket with support would get me the information I need.

SSL Certificate with Wrong Hostname
SSL Certificate Cannot Be Trusted
SSL Self-Signed Certificate


Re: Splunk Enterprise 8089 Vulnerability Scan Results: Resolve these SSL errors when not using SSL?

Influencer

If you don't need TCP/8089 open on your forwarders and you're blocking it anyway, you can just disable it. Here's a TA you can deploy to your forwarders to do so: https://splunkbase.splunk.com/app/3246/


0 Karma

Re: Splunk Enterprise 8089 Vulnerability Scan Results: Resolve these SSL errors when not using SSL?

Explorer

So it seems this app is for 6.X. We are running Splunk 7.3. Would this app work for that? In particular, is all we need to do:

# Append the stanza that turns off the splunkd management port listener
cat >> "$SPLUNK_HOME/etc/system/local/server.conf" <<'EOF'

[httpServer]
disableDefaultPort=true
EOF

0 Karma

Re: Splunk Enterprise 8089 Vulnerability Scan Results: Resolve these SSL errors when not using SSL?

Influencer

Yes, it will work for Splunk 7 and Splunk 8. The configuration has not changed.

0 Karma
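An added example, not part of any post in this thread: a check that the `[httpServer]` `disableDefaultPort` stanza discussed above is the value that actually takes effect once configuration layers are merged. The parser is a simplified stand-in for Splunk's own resolution, and the layer labels, sample file contents and accepted boolean spellings are assumptions.

```python
# Added example: simplified stand-in for Splunk's layered .conf resolution.
TRUTHY = {"1", "true", "t", "yes", "y"}  # assumption: spellings treated as true

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_setting(layers, stanza, key):
    """layers: list of (label, conf_text), lowest precedence first.
    Returns (value, label of the layer that supplied it) or (None, None)."""
    value, source = None, None
    for label, text in layers:
        settings = parse_conf(text).get(stanza, {})
        if key in settings:
            value, source = settings[key], label  # later layers override
    return value, source

def mgmt_port_disabled(layers):
    """True when the merged configuration turns the 8089 listener off."""
    value, _ = effective_setting(layers, "httpServer", "disableDefaultPort")
    return value is not None and value.lower() in TRUTHY

# Constructed sample layers (not taken from a real deployment).
SYSTEM_DEFAULT = "[httpServer]\ndisableDefaultPort = false\n"
SYSTEM_LOCAL = "# stanza appended as in the post above\n[httpServer]\ndisableDefaultPort=true\n"
BEFORE = [("system/default", SYSTEM_DEFAULT)]
AFTER = BEFORE + [("system/local", SYSTEM_LOCAL)]

if __name__ == "__main__":
    for name, layers in (("before", BEFORE), ("after", AFTER)):
        print(name, effective_setting(layers, "httpServer", "disableDefaultPort"),
              "management port disabled:", mgmt_port_disabled(layers))
```

On a real forwarder, `splunk btool server list httpServer --debug` reports the merged value and the file it came from; a setting in `system/local` overrides the same key shipped in an app.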

Re: Splunk Enterprise 8089 Vulnerability Scan Results: Resolve these SSL errors when not using SSL?

Motivator

Hello @tashdid

8089 is the splunkd port. I strongly suggest fixing your SSL setup on SH/IDX/HF instead of disabling encryption, especially if you care about security. You can disable it on the UF if not needed.

Google for Splunk SSL best practices to get an overview of what can be done.

As a dirty hack, you can (temporarily, of course) configure a firewall (network or local) to block this port for any IPs except your SH/IDX so the scan will not detect it.

0 Karma

Re: Splunk Enterprise 8089 Vulnerability Scan Results: Resolve these SSL errors when not using SSL?

Explorer

Yes, this would be on the UF, and it is blocked on our firewalls on all instances. However, the UF the scanner sits on (since it's localhost) is picking up port 8089 as running SSL-encrypted traffic.

Do you have a link in which I can configure just that port with a custom cert?


Re: Splunk Enterprise 8089 Vulnerability Scan Results: Resolve these SSL errors when not using SSL?

Motivator

Hello @tashdid

Here is the PDF: https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr...

As @masonmorales mentioned, you can disable this port instead if it is not needed.

0 Karma