Security

Splunk Web is not accessible from remote computers

KSluchanko
Engager

Hello,

I have Splunk 8.0.1 installed on Ububntu 18.04.4 LTS. I can connect to port 8000 from the same server with any URL (localhost, 127.0.0.1, server name, server IP address). I can see login page if I use SSH tunneling connecting from remote host with redirect to localhost:8000. But I cannot connect from remote host entering any valid URL to browser - connection times out.

I have no firewall on my server. I have all Splunk services running and all services ports listening. I can see incoming packets with tcpdump - but no replies. I can connect to other services (SSH and Apache, for example) on my server.

There are no errors in log files - and no events for incoming connections in web_access.log.

What else have I to check?

Best regards,
Cyril

Tags (1)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Allow the traffic in your firewall, e.g. iptables. Keep in mind that tcpdump is in front of iptables, so it will see traffic even if iptables drops it.

View solution in original post

KSluchanko
Engager

Hi Martin,

There are no any firewall in effect on the server, as I mentioned above. This is not a point.

Best regards,
Cyril

UPDATE: Well, I was completely wrong. After some additional investigations I found that negative output of "systemctl status iptables" and "service status iptables" on this server means nothing. Thanks to the guy that have installed and tuned it this way. Resetting default policy to ACCEPT done the thing. Thanks, Martin.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

A default policy of accept may be undesirable in most environments.

0 Karma

KSluchanko
Engager

This server is quick solution for temporary use in isolated environment - so it does not matter much. Then it will be reinstalled.

0 Karma

rvany
Communicator

Just an add-on:
What kind of system do you have? E.g. RedHat currently uses firewalld by default - so you won't find any iptables-service. Maybe "the guy that have installed [...] this" is not that bad 😉

0 Karma

KSluchanko
Engager

Look at initial post. It's Ubuntu 18.04, upgraded from 16.04. It uses ufw by default (and, of course, I've checked 'ufw status' output), and I've tried other options like 'firewall-cmd --state'. So I still think that such kind of 'stealth' firewall configuration is not the best way to operate.

0 Karma

rvany
Communicator

Yes, right, I read that Ubuntu 18.04 - and then immediately forgot it - my bad 😉

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Allow the traffic in your firewall, e.g. iptables. Keep in mind that tcpdump is in front of iptables, so it will see traffic even if iptables drops it.

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!