Splunkweb is accessed remotely with Free License configured... Bug?

ageld
Path Finder

I am running Splunk 4.1.7 as a forwarder (not as a LightForwarder) on a Windows 7 laptop. It sends data to our Splunk indexer and is configured with the Free license. The SplunkWeb interface can still be accessed remotely despite the statements in server.conf.

# The following 'allowRemoteLogin' setting controls remote management of your splunk instance.
#  - If set to 'always', all remote logins are allowed.
#  - If set to 'never', only local logins to splunkd will be allowed. Note that this will still allow
#    remote management through splunkweb if splunkweb is on the same server.
#  - If set to 'requireSetPassword' (default behavior):
#     1. In the free license, remote login is disabled.
#     2. In the pro license, remote login is only disabled for the admin user that has not changed their default password
allowRemoteLogin=requireSetPassword

As you can see, the config file states that in the default configuration (allowRemoteLogin=requireSetPassword) "In the free license, remote login is disabled".

Setting "allowRemoteLogin=never" in server.conf under the "local" directory did not fix the issue.

I also tried to set

server.socket_host = 127.0.0.1

in the web.conf file (local directory) to force the Web interface to listen only on localhost (the loopback interface). It did not help either.

I need to do something to protect the Web UI. I do not want it off completely, since it is convenient for configuring Data Inputs. Running a local firewall is not an option in my case.

I wish Splunk developers would add source IP address restrictions for the Web UI. I am surprised it is not built into the product; it is very easy to implement. Disabling logons under the Free license while not restricting access to the Admin UI makes the whole system vulnerable. I do not foresee anybody licensing each and every forwarder in their environment -- it's just way too expensive.

If someone figured out how to:

  • restrict remote access to Web UI by source IP address without running OS firewall
  • force SplunkWeb process to only bind to loopback interface

please, let me know.

0 Karma
1 Solution

David
Splunk Employee

I'm not sure it's possible to restrict the source IP address, but you can bind to the loopback address by following these instructions:

http://answers.splunk.com/questions/134/how-do-i-bind-splunk-to-a-specific-interface

I've done this on my server and verified that it works.

I believe the reason why allowRemoteLogin isn't acting how you would like it to is that it is controlling access to the splunkd process. Setting that to never will prevent a splunk instance on another box from logging in. Since it only controls access to splunkd, though, if a local splunkweb instance is running, any logins through that service are considered "local."

I can't necessarily tell you why server.socket_host doesn't work (as that would logically follow) except to say that I tried a few different methods when I configured it on my box, and this was the first one to work for me.

Let me know if that doesn't sort everything out for you.


0 Karma

sideview
SplunkTrust

The free license simply has no authentication at all. I suspect that those comments in server.conf are wrong, or things got confused at some point. At any rate on the free license there is no "login" to allow or disallow.

That said, I don't see why you would want to use the free license on a forwarder. Use the forwarder license and make sure that your forwarder isn't indexing any significant data. Is there a downside?

0 Karma

RobertFidler
New Member

But if you bind to a 127/8 address, how can you populate your splunk with logs from a universal forwarder on another system?

0 Karma

proctorgeorge
Path Finder

I am just wondering if you are using the Free License on the indexer or the forwarders? If you were talking about the forwarders, then do you mean the Free License or the Forwarder License? I am wondering if this might change how configurations are handled.

0 Karma

ageld
Path Finder

Free license is installed only on a forwarder. The indexer is fully licensed.

0 Karma

ageld
Path Finder

David, Thanks a lot! It worked like a charm!

0 Karma

David
Splunk Employee

I just tested it with my LWF. I specified the bindip, verified that it was listening on the internal-only interface, and then verified that it was still forwarding logs. I believe the listen IP is a totally different function from the ability to send data out. (This was tested on Windows, though I would expect it to function the same on Linux.)

0 Karma
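The two things David checked above (in the accepted answer and in his LWF test): that after the bind change Splunk no longer listens on a non-loopback address, and that the forwarder still holds an outbound connection to the indexer. The script below is an added verification helper, not code from the original thread or from Splunk. It parses netstat -an style output (the Windows column layout, and also Linux netstat -ant) and assumes the default ports 8000 for splunkweb, 8089 for splunkd and 9997 for the indexer's receiving port; the two sample listings are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Verify a loopback bind the way the thread describes:
# (1) no Splunk listener is bound to a non-loopback address, and
# (2) the forwarder still has an ESTABLISHED connection to the indexer.
# Port numbers are assumptions: 8000 splunkweb, 8089 splunkd, 9997 indexer receiving.

SPLUNK_PORTS="8000 8089"
INDEXER_PORT=9997

# Print every LISTENING socket on one of $1's ports whose address is not loopback.
# $2 is netstat -an output (Windows layout, or Linux netstat -ant).
non_loopback_listeners() {
    printf '%s\n' "$2" | awk -v ports="$1" '
    BEGIN { n = split(ports, want, " ") }
    tolower($1) ~ /^tcp/ && ($NF == "LISTENING" || $NF == "LISTEN") {
        # the first field ending in :port is the local address (skips queue counters)
        local = ""
        for (i = 2; i <= NF; i++) if ($i ~ /:[0-9]+$/) { local = $i; break }
        port = local; sub(/.*:/, "", port)
        addr = local; sub(/:[0-9]+$/, "", addr)
        loop = (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]")
        for (j = 1; j <= n; j++) if (port == want[j] && !loop) print local
    }'
}

# Succeed (status 0) if $2 contains an ESTABLISHED connection to remote port $1.
forwarding_established() {
    printf '%s\n' "$2" | awk -v p="$1" '
    tolower($1) ~ /^tcp/ && $NF == "ESTABLISHED" {
        remote = ""
        for (i = 2; i <= NF; i++) if ($i ~ /:[0-9]+$/) { remote = $(i + 1); break }
        rp = remote; sub(/.*:/, "", rp)
        if (rp == p) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Combined check over one listing: prints OK or the failure; status 0 only when both pass.
bind_check() {
    bad=$(non_loopback_listeners "$SPLUNK_PORTS" "$1")
    if [ -n "$bad" ]; then
        printf 'FAIL: non-loopback Splunk listeners:\n%s\n' "$bad"
        return 1
    fi
    if ! forwarding_established "$INDEXER_PORT" "$1"; then
        echo "FAIL: no established connection to indexer port $INDEXER_PORT"
        return 1
    fi
    echo "OK: Splunk listens on loopback only and is still forwarding"
}

# Constructed sample listings (Windows netstat -an layout; not from a real host).
SAMPLE_BEFORE='  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:52314     192.168.1.5:9997       ESTABLISHED'
SAMPLE_AFTER='  TCP    127.0.0.1:8000         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8089         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:52314     192.168.1.5:9997       ESTABLISHED'

# On a live forwarder, feed the real listing instead:  bind_check "$(netstat -an)"
bind_check "$SAMPLE_BEFORE" || true
bind_check "$SAMPLE_AFTER" || true
```

Run it once before and once after the bind change; the first listing should fail on the 0.0.0.0 listeners and the second should pass while still showing the outbound connection to port 9997, which is exactly the pair of observations David reports.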

ageld
Path Finder

I read the article you suggested... Somewhere I saw that setting

SPLUNK_BINDIP=127.0.0.1

will bind the Splunk process to the loopback address, not SplunkWeb. This might break communication between the forwarder and the indexer.

I wish Splunk developers would just develop an access list, restricting/permitting certain IPs to connect to SplunkWeb interface... 😞 😞 😞

0 Karma