Security

Why Splunk started as non-root cannot bind ports?

ralphw_SAIC
Path Finder
12-07-2015 15:08:37.498 -0500 INFO  TcpInputConfig - IPv4 port 550 is reserved for splunk 2 splunk
12-07-2015 15:08:37.498 -0500 INFO  TcpInputConfig - IPv4 port 550 will negotiate new-s2s protocol
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.502 -0500 ERROR UDPInputProcessor - Error binding to socket in UDPInputProcessor: Permission denied

Any idea of what could be causing this? Nothing is using port 550. If I start Splunk as root it binds port 550 without an issue.

0 Karma
1 Solution

MuS
Legend

Hi ralph_SAIC,

This is not a Splunk problem; this is based on the so-called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use the port 550 with Splunk, create a new Splunk TCP input on port 1550 and use an iptables rule to route input for port 550 to the Splunk port 1550:

 /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 550 -j REDIRECT --to-ports 1550

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

ralphw_SAIC
Path Finder

We don't use iptables. I did find one thing about setcap, but I'm still trying to figure it out as it does not seem to work.

0 Karma

ralphw_SAIC
Path Finder

Unfortunately I have not found a workaround for the shared libraries issue. Guess this will have to be a one-off machine till I get this worked out.

0 Karma

MuS
Legend

Hi ralphw_SAIC,

I found these two links:
https://lists.linuxcontainers.org/pipermail/lxc-users/2014-July/007455.html
https://wiki.apache.org/httpd/NonRootPortBinding
The first is about setcap for Splunk; the second is a generic one from Apache but also applies to Splunk.

Please mark this as answered, because your initial question is answered - thanks 🙂

0 Karma
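
The diagnosis from the accepted answer as a script (an added example, not code from any poster or from Splunk): it pulls the failing ports out of splunkd log lines and reports whether each one fails because the process has neither root nor CAP_NET_BIND_SERVICE, the capability that setcap grants. The function names and the port 9997 log line are constructed for illustration; the port 550 lines are the ones posted in the question.

```shell
#!/bin/sh
# Added example: explain splunkd "Could not bind" errors by port privilege.

# Lowest port a non-root process may bind (Linux sysctl; 1024 when the file is absent).
unpriv_port_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# Effective capability mask of the current process as hex (0 when /proc is unavailable).
current_capeff() {
    cap=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status 2>/dev/null) || cap=0
    echo "${cap:-0}"
}

# has_net_bind HEXMASK: succeeds if bit 10 (CAP_NET_BIND_SERVICE) is set in the mask.
has_net_bind() {
    [ $(( (0x$1 >> 10) & 1 )) -eq 1 ]
}

# bind_failures: reads splunkd log lines on stdin, prints each failing TCP port once.
bind_failures() {
    sed -n 's/.*ERROR TcpInputProc - Could not bind to port IPv4 port \([0-9][0-9]*\).*/\1/p' | sort -un
}

# diagnose PORT EUID CAPEFF_HEX PORT_START: prints one verdict word.
diagnose() {
    if [ "$1" -ge "$4" ]; then
        echo "unprivileged-port"   # privilege is not the cause; check for a port conflict
    elif [ "$2" -eq 0 ] || has_net_bind "$3"; then
        echo "allowed"             # root or capability present; the bind is permitted
    else
        echo "needs-privilege"     # redirect from a high port or grant the capability
    fi
}

# First three lines are from the question; the last line (port 9997) is constructed.
sample_log() {
cat <<'EOF'
12-07-2015 15:08:37.498 -0500 INFO  TcpInputConfig - IPv4 port 550 is reserved for splunk 2 splunk
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.499 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 9997
EOF
}

sample_log | bind_failures | while read -r port; do
    echo "port $port: $(diagnose "$port" "$(id -u)" "$(current_capeff)" "$(unpriv_port_start)")"
done
```

Run it as the account that starts Splunk, piping the real splunkd.log into bind_failures in place of sample_log.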