Security

Why can't Splunk bind ports when started as non-root?

ralphw_SAIC
Path Finder
12-07-2015 15:08:37.498 -0500 INFO  TcpInputConfig - IPv4 port 550 is reserved for splunk 2 splunk
12-07-2015 15:08:37.498 -0500 INFO  TcpInputConfig - IPv4 port 550 will negotiate new-s2s protocol
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.502 -0500 ERROR UDPInputProcessor - Error binding to socket in UDPInputProcessor: Permission denied

Any idea of what could be causing this? Nothing is using port 550. If I start Splunk as root it binds port 550 without an issue.

0 Karma
1 Solution

MuS
SplunkTrust

Hi ralphw_SAIC,

This is not a Splunk problem; this is based on the so-called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use port 550 with Splunk, create a new Splunk TCP input on port 1550 and use an iptables rule to route input for port 550 to the Splunk port 1550:

 /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 550 -j REDIRECT --to-ports 1550

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

ralphw_SAIC
Path Finder

We don't use iptables. I did find one thing about setcap, but I am still trying to figure it out as it does not seem to work.

0 Karma

ralphw_SAIC
Path Finder

Unfortunately, I have not found a workaround for the shared libraries issue. Guess this will have to be a one-off machine till I get this worked out.

0 Karma

MuS
SplunkTrust

Hi ralphw_SAIC,

I found these two links:
https://lists.linuxcontainers.org/pipermail/lxc-users/2014-July/007455.html
https://wiki.apache.org/httpd/NonRootPortBinding
The first is about setcap for Splunk; the second is a generic one from Apache, but it also applies to Splunk.

Please mark this as answered, because your initial question is answered - thanks 🙂

0 Karma
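
An added diagnostic, not part of the original thread and not Splunk code, that ties the bind errors in the question to the privileged-port rule and the setcap approach from the replies: it extracts the failed ports from the log and checks whether a process's effective capability mask (the CapEff line of /proc/<pid>/status) contains CAP_NET_BIND_SERVICE. The function names are hypothetical, and the privileged limit is assumed to be the Linux default of 1024 (the net.ipv4.ip_unprivileged_port_start sysctl on newer kernels).

```python
import re

CAP_NET_BIND_SERVICE = 10  # bit index in the capability mask (linux/capability.h)

# Log lines copied from the question above.
SPLUNKD_LOG = """\
12-07-2015 15:08:37.498 -0500 INFO  TcpInputConfig - IPv4 port 550 is reserved for splunk 2 splunk
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.502 -0500 ERROR UDPInputProcessor - Error binding to socket in UDPInputProcessor: Permission denied
"""

BIND_ERROR = re.compile(r"ERROR TcpInputProc - Could not bind to port IPv4 port (\d+)")


def failed_ports(log_text):
    """Return the distinct TCP ports splunkd reported it could not bind."""
    return sorted({int(m.group(1)) for m in BIND_ERROR.finditer(log_text)})


def cap_eff_from_status(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    return int(m.group(1), 16) if m else 0


def may_bind(port, cap_eff, unprivileged_start=1024):
    """Apply the kernel's rule for binding a port below the privileged limit."""
    if port >= unprivileged_start:
        return True  # not a privileged port, any user may bind it
    # Root passes because it normally holds every capability, this bit included.
    return bool((cap_eff >> CAP_NET_BIND_SERVICE) & 1)


def diagnose(log_text, status_text, unprivileged_start=1024):
    """Map each failed port to True when missing privilege explains the failure."""
    cap_eff = cap_eff_from_status(status_text)
    return {port: not may_bind(port, cap_eff, unprivileged_start)
            for port in failed_ports(log_text)}


if __name__ == "__main__":
    # Linux only: inspect the capabilities of the current process.
    with open("/proc/self/status") as fh:
        print(diagnose(SPLUNKD_LOG, fh.read()))
```

Run it as the account that starts Splunk: a result of `{550: True}` means the failure is explained by the missing capability rather than by another process holding the port.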