natjohan's blog

Posted Sun. 14 April 2013

Tip of the week 16

Secure your Splunk Free server

"Splunk Enterprise is a fully featured, powerful platform for collecting, searching, monitoring and analyzing machine data". There is a free version of Splunk with some limitations (read here), but it is sufficient to analyze the logs of a few hosts (< 20). The major drawback of this edition is the lack of an authentication module for the web interface: anyone who can reach the port can open your Splunk interface and read your data.

One simple way to secure it is to bind Splunk Web to localhost and use an SSH tunnel to reach it.

Configuration

Do not edit $SPLUNK_HOME/etc/system/default/web.conf: files under default/ are overwritten on every upgrade, and Splunk is designed to take overrides from the local/ directory. Instead, create or edit $SPLUNK_HOME/etc/system/local/web.conf and set the bind address in the [settings] stanza:

[settings]
server.socket_host = localhost

Restart Splunk so that Splunk Web picks up the new bind address:

splunk-server# $SPLUNK_HOME/bin/splunk restart

Verify that port 8000 is now listening on the loopback address only (not 0.0.0.0 or :::):

splunk-server# netstat -an | grep 8000
        tcp   0    0 127.0.0.1:8000   0.0.0.0:*   LISTEN

Keep in mind that this only covers Splunk Web. The splunkd management port (8089 by default) and any receiving port you configured for forwarders (typically 9997) still listen on all interfaces; restrict those with a host firewall, because binding Splunk Web to localhost does nothing for them.

Access

Now, when you want to open the Splunk Web interface, set up an SSH tunnel between your PC and the server that forwards a local port on your PC to port 8000 on the server's loopback interface:

natjohan# ssh -L 8000:127.0.0.1:8000 myremoteuser@<splunk-server-address>

Explanation: -L 8000:127.0.0.1:8000 tells ssh to listen on port 8000 on your PC and to forward every connection through the SSH session to 127.0.0.1:8000 as seen from the remote server, which is exactly where Splunk Web is now bound. By default ssh binds that local listener to your own loopback address (unless you pass -g), so other machines on your network cannot ride the tunnel.

You can now open the Splunk interface on your PC by typing https://127.0.0.1:8000 in your browser (or http://127.0.0.1:8000 if you have not set enableSplunkWebSSL = true in web.conf).
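The whole procedure, as an added shell example that is not part of the original post: it writes the local web.conf override, checks netstat output to confirm a port listens on loopback only (and flags ports that do not, such as the management port), and prints the tunnel command. The netstat lines are constructed for the demo, the SPLUNK_HOME default of /opt/splunk and the user/host names are assumptions, and the demo writes into a scratch directory rather than a real Splunk install.

```shell
#!/bin/sh
# Added example, not code from the original post or from Splunk.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; user and host names are placeholders.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Write $1/etc/system/local/web.conf so Splunk Web binds to loopback only.
# local/ overrides default/ and survives upgrades. Prints the path written.
write_web_conf() {
    conf_dir="$1/etc/system/local"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/web.conf" <<'EOF'
[settings]
# Listen on loopback only; reach the UI through an SSH tunnel.
server.socket_host = localhost
httpport = 8000
EOF
    printf '%s\n' "$conf_dir/web.conf"
}

# Read `netstat -ant` style output on stdin and inspect port $1.
# Exit 0: every LISTEN socket on that port is on 127.0.0.1 / ::1.
# Exit 1: at least one LISTEN socket is on a non-loopback address (0.0.0.0, ::, a LAN IP).
# Exit 2: nothing listens on that port.
check_loopback_only() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != port) next
            found = 1
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "::1" && addr != "localhost")
                exposed = 1
        }
        END { if (!found) exit 2; exit exposed ? 1 : 0 }
    '
}

# Wrapper: classify port $2 from a string of netstat output $1.
# Prints "loopback", "exposed" or "closed".
classify_port() {
    status=0
    printf '%s\n' "$1" | check_loopback_only "$2" || status=$?
    case $status in
        0) echo loopback ;;
        1) echo exposed ;;
        *) echo closed ;;
    esac
}

# Print the ssh command that forwards local port $1 to port $2 on the server's
# loopback. -N opens no remote shell, only the forward. Without -g the local
# listener is bound to 127.0.0.1, so other hosts on your LAN cannot use the tunnel.
tunnel_command() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$1" "$2" "$3" "$4"
}

# Constructed sample of `netstat -ant` output (not captured from a real host):
# Splunk Web correctly on loopback, splunkd management port still on all interfaces.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Demo against a scratch directory so no real Splunk install is touched.
# On the server itself you would run: netstat -ant | check_loopback_only 8000
DEMO_HOME=$(mktemp -d)
write_web_conf "$DEMO_HOME"
cat "$DEMO_HOME/etc/system/local/web.conf"
for p in 8000 8089 9997; do
    printf 'port %s: %s\n' "$p" "$(classify_port "$SAMPLE_NETSTAT" "$p")"
done
tunnel_command 8000 8000 myremoteuser splunk-server.example
rm -rf "$DEMO_HOME"
```

The awk check treats `:::8000` (IPv6 any-address) as exposed and `::1:8000` as loopback, so it catches the case where Splunk Web is bound to 127.0.0.1 for IPv4 but still reachable over IPv6. In the demo the management port 8089 comes out as "exposed", which is the reminder that the web.conf change alone does not close it.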

Category: Linux
Tags: tool network splunk security ssh