Previous Topic: SAN storage, Hot/Cold/Frozen databases and access speeds | Next Topic: Duplicate events?
I read this in the documentation regarding the management port:
8089 - Splunkd management port. Used to communicate with the splunkd daemon. The SplunkWeb interface talks to splunkd on this port, as does the command-line interface and any distributed connections from other servers.
Is this port still open on Splunk instances that have been defined as forwarders?
Yes, this port will be used for remote administration, deployment client/server activity, etc.
In terms of security, should such a port be open on an internet-facing device?
That is an issue of concern for me then. As I wish to install forwarders on web servers. Do you have anything to suggest?
You can harden your servers by configuring IP Tables to only allow connections to 8089 from internal IPs. However, I would recommend having your webservers in a DMZ with a firewall protecting all non-necessary ports from the Internet. Any box that is directly connected to the Internet without a firewall in front of it (even bastion hosts) is a huge liability.
You must be logged in to post a reply.
Flash required to play this video.
Click here to download the free Flash Player.