Introducing “allowRemoteLogin”

Fellow Security-conscious Splunkers,

Beginning in Splunk 4.1.4, a new option, ‘allowRemoteLogin’, has been added to server.conf to better control access to Splunk’s management port (TCP port 8089 by default).

  • For instances of Splunk Enterprise, this option will be set to ‘requireSetPassword’ by default, which will not allow the ‘admin’ user to remotely authenticate if the password is ‘changeme’
  • For instances of Splunk Free, this option will be set to ‘false’, which will not allow any remote access to Splunk’s management port.
  • Changing the value to ‘always’ will allow remote logins.
    • For instances of Splunk Enterprise, remote authentication will be required.  As such, we strongly recommend changing the default ‘admin’ password
    • For instances of Splunk Free, remote authentication is not available.  As such, we strongly recommending against changing this value on Splunk Free instances.

Example of a remote authentication attempt in 4.1.4:

./splunk search “foo” -uri https://some_server:8089 –auth admin:changeme

Remote login disabled because you have not changed the ‘admin’ password yet. Either set the password, or override by changing the allowRemoteLogin setting in your server.conf file.

This change was implemented to better protect instances of Splunk Enterprise using default credentials as well as instances of Splunk Free that have been intentionally or unintentionally deployed on production servers.

As always, please let us know if you have any questions or comments on this feature, as well as ideas for any other features related to security.


The Splunk Software Security Group

Alex Raitz

Posted by