Secure administration of Splunk Free on Linux using SSH port forwarding (or tunnelling)

Splunk is a great data search, monitoring and analysis tool, and a cut-down version of the tool – Splunk Free – is available for learning/testing purposes.

One of the limitations of the free version is that there are no user roles – you just log in directly as an administrator without authentication. I guess this is one way of encouraging businesses to pay for the product, as nobody is going to want to put sensitive data on the network allowing anonymous access (right?).

For me, even on my home network, I would prefer not to have anonymous admin services available. Here’s what it looks like – straight in with no logon:

There is a relatively simple solution – SSH port forwarding (also commonly known as SSH tunnelling). SSH is a standard administration tool for Linux, and it includes some useful functionality that we can leverage here. If you’re using a Windows client machine, you can do the same thing with PuTTY.

Regular connectivity works like this:

Direct browser connectivity to Splunk Web

The Splunk Web service listens by default on TCP port 8000 on all network interfaces, making it accessible on the local network.

Using SSH port forwarding (see below), port 8000 on the client machine is forwarded to localhost port 8000 on the Splunk Linux server. All the traffic goes over the network using the encrypted SSH connection. There is no need, therefore, for the Splunk Web service to be listening for requests on the local network. Disabling network access effectively disables unauthenticated access, which is what we want here. As far as Splunk is concerned, you are accessing the Splunk Web service from the Splunk Linux server itself. Sneaky!

Connect to Splunk Web via SSH port forwarding

The steps to implement this are as follows:

Step 1: reconfigure the Splunk Web service so that it is only accessible locally from the server itself (i.e. not visible on the network)

To do this, create the following file (adapt accordingly if you installed Splunk to a different location):

/opt/splunk/etc/system/local/web.conf

Add the contents as follows:

[settings]
server.socket_host = 127.0.0.1

Restart Splunk for the changes to take effect. The web management interface will no longer be directly accessible from your client machine.

Step 2: make an SSH connection to the Splunk server

ssh -L 8000:127.0.0.1:8000 user@splunkserver

Step 3: browse to the Splunk web interface using the local port specified in the previous step

The following video shows the interface no longer being accessible directly, and then a connection being made over SSH by browsing to http://127.0.0.1:8000

The Splunk Web service is now only accessible to those with a valid logon to the Splunk Linux server.
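As an added check (example script, not part of the original post), the following confirms that Step 1 actually took effect before you rely on the tunnel: it reads server.socket_host from web.conf and parses `ss -ltn` output to make sure nothing on TCP 8000 is still bound to a non-loopback address. The function names are my own, `ss` (iproute2) is assumed to be installed on the server, and the sample inputs in the comments and test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify Splunk Web is bound to
# loopback only (Step 1) before opening the SSH tunnel (Step 2).
# The two parsing functions read stdin so they can be run offline against
# constructed data; check_live wires them to the real file and command.

# Print the effective server.socket_host from a web.conf given on stdin.
# When the key is absent Splunk listens on all interfaces, so default to 0.0.0.0.
splunk_socket_host() {
    host=$(sed -n 's/^[[:space:]]*server\.socket_host[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | tail -n 1)
    if [ -n "$host" ]; then printf '%s\n' "$host"; else printf '0.0.0.0\n'; fi
}

# Read `ss -ltn` output on stdin; exit 0 only if every LISTEN socket on the
# given port is bound to a loopback address (127.0.0.1 or [::1]).
# Wildcard forms such as 0.0.0.0, [::] and * mean "all interfaces" and fail.
port_loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                      # e.g. 127.0.0.1:8000 or [::]:8000
            n = split(addr, parts, ":")    # port is the last colon-separated field
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host != "127.0.0.1" && host != "[::1]") exposed = 1
        }
        END { if (exposed) exit 1; exit 0 }'
}

# Live check on the Splunk server; the path defaults to the one used in the post.
check_live() {
    conf="${1:-/opt/splunk/etc/system/local/web.conf}"
    host=$(splunk_socket_host < "$conf")
    if [ "$host" = "127.0.0.1" ] && ss -ltn | port_loopback_only 8000; then
        echo "OK: Splunk Web is bound to loopback only; open the tunnel with:"
        echo "    ssh -N -L 8000:127.0.0.1:8000 user@splunkserver"
    else
        echo "WARNING: Splunk Web still reachable on the network (socket_host=$host)"
        return 1
    fi
}
```

Run `check_live` on the server after restarting Splunk; it returns non-zero if port 8000 is still listening on a network-facing address.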
