Secure Splunk Enterprise on your network
Under certain conditions, Splunk Enterprise network ports, services, and APIs can become susceptible to attacks. You can prevent those potential attacks by shielding your Splunk Enterprise configuration from the Internet.
Where possible, use a host-based firewall to restrict access to Splunk Web, management, and data ingestion ports. Keep Splunk Enterprise within that firewall. Have your remote users access Splunk Enterprise on a Virtual Private Network.
You also can protect Splunk Enterprise from attacks in the following ways:
- Restrict CLI security by restricting this port to local calls only, from behind a host firewall.
- Unless necessary, do not allow access to forwarders on any port. Additionally, you can enable enhanced forwarder management port protection. See Configure universal forwarder management security.
- Where applicable, enable TLS certificate host name validation. See Enable TLS certificate host name validation.
- Install Splunk Enterprise on an isolated network segment that only trustworthy machines can access.
- Limit port accessibility to only necessary connections. See the following table for the list:
Client instance Server instance Default ports Your browser Splunk Web TCP 8000 Search heads Search peers (indexers) TCP 8089 Forwarders Receivers (indexers) TCP 8089 The Splunk CLI Any Splunk platform instance TCP 8089 Search head cluster members The App Key Value Store service
on other SHC members
TCP 8191 Search heads that run Splunk
Assist from the Monitoring Console
*.scs.splunk.com TCP 443
Harden your Windows installation
Disable unnecessary Splunk Enterprise components
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4
Feedback submitted, thanks!