Secure Splunk Enterprise on your network
Under certain conditions, Splunk Enterprise network ports, services, and APIs can become susceptible to attacks over the network. You can prevent those potential attacks by shielding your Splunk Enterprise configuration from the Internet.
Make the following considerations to reduce the network attack surface of your Splunk Enterprise deployment:
- Where possible, use a firewall to restrict access to Splunk Web, management, and data ingestion ports. Keep Splunk Enterprise components inside that network firewall.
- Where possible, have any remote Splunk Enterprise users access the deployment through a virtual private network.
You also can protect Splunk Enterprise from physical and network attacks in the following ways:
- Restrict CLI security by restricting this port to local calls only, from behind a host firewall.
- Unless necessary, do not allow access to forwarders on any network port. Additionally, you can enable enhanced forwarder management network port protection. See Configure universal forwarder management security.
- Where applicable, enable TLS certificate host name validation between individual machines in a Splunk Enterprise deployment. See Configure TLS certificate host name validation for secured connections between Splunk software components.
- Install Splunk Enterprise on an isolated network segment that only trustworthy machines can access.
- Limit network port accessibility to only necessary connections. See the following table for the list:
Client instance Server instance Default ports Your browser Splunk Web TCP 8000 Search heads Search peers (indexers) TCP 8089 Forwarders Receivers (indexers) TCP 8089 The Splunk CLI Any Splunk platform instance TCP 8089 Search head cluster members The App Key Value Store service
on other SHC membersTCP 8191 Search heads that run Splunk
Assist from the Monitoring Console*.scs.splunk.com TCP 443
Harden the Splunk Enterprise installation directory on Windows | Disable unnecessary Splunk Enterprise components |
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2
Feedback submitted, thanks!