jedduff

Posts posted by jedduff

  1. My Firefox got an update to 39.0.

    Now I can't connect to my remote web console (v6). I got this message:

    Secure Connection Failed

    An error occurred during a connection to consoleeset.soges-tech.ca:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

        The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
        Please contact the website owners to inform them of this problem.

    I use the server appliance in a VMware environment.

  2. That is not a smart move from you. Leaving the HTTP proxy without a password on the ESET Appliance!!

    I created a user password with this command, in /opt/apache/bin:

    ./htpasswd -c /opt/apache/.htpasswd USERNAME

    I created a .group file in /opt/apache/ with "usergroup: USERNAME" in it.

    Added the following lines to the config file /opt/apache/conf/httpd.conf (just before </Proxy>):

        AuthType Basic
        AuthName "Password Required"
        AuthUserFile "/opt/apache/.htpasswd"
        AuthGroupFile "/opt/apache/.group"
        Require group usergroup

    And voilà! My access log is clean as water and I can see the bad guys in the error log.

    You should create a KB article with this information.

  3. When you temporarily disable HTTP proxy (e.g. port 3128 is not accessible or you completely stop the service) does it help? I suspect that something is connecting through HTTP proxy on the appliance and that is causing these bursts. HTTPS communication is not cached so it always goes through the proxy.

    Hi Michalp!

    I'm happy because I found the root of the problem.

    Someone is trying to use the proxy.

    Now... How can I deny all HTTP proxy requests without a password?

  4. When you temporarily disable HTTP proxy (e.g. port 3128 is not accessible or you completely stop the service) does it help? I suspect that something is connecting through HTTP proxy on the appliance and that is causing these bursts. HTTPS communication is not cached so it always goes through the proxy.

    Where can I find the HTTP proxy log? Can I enable some trace log?
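As an added example (not from this thread or from ESET), a small Python checker for the kind of Apache access log the appliance's HTTP proxy writes: it treats an absolute-URI request or a CONNECT as forward-proxy use and reports clients outside the trusted internal range that received successful (2xx) responses, which is what an open proxy being found and relayed through looks like. The internal range 10.0.200.0/24 is an assumption, the log fields are assumed to follow the common log format, and the sample lines are constructed from RFC 5737 documentation addresses; edf.eset.com is the only real hostname and comes from the thread.

```python
import ipaddress
import re
from collections import Counter

# Apache common-log-format line as written by the appliance's proxy
# (assumption: same fields as the access log discussed in the thread).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) ?(?P<proto>HTTP/\d\.\d)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# Clients allowed to use the proxy (assumption: the internal LAN is 10.0.200.0/24).
TRUSTED_NETS = [ipaddress.ip_network("10.0.200.0/24")]

# Constructed sample log (RFC 5737 documentation addresses, example.* hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2015:19:57:59 -0400] "GET http://example.net/httptest.php HTTP/1.1" 200 21
10.0.200.72 - - [27/May/2015:19:58:28 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
198.51.100.9 - - [27/May/2015:19:58:40 -0400] "CONNECT www.example.org:443 HTTP/1.1" 200 -
203.0.113.7 - - [27/May/2015:19:58:59 -0400] "GET http://example.net/httptest.php HTTP/1.1" 200 21
198.51.100.9 - - [27/May/2015:19:59:47 -0400] "GET http://example.com/ HTTP/1.0" 407 512
this line is not a log entry
"""
def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(client):
    """True if the client address lies inside an allowed network."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def is_proxy_request(entry):
    """Forward-proxy use shows as an absolute-URI request or a CONNECT tunnel."""
    return entry["method"] == "CONNECT" or entry["target"].startswith(("http://", "https://"))

def find_proxy_abuse(lines):
    """Count 2xx proxy requests per untrusted client; also count lines that did not parse."""
    abuse, unparsed = Counter(), 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
        elif is_proxy_request(entry) and not is_trusted(entry["client"]) and entry["status"][0] == "2":
            abuse[entry["client"]] += 1
    return abuse, unparsed
```

Once the Basic authentication from the post above is in place, the same outside clients should show up with 407 (Proxy Authentication Required) instead of 200, and this check ignores them.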

  5. Hi guys!

    I have an annoying problem.

    Before all, this is my setup:

    ERA Appliance; my internal computers use the internal FQDN of the ERA appliance (ex. ERAConsole.localdomain.local) and my external computers (laptop, tablet, etc.) use the external FQDN (eraconsole.domain.ca) with ports forwarded to the Appliance.

    When I install the Agent on an external laptop, the laptop name in the Web console is the FQDN of the internet connection.

    My question is: how to force the use of the full computer name instead of the DNS? This is pretty annoying and it leaves the laptops in the "Lost and found" folder.
