Posts posted by jedduff
That is not a smart move from you, leaving the HTTP proxy without a password on the ESET Appliance!!
I created a user password with this command, in /opt/apache/bin:
./htpasswd -c /opt/apache/.htpasswd USERNAME
I created a .group file in /opt/apache/ with "usergroup: USERNAME" in it.
Added the following lines to the config file /opt/apache/conf/httpd.conf (just before </Proxy>):
AuthType Basic
AuthName "Password Required"
AuthUserFile "/opt/apache/.htpasswd"
AuthGroupFile "/opt/apache/.group"
Require group usergroup
And voilà! My access log is clean like water and I can see the bad guys in the error log.
You should create a KB article with this information.
-
When you temporarily disable HTTP proxy (e.g. port 3128 is not accessible or you completely stop the service) does it help? I suspect that something is connecting through HTTP proxy on the appliance and that is causing these bursts. HTTPS communication is not cached so it always goes through the proxy.
Hi Michalp!
I'm happy because I found the root of the problem.
Someone is trying to use the proxy.
Now... how can I deny all HTTP proxy requests without a password?
155.133.19.30 - - [27/May/2015:19:57:59 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
213.133.97.216 - - [27/May/2015:19:58:05 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=hotmanagement.asia HTTP/1.1" 200 254
213.133.97.216 - - [27/May/2015:19:58:08 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=8db2654a7&features=Rank&q=info:naravniporod.si HTTP/1.1" 200 31
155.133.19.30 - - [27/May/2015:19:58:05 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
91.196.48.31 - - [27/May/2015:19:58:10 -0400] "GET hxxp://179.184.10.23/search?tbo=d&filter=0&nfpr=1&source=hp&num=100&btnG=Search&q=%22site%3a.edu%22+%22%5binurl%3a%2fcampustour%2fframes%2findex.asp%3furl%5d%22+pomidorowa HTTP/1.1" 200 12373
213.133.97.216 - - [27/May/2015:19:58:24 -0400] "GET hxxp://archive.org/wayback/available?url=kopio.ru&timestamp=19900101 HTTP/1.1" 200 167
213.133.97.216 - - [27/May/2015:19:58:26 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=annaleenashem.blogspot.ru HTTP/1.1" 200 492
10.0.200.72 - - [27/May/2015:19:58:28 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.68 - - [27/May/2015:19:58:36 -0400] "POST hxxp://38.90.226.13:80/ HTTP/1.1" 200 62
10.0.200.2 - - [27/May/2015:19:58:36 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.2 - - [27/May/2015:19:58:36 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.2 - - [27/May/2015:19:58:37 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
185.25.151.223 - - [27/May/2015:19:58:40 -0400] "GET hxxp://testp2.czar.bielawa.pl/testproxy.php?r=206.162.163.142:3128 HTTP/1.1" 200 117
185.25.151.223 - - [27/May/2015:19:58:40 -0400] "CONNECT www.google.pl:443 HTTP/1.1" 200 -
213.133.97.216 - - [27/May/2015:19:58:43 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=810983536&features=Rank&q=info:texasbeatz.net HTTP/1.1" 200 31
198.50.151.0 - - [27/May/2015:19:58:26 -0400] "CONNECT www.google.pl:443 HTTP/1.1" 200 -
213.133.97.216 - - [27/May/2015:19:58:47 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=ncdc.unl.edu HTTP/1.1" 200 2060
155.133.19.30 - - [27/May/2015:19:58:59 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
213.133.97.216 - - [27/May/2015:19:59:05 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=itsnotokcupid.wordpress.com HTTP/1.1" 200 280
155.133.19.30 - - [27/May/2015:19:59:04 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
91.196.48.31 - - [27/May/2015:19:59:10 -0400] "GET hxxp://179.184.10.23/search?tbo=d&filter=0&nfpr=1&source=hp&num=100&btnG=Search&q=%22%5binurl%3a.edu%2fredirect.aspx%3furl%5d%22+pooperacyjn%c4%85 HTTP/1.1" 200 11431
213.133.97.216 - - [27/May/2015:19:59:19 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=864f1d511&features=Rank&q=info:mohedaror.se HTTP/1.1" 200 29
10.0.200.68 - - [27/May/2015:19:59:19 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.68 - - [27/May/2015:19:59:20 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.68 - - [27/May/2015:19:59:20 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
213.133.97.216 - - [27/May/2015:19:59:27 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=lasthand.wordpress.com HTTP/1.1" 200 246
104.152.188.72 - - [27/May/2015:19:59:32 -0400] "GET hxxp://lotustours.net/forum/member.php?action=profile&uid=397552 HTTP/1.0" 404 689
104.152.188.72 - - [27/May/2015:19:59:33 -0400] "GET hxxp://lotustours.net/ HTTP/1.1" 200 25354
213.133.97.216 - - [27/May/2015:19:59:46 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=sparcc.wordpress.com HTTP/1.1" 200 259
64.62.219.170 - - [27/May/2015:19:59:47 -0400] "CONNECT support.microsoft.com:443 HTTP/1.0" 200 -
213.133.97.216 - - [27/May/2015:20:00:01 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=86bca50da&features=Rank&q=info:sparksoflife.co HTTP/1.1" 200 29
213.133.97.216 - - [27/May/2015:20:00:00 -0400] "GET hxxp://archive.org/wayback/available?url=mobi-games.ru&timestamp=19900101 HTTP/1.1" 200 172
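The log above is what an open relay looks like: internal agents (10.0.200.x) CONNECT to edf.eset.com, while everything else is third parties pushing arbitrary GET/CONNECT requests through port 3128 and getting 200 back. As an added example (not code from the post or from ESET), here is a small checker that applies that reasoning to lines in this format. It assumes the only legitimate destinations for the appliance proxy are ESET hosts (any name ending in .eset.com) and that testproxy.php / httptest.php requests are open-proxy scanner probes; both lists are assumptions to adjust for your deployment. A flagged line with status 200 means the proxy actually relayed the request; after Basic auth (or an IP ACL) is in place the same probe should show 407 (or 403) instead.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Sample input: lines taken from the access_log excerpt in the post above
# (spacing normalized) plus one constructed line (the last one) showing the
# same probe answered with 407 once Basic auth is enforced on the proxy.
SAMPLE_LOG = """\
155.133.19.30 - - [27/May/2015:19:57:59 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
10.0.200.72 - - [27/May/2015:19:58:28 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.68 - - [27/May/2015:19:58:36 -0400] "POST hxxp://38.90.226.13:80/ HTTP/1.1" 200 62
185.25.151.223 - - [27/May/2015:19:58:40 -0400] "GET hxxp://testp2.czar.bielawa.pl/testproxy.php?r=206.162.163.142:3128 HTTP/1.1" 200 117
185.25.151.223 - - [27/May/2015:19:58:40 -0400] "CONNECT www.google.pl:443 HTTP/1.1" 200 -
64.62.219.170 - - [27/May/2015:19:59:47 -0400] "CONNECT support.microsoft.com:443 HTTP/1.0" 200 -
155.133.19.30 - - [27/May/2015:20:05:12 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 407 381
"""

# Apache "common" log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumption for this example: an ERA agent only needs the appliance proxy to
# reach ESET hosts. Anything else the proxy forwards is someone else's traffic.
ALLOWED_SUFFIXES = (".eset.com",)

# Request paths used by open-proxy scanners, as seen in the posted log (assumed list).
SCANNER_MARKERS = ("testproxy.php", "httptest.php")

# RFC 1918 ranges; the posted log shows the agents in 10.0.200.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["method"] == "CONNECT":
        # CONNECT carries "host:port" rather than a URI.
        host = rec["target"].rsplit(":", 1)[0]
    else:
        # Proxy requests carry an absolute URI; undo the post's hxxp defanging.
        uri = rec["target"].replace("hxxp://", "http://", 1)
        host = urlsplit(uri).hostname or ""
    rec["host"] = host.lower()
    rec["src_internal"] = is_internal(rec["src"])
    return rec


def is_allowed_host(host):
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


def abuse_reasons(rec):
    """Reasons a request looks like third-party use of the proxy ([] means fine)."""
    reasons = []
    if not is_allowed_host(rec["host"]):
        reasons.append("destination is not an ESET host")
    if any(marker in rec["target"] for marker in SCANNER_MARKERS):
        reasons.append("open-proxy scanner probe")
    return reasons


def analyze(log_text):
    """Return (flagged records, count of flagged requests per source IP).

    A flagged record with status 200 means the proxy actually relayed the
    request (open relay); 403/407 means it was refused by an ACL or by auth.
    """
    flagged = []
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = abuse_reasons(rec)
        if not reasons:
            continue
        rec["reasons"] = reasons
        rec["relayed"] = rec["status"] == "200"
        flagged.append(rec)
        per_source[rec["src"]] += 1
    return flagged, per_source


if __name__ == "__main__":
    flagged, per_source = analyze(SAMPLE_LOG)
    for rec in flagged:
        where = "internal" if rec["src_internal"] else "external"
        print(f'{rec["src"]:15} ({where}) {rec["method"]:7} {rec["host"]:28} '
              f'{rec["status"]} {"RELAYED" if rec["relayed"] else "refused"} '
              f'- {"; ".join(rec["reasons"])}')
    print("flagged requests per source:", dict(per_source))
```

Run it against the appliance's real access_log instead of SAMPLE_LOG to get a per-source count of who is using the proxy; the source IP is deliberately not used as the abuse criterion, because roaming laptops outside the LAN legitimately use the proxy too (as stated later in this thread), so the destination is what distinguishes agent traffic from everything else.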
-
When you temporarily disable HTTP proxy (e.g. port 3128 is not accessible or you completely stop the service) does it help? I suspect that something is connecting through HTTP proxy on the appliance and that is causing these bursts. HTTPS communication is not cached so it always goes through the proxy.
Where can I find the HTTP proxy log? Can I enable some trace log?
-
Yes, every client uses the proxy. We have a lot of PCs that aren't in the local network that we want to manage.
-
Hi Michal!
Everything is as you want by default.
-
I stopped the bleeding by denying all HTTP and HTTPS from these IP ranges, but it doesn't resolve the root of the issue:
ip4:216.239.32.0/19
ip4:64.233.160.0/19
ip4:66.249.80.0/20
ip4:72.14.192.0/18
ip4:209.85.128.0/17
ip4:66.102.0.0/20
ip4:74.125.0.0/16
ip4:64.18.0.0/20
ip4:207.126.144.0/20
ip4:173.194.0.0/16
-
Hi Jedduff,
I have the same issue, and it happens with the ERA Server & Proxy OVAs.
I'm glad to hear you are using VMware virtual appliances.
Although the server is working properly, I hope someone else has found a fix for this bug.
Regards.
This is just "annoying", not really a big issue.
-
Hi! Download and install the Windows Installer Cleanup Utility. Open the software, select the ESET Remote Agent, delete it and install it again.
-
Hi guys!
I have an annoying problem.
First of all, this is my setup:
ERA Appliance; my internal computers use the internal FQDN of the ERA appliance (e.g. ERAConsole.localdomain.local) and my external computers (laptops, tablets, etc.) use the external FQDN (eraconsole.domain.ca) with the ports forwarded to the appliance.
When I install the Agent on an external laptop, the laptop name in the Web console is the FQDN of the internet connection.
My question is: how do I force the use of the full computer name instead of the DNS name? This is pretty annoying and it leaves the laptops in the "Lost and found" folder.
-
I don't know why, but my server looks like it doesn't update itself.
hxxp://i.share.pho.to/976fa728_o.png
I waited about 20 minutes and nothing happened (and my CRON is OK).
My server is the only one I have, an ERA Virtual Appliance. Can you help me with this?
-
Hi Tomas,
Can't we deploy the agent and NOD32 with GPO?
Hi guys!
First, thanks for the great antivirus and security products you have.
Second, I would like to know if I could deploy the new agent version by GPO. It's easier for us to manage and install ESET products this way. When a brand new computer joins the domain, the GPO automatically installs the right version of NOD32.
I can't find this information in the FAQ or the manual.
Since Firefox 39 : SSL received a weak ephemeral Diffie-Hellman key. (Error code: ssl_error_weak_server_ephemeral_dh_key)
in ESET PROTECT On-prem (Remote Management)
My Firefox got updated to 39.0.
Now I can't connect to my remote web console (v6). I get this message:
Secure Connection Failed
An error occurred during a connection to consoleeset.soges-tech.ca:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
I use the server appliance in a vmware environment.