How to configure ciphers for communication between ERA Server & Web Console


A security scan reported vulnerabilities on port 2223 (tcp over SSL) of our ESET appliance server.

I understand this port is used for communications between the ERA Web Console and ERA Server itself. Where can I configure the ciphers used for this service/port?

I've previously changed TLS & Cipher settings for the Web Console itself but can't find the relevant area to configure the service on port 2223.

Thanks.

ESET Security Management Center (Server), Version 7.0 (7.0.471.0)
ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)
CentOS Linux 7.6.1810

 

 

RESULTS:

CIPHER                  KEY-EXCHANGE  AUTHENTICATION  MAC   ENCRYPTION(KEY-STRENGTH)  GRADE
TLSv1.2 WITH 64-BIT CBC CIPHERS IS SUPPORTED
DES-CBC3-SHA            RSA           RSA             SHA1  3DES(168)                 MEDIUM
EDH-RSA-DES-CBC3-SHA    DH            RSA             SHA1  3DES(168)                 MEDIUM
ECDHE-RSA-DES-CBC3-SHA  ECDH          RSA             SHA1  3DES(168)                 MEDIUM

Edited by ShadsNZ
Version and OS added.

For anyone's future reference, ESET support advised there wasn't a way to modify the ciphers for the service on this port. So we resolved this issue by removing the firewall rule for port 2223 from the appliance. This will impact server-assisted installations but we don't utilise that function.

 

iptables -S

ip6tables -S

iptables -L -n

ip6tables -L -n

iptables -R INPUT 4 -p tcp --dport 2222 -j ACCEPT

ip6tables -R INPUT 4 -p tcp --dport 2222 -j ACCEPT

iptables -L -n

ip6tables -L -n

 

Note you need to ensure you replace the correct rule (in our case it was line 4).

 

 

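The note above about replacing the correct rule can be checked rather than counted by eye. The following is an added example, not part of the original posts: it parses `iptables -S INPUT` output and reports the rule number that opens a given TCP port, and whether that rule opens only that port or shares it with others. The function names `find_rules` and `port_in_spec` and the sample ruleset are constructed for illustration and are not taken from the appliance.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): locate INPUT rules that open a TCP port
# by parsing `iptables -S INPUT` output, so the rule number is not guessed.

# port_in_spec PORT SPEC: succeeds if PORT is covered by a --dport/--dports
# value such as "2223", "2222,2223" or "2222:2223".
port_in_spec() {
  local port=$1 item lo hi
  local IFS=,
  for item in $2; do
    lo=${item%%:*}; hi=${item##*:}
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
  done
  return 1
}

# find_rules PORT: reads `iptables -S INPUT` text on stdin and prints
# "<rule-number> only|shared" for each TCP ACCEPT rule covering PORT.
# "only":   the rule opens just that port (candidate for -D).
# "shared": it also opens other ports (candidate for -R, as in the thread).
find_rules() {
  local port=$1 n=0 line spec
  while IFS= read -r line; do
    case $line in "-A INPUT "*) n=$((n + 1)) ;; *) continue ;; esac
    case $line in *"-p tcp"*) ;; *) continue ;; esac
    case $line in *"-j ACCEPT"*) ;; *) continue ;; esac
    spec=$(printf '%s\n' "$line" | sed -n 's/.* --dports\{0,1\} \([0-9,:]*\).*/\1/p')
    [ -n "$spec" ] || continue
    port_in_spec "$port" "$spec" || continue
    if [ "$spec" = "$port" ]; then echo "$n only"; else echo "$n shared"; fi
  done
}

# Constructed sample of `iptables -S INPUT` output (not taken from the appliance).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2222,2223 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | find_rules 2223   # prints: 4 shared
```

On the host, feed it live output with `iptables -S INPUT | find_rules 2223` and again with `ip6tables`, since the IPv4 and IPv6 rule numbers need not match.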

  • ESET Staff
10 hours ago, ShadsNZ said:

For anyone's future reference, ESET support advised there wasn't a way to modify the ciphers for the service on this port.  So we resolved this issue by removing the firewall rule for port 2223 from the appliance.  This will impact server assisted installations but we don't utilise that function. 

For future reference: this is actually a bug in ESMC itself and should be resolved for upcoming releases. If there were no issue, weak ciphers would be disabled in the so-called "Advanced security" mode, which is available in ESMC's configuration. Those weak ciphers are available only for older ERA Agents connecting from even older operating systems (Windows XP, ...) where no secure algorithms were available in the system.
