ShadsNZ

How to configure ciphers for communication between ERA Server & Web Console


A security scan reported vulnerabilities on port 2223 (tcp over SSL) of our ESET appliance server.

I understand this port is used for communications between the ERA Web Console and ERA Server itself. Where can I configure the ciphers used for this service/port?

I've previously changed TLS & Cipher settings for the Web Console itself but can't find the relevant area to configure the service on port 2223.

Thanks.

ESET Security Management Center (Server), Version 7.0 (7.0.471.0)
ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)
CentOS Linux 7.6.1810

RESULTS:

    CIPHER                  KEY-EXCHANGE  AUTHENTICATION  MAC   ENCRYPTION(KEY-STRENGTH)  GRADE
    TLSv1.2 WITH 64-BIT CBC CIPHERS IS SUPPORTED
    DES-CBC3-SHA            RSA           RSA             SHA1  3DES(168)                 MEDIUM
    EDH-RSA-DES-CBC3-SHA    DH            RSA             SHA1  3DES(168)                 MEDIUM
    ECDHE-RSA-DES-CBC3-SHA  ECDH          RSA             SHA1  3DES(168)                 MEDIUM
Edited by ShadsNZ
Version and OS added.


For anyone's future reference, ESET support advised there wasn't a way to modify the ciphers for the service on this port. So we resolved this issue by removing the firewall rule for port 2223 from the appliance. This will impact server-assisted installations but we don't utilise that function.

    # Show the current IPv4 and IPv6 rules
    iptables -S
    ip6tables -S
    iptables -L -n
    ip6tables -L -n

    # Replace rule 4 of the INPUT chain so that it accepts only port 2222
    iptables -R INPUT 4 -p tcp --dport 2222 -j ACCEPT
    ip6tables -R INPUT 4 -p tcp --dport 2222 -j ACCEPT

    # Confirm the change
    iptables -L -n
    ip6tables -L -n


Note you need to ensure you replace the correct rule (in our case it was line 4).

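One way to find the rule number to replace, rather than counting lines in the listing, is to parse the output of `iptables -S INPUT`. This is an added example, not part of the original posts; the function names `sample_rules` and `find_rule_numbers` are hypothetical and the ruleset is constructed, including the assumption that one multiport rule covers both 2222 and 2223.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` output (not taken from the thread).
# Assumption: ports 2222 and 2223 are opened by a single multiport rule.
sample_rules() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2222,2223 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000:8100 -j ACCEPT
EOF
}

# Read `iptables -S INPUT` on stdin and print the 1-based number of every
# INPUT rule whose --dport/--dports list or range contains the given port.
# The number is the index that `iptables -R INPUT <n>` expects; the -P policy
# line is not a rule and is not counted.
# Not evaluated: negated matches ("! --dport") and rules with no port match.
find_rule_numbers() {
    port="$1"
    awk -v port="$port" '
        $1 == "-A" && $2 == "INPUT" {
            n++
            for (i = 3; i < NF; i++) {
                if ($i != "--dport" && $i != "--dports") continue
                k = split($(i + 1), specs, ",")
                for (j = 1; j <= k; j++) {
                    # A spec is either a single port or a lo:hi range.
                    m = split(specs[j], r, ":")
                    lo = r[1] + 0
                    hi = (m == 2 ? r[2] : r[1]) + 0
                    if (port + 0 >= lo && port + 0 <= hi) { print n; next }
                }
            }
        }'
}

# Demonstration on the constructed ruleset: prints the rule covering 2223.
sample_rules | find_rule_numbers 2223
```

On the appliance itself, run `iptables -S INPUT | find_rule_numbers 2223` as root, and feed `ip6tables -S INPUT` through the same function for IPv6.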
10 hours ago, ShadsNZ said:

For anyone's future reference, ESET support advised there wasn't a way to modify the ciphers for the service on this port.  So we resolved this issue by removing the firewall rule for port 2223 from the appliance.  This will impact server assisted installations but we don't utilise that function. 

For future reference -> this is actually a bug in ESMC itself and should be resolved in upcoming releases. If there were no issue, weak ciphers would be disabled in the so-called "Advanced security" mode, which is available in ESMC's configuration. Those weak ciphers are available only for older ERA Agents connecting from even older operating systems (Windows XP, ...) where no secure algorithms were available in the system.
