Exposing Tomcat to the internet


jimwillsher

Solved by Timos

Hi

I'm looking for advice please. I currently have ERA 6.4 deployed on a Hyper-V VM, and I have installed a commercial wildcard certificate. I access ERA internally via https://av.mydomain.com on port 443.

As I travel a lot, I'd like to have easier access to ERA to monitor things, so I am considering changing the port from 443 and opening the port on our firewall.

Would I be crazy to do this? I know that Tomcat has generally had a good track record on security and CVEs etc. I note that ERA ships with 7.0.55 of Tomcat and 7.0.70 seems to be the latest version. Should I consider upgrading to 7.0.70? Is there an ESET-approved or ESET-documented way to do this? Or should I remain at 7.0.55?

All thoughts/suggestions welcome.

Many thanks

Jim

  • Former ESET Employees

Releases of ERA always contain the newest Tomcat 7, but the upgrade task applies only to the web console, not to Tomcat. Your 7.0.55 is from your first installation.

For more security I recommend using another machine which will serve only the web console:

  1. You have ERA Server installed on machine A.
  2. Install web console + Tomcat on some machine B with the all-in-one installer. (Possible if you run Setup.exe from the command line with parameters: Setup.exe --mode webconsole). Before installing, you can substitute the Tomcat installer with a newer version of Tomcat 7. You must use the all-in-one installer with the same version as the server, because otherwise the web console and server wouldn't work together.
  3. Set up Tomcat to your needs (you mentioned the SSL cert).
  4. Set up the web console to connect to ERA Server on machine A. This is possible via the configuration file located in C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\webapps\era\WEB-INF\classes\sk\eset\era\g2webconsole\server\modules\config\EraWebServerConfig.properties (default: localhost 2223). For more security, you can set here the public key of the ERA Cert Authority which signed the server certificate. The web console would then connect only to servers which authenticate with certificates signed by this CA.
  5. Set the firewall to allow TCP connections from machine B to machine A on incoming port 2223.

Advantages are:

  • Only machine B with Tomcat/web console is exposed to the internet. If someone attacks it, there is less chance they will get to the ERA database, where all the data are stored.
  • Machine A still exposes to the internet only port 2222, where agents connect.
  • You do not have to back up machine A when setting this up. All of the setup is performed on machine B.

  • ESET Staff

ERA itself has 2FA integrated by means of ESET Secure Authentication. You can enable it in the user settings.

What you will need is to install the ESET Secure Authentication app from the respective app store on your device.

  • ESET Staff

In case you are interested in an even more secure connection, you could also try to configure Apache Tomcat to require client SSL/TLS authentication when accessed from an insecure network. Your browser will mostly handle this for you if the proper certificate is available on the computer, but the configuration of Tomcat requires more advanced skills and this scenario is not documented nor tested by ESET. Its biggest advantage is that not even the ERA login screen will be exposed to untrusted clients.

There is also the possibility to tweak SSL/TLS parameters so that only the most secure crypto-algorithms are used; we are not able to do this by default as it would significantly reduce the list of supported browsers and operating systems.

Thanks Martin. I've enforced SSL/TLS by only forwarding a specific port (not 443) to the ERA VM. But yes, adding restrictions for SSLv3/SSLv2 etc. would be a good idea. I'll see what I can google :-)

Jim

EDIT: actually it looks like it'll only accept TLS anyway:

....sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apa...

but that can be further enhanced:

....sslProtocol="TLSv1.2" keystoreFile="C:\Program Files (x86)\Apa...

  • ESET Staff
but that can be further enhanced:

....sslProtocol="TLSv1.2" keystoreFile="C:\Program Files (x86)\Apa...

Depending on your ERA version, there should also be a parameter "ciphers=" listing the supported crypto-algorithms, which may also be reduced to the most secure ones, but make sure all computers/browsers you use will be capable of connecting using the reduced list.

I'm on the latest (6.4.x) which uses Tomcat 7.0.xx, and I'll only ever connect from my laptop :-) I have access to PRTG, which can check for poor security algorithms, so I'll get that configured.

EDIT: You're right, the setting I added still allows TLS 1.0 and 1.1. This is what I have settled on:

<Connector server="OtherWebServer" port="xxxxx" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" SSLProtocol="TLS" sslEnabledProtocols="TLSv1.2" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\xxxx.keystore" keystorePass="xxxxx" keyAlias="tomcat"/>
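The settings this thread tunes by hand (which protocol versions stay negotiable, whether a cipher list is set, whether client certificates are required) are easy to get subtly wrong, as the TLS 1.0/1.1 surprise above shows. The following audit script is an added example, not code from the thread, from ESET or from Apache Tomcat: it parses a Tomcat 7 server.xml, finds every SSL-enabled Connector and reports those three points. The two server.xml fragments, the port, keystore path and password are constructed placeholders; attribute names are matched case-insensitively so the SSLProtocol spelling used in the thread is picked up, without making any claim about how Tomcat itself treats that spelling.

```python
"""Audit the TLS attributes of Tomcat 7 HTTPS <Connector> elements.

Added example (not ESET's or Apache Tomcat's code). It parses a server.xml
document and reports settings that leave old protocol versions or an
unrestricted cipher list enabled on an internet-facing web console.
"""
import xml.etree.ElementTree as ET

# JSSE protocol names that should not be enabled on an internet-facing console.
WEAK_PROTOCOLS = {"sslv2hello", "sslv3", "tlsv1", "tlsv1.1"}
# Substrings that mark a JSSE cipher-suite name as weak.
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "EXPORT", "anon", "MD5")

# Constructed server.xml fragments (port, keystore path and password are
# placeholders). BEFORE mirrors the thread's first attempt: sslProtocol="TLS"
# only. AFTER pins the enabled protocol versions and the cipher list.
SAMPLE_BEFORE = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             SSLProtocol="TLS"
             keystoreFile="C:/placeholder/tomcat.keystore"
             keystorePass="placeholder" keyAlias="tomcat"/>
</Service></Server>"""

SAMPLE_AFTER = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
             keystoreFile="C:/placeholder/tomcat.keystore"
             keystorePass="placeholder" keyAlias="tomcat"/>
</Service></Server>"""


def find_ssl_connectors(xml_text):
    """Return the attribute dicts of every Connector with SSLEnabled="true".

    Attribute names are lower-cased so both sslProtocol and SSLProtocol (as
    spelled in the thread) are picked up; this script does not check how
    Tomcat itself treats the two spellings.
    """
    root = ET.fromstring(xml_text)
    connectors = []
    for conn in root.iter("Connector"):
        attrs = {name.lower(): value for name, value in conn.attrib.items()}
        if attrs.get("sslenabled", "").lower() == "true":
            connectors.append(attrs)
    return connectors


def _split_list(value):
    """Split a comma-separated attribute value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_connector(attrs):
    """Return (level, message) findings for one SSL-enabled connector."""
    findings = []

    enabled = attrs.get("sslenabledprotocols")
    if enabled is None:
        # sslProtocol only names the SSLContext; without sslEnabledProtocols
        # the JVM's default set is negotiated, which the thread observed
        # still includes TLS 1.0 and 1.1.
        findings.append(("warn", "sslEnabledProtocols not set: JVM default "
                         "protocol versions remain negotiable"))
    else:
        weak = [p for p in _split_list(enabled) if p.lower() in WEAK_PROTOCOLS]
        if weak:
            findings.append(("warn", "weak protocol(s) enabled: " + ", ".join(weak)))

    ciphers = attrs.get("ciphers")
    if ciphers is None:
        findings.append(("warn", "ciphers not set: JVM default cipher suites "
                         "remain negotiable"))
    else:
        weak = [c for c in _split_list(ciphers)
                if any(marker in c for marker in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append(("warn", "weak cipher suite(s) listed: " + ", ".join(weak)))

    if attrs.get("clientauth", "false").lower() != "true":
        # Optional hardening mentioned in the thread: without client
        # certificates the login page itself is reachable from the internet.
        findings.append(("info", "clientAuth is not 'true': the login page is "
                         "reachable by any client that can reach the port"))
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its list of findings."""
    return {attrs.get("port", "?"): audit_connector(attrs)
            for attrs in find_ssl_connectors(xml_text)}


if __name__ == "__main__":
    for label, doc in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for port, findings in audit_server_xml(doc).items():
            print(f"[{label}] connector on port {port}:")
            for level, message in findings or [("ok", "no findings")]:
                print(f"  {level}: {message}")
```

Run it against a real server.xml by reading the file into `audit_server_xml`. The script only reads the configuration; it does not replace an external check such as the PRTG sensor mentioned above, which observes what the server actually negotiates, and the two should agree once the change is applied and Tomcat restarted.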

My attempts to upgrade Tomcat to the latest version failed miserably :-)

I renamed the C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0 folder, copied the folder structure for 7.0.70 to replace the original structure, copied the ERA webapps folder and copied the keystore. But no cigar, I can't connect (the service does start okay).

Have I missed anything obvious?

I'm not overly concerned, and I know you're not here to support Tomcat :-) But I'm conscious that I will fall further and further behind with each new ERA release, compared to people who clean-install the next ERA release.

Jim

  • ESET Staff

I do not want to guess, as wrong steps during the Apache Tomcat installation or upgrade may cause the ERA components upgrade task to stop upgrading the Webconsole, because on Windows Server it works only for Tomcat installed by the ERA all-in-one installer.

We can only hope that Timos will be able to describe the steps that have to be taken to either upgrade or reinstall Apache Tomcat with a newer version.

  • Former ESET Employees

I recommend this:

Short version:

  1. Back up your Tomcat installation or the whole machine.
  2. Uninstall Tomcat/web console.
  3. Install Tomcat/web console using Setup.exe.
  4. Apply again the custom changes you made in Tomcat earlier (SSL cert, ...).

Long version:

  1. Use Setup.exe (the version matching your server, 6.4 in your case) to uninstall web console/Tomcat. The Tomcat uninstaller will ask you if you want to delete the webapps directory; accept it.
  2. Run Setup.exe again.
  3. Setup.exe now lets you install web console/Tomcat only.
  4. Tomcat is now hardened by Setup.exe: self-signed SSL cert, sslProtocol, ...
  5. Tomcat is up and running now. Try to log in to the web console; it should work.
  6. You have to apply your custom changes, such as your custom SSL cert. You know better what your changes were.

If you did not apply custom changes to Tomcat/web console, you can skip step 6, and it is easy.

I use this quite a lot when testing ERA; you shouldn't get into any big trouble.

Brilliant, thanks Timos. I've followed the steps, reinstalled my wildcard, and I'm up and running on 7.0.70.

This is how everything has ended up:

ESET Remote Administrator (Server), Version 6.4.295.0
ESET Remote Administrator (Web Console), Version 6.4.266.0

Does that look okay to you, insofar as I shouldn't expect any problems whenever 6.5 comes out?

Thanks again

Jim

I do not want to guess, as wrong steps during the Apache Tomcat installation or upgrade may cause the ERA components upgrade task to stop upgrading the Webconsole, because on Windows Server it works only for Tomcat installed by the ERA all-in-one installer.

We can only hope that Timos will be able to describe the steps that have to be taken to either upgrade or reinstall Apache Tomcat with a newer version.

Don't you support these updates via the latest webmin in 6.4?

  • ESET Staff

Don't you support these updates via the latest webmin in 6.4?

Yes, there should be no problem on Linux/ERA Appliance in case the standard package is used for the Apache Tomcat upgrade (= operating system update). Even older appliances used the official Tomcat version supported by CentOS.

Only on Windows do we expect specific Tomcat registry keys to be present, and changes or custom installation steps could possibly break this detection (for example, a manual installation could be completely missing the registry keys).

If you are worried about exposing it to the world, have you considered accessing it through a VPN setup? Most organizations have some type of remote access configured, and if not, OpenVPN is rather simple to deploy and secure.

  • Former ESET Employees
  • Solution

ESET Remote Administrator (Server), Version 6.4.295.0
ESET Remote Administrator (Web Console), Version 6.4.266.0

Does that look okay to you, insofar as I shouldn't expect any problems whenever 6.5 comes out?

There should be no problems when 6.5 comes out.

These versions are compatible. You can check it also for future versions: hxxp://support.eset.com/kb3690/
