jimwillsher, posted August 17, 2016:

Hi, I'm looking for advice please. I currently have ERA 6.4 deployed on a Hyper-V VM, and I have installed a commercial wildcard certificate. I access ERA internally via https://av.mydomain.com on port 443. As I travel a lot, I'd like to have easier access to ERA to monitor things, so I am considering changing the port from 443 and opening the port on our firewall. Would I be crazy to do this? I know that Tomcat has generally had a good track record on security and CVEs etc. I note that ERA ships with 7.0.55 of Tomcat and 7.0.70 seems to be the latest version. Should I consider upgrading to 7.0.70? Is there an ESET-approved or ESET-documented way to do this? Or should I remain at 7.0.55? All thoughts/suggestions welcome. Many thanks, Jim
Timos (Former ESET Employee), posted August 17, 2016:

Releases of ERA always contain the newest Tomcat 7, but the upgrade task applies only to the webconsole, not to Tomcat. Your 7.0.55 is from your first installation. For more security I recommend using another machine which will serve only the webconsole:

1. You have installed ERA Server on machine A.
2. Install webconsole+tomcat on some machine B with the all-in-one installer. (Possible if you run Setup.exe from the command line with parameters: Setup.exe --mode webconsole). Before install, you can substitute the tomcat installer with a newer version of Tomcat 7. You must use the all-in-one installer with the same version as the server, because otherwise webconsole and server wouldn't work together.
3. Set up tomcat to your needs (you mentioned ssl cert).
4. Set up webconsole to connect to ERA Server on machine A. It is possible by the configuration file located in C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\webapps\era\WEB-INF\classes\sk\eset\era\g2webconsole\server\modules\config\EraWebServerConfig.properties (default: localhost 2223). For more security, you can set here the public key of the ERA Cert Authority which signed the server certificate. Webconsole would then connect only to servers which authenticate by certificates signed with this CA.
5. Set the firewall to allow tcp connections from machine B to machine A on incoming port 2223.

Advantages are:
- On the internet only machine B with tomcat/webconsole is exposed. If someone attacks it, there is less chance they will get to the ERA database, where all data are stored.
- Machine A still exposes to the internet only port 2222, where agents connect.
- You do not have to backup machine A when setting this up. All of the setup is performed on machine B.

Edited August 17, 2016 by Timos
jimwillsher (author), posted August 17, 2016:

Thank you Tomas, I will give this a go :-)
MichalJ (ESET Staff), posted August 17, 2016:

On top of that, in case the ERA webconsole is accessible publicly, I would recommend a strong password + enabled 2FA for login.
jimwillsher (author), posted August 17, 2016:

Thanks Tomas. Any suggestions for implementing 2FA? We use Duo.com for other 2FA requirements but I don't think they support Tomcat. Jim
MichalJ (ESET Staff), posted August 17, 2016:

ERA itself has 2FA integrated by means of ESET Secure Authentication. You can enable it in the user settings. What you will need is to install the ESET Secure Authentication app from the respective app store on your device.
jimwillsher (author), posted August 17, 2016:

I like days when I learn something cool :-) All set up and working nicely. Thanks MichalJ
MartinK (ESET Staff), posted August 18, 2016:

In case you are interested in an even more secure connection, you could also try to configure Apache Tomcat to require client SSL/TLS authentication when accessed from an insecure network. Your browser will mostly handle this for you in case a proper certificate is available on the computer, but the configuration of tomcat requires more advanced skills and this scenario is not documented nor tested by ESET. Its biggest advantage is that not even the ERA login screen will be exposed to untrusted clients. There is also the possibility to tweak SSL/TLS parameters so that only the most secure crypto-algorithms are used. We are not able to do this by default as it would significantly reduce the list of supported browsers and operating systems.
jimwillsher (author), posted August 18, 2016:

Thanks Martin. I've enforced SSL/TLS by only forwarding a specific port (not 443) to the ERA VM. But yes, adding restrictions for SSLv3/SSLv2 etc. would be a good idea. I'll see what I can google :-) Jim

EDIT: actually it looks like it'll only accept TLS anyway:

....sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apa...

but that can be further enhanced:

....sslProtocol="TLSv1.2" keystoreFile="C:\Program Files (x86)\Apa...

Edited August 18, 2016 by jimwillsher
MartinK (ESET Staff), posted August 18, 2016:

> but that can be further enhanced:
> ....sslProtocol="TLSv1.2" keystoreFile="C:\Program Files (x86)\Apa...

Depending on your ERA version, there should also be a parameter "ciphers=" listing the supported crypto-algorithms, which may also be reduced to the most secure ones, but make sure all computers/browsers you use will be capable of connecting using the reduced list.
jimwillsher (author), posted August 18, 2016:

I'm on the latest (6.4.x) which uses Tomcat 7.0.xx, and I'll only ever connect from my laptop :-) I have access to PRTG, which can check for poor security algorithms, so I'll get that configured.

EDIT: You're right, the setting I added still allows TLS 1.0 and 1.1. This is what I have settled on:

<Connector server="OtherWebServer" port="xxxxx" protocol="HTTP/1.1"
    SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
    clientAuth="false" SSLProtocol="TLS" sslEnabledProtocols="TLSv1.2"
    keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\xxxx.keystore"
    keystorePass="xxxxx" keyAlias="tomcat"/>

Edited August 18, 2016 by jimwillsher
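As an added example (not from this thread or from ESET), here is a small Python audit of a Tomcat 7 HTTPS <Connector> covering the points raised above: Jim's observation that sslProtocol="TLS" alone still negotiates TLS 1.0/1.1 so sslEnabledProtocols must be set explicitly, MartinK's note that the ciphers= list can be reduced, and his earlier remark that clientAuth="true" keeps the login page from untrusted clients. The two connector snippets, the keystore path and password, and the cipher list are constructed placeholders; the cipher names are standard JSSE suite names, but any reduced list has to be checked against the browsers that actually need to connect.

```python
"""Audit a Tomcat 7 HTTPS <Connector> for the TLS hardening knobs discussed
in the thread. Added example, not ESET's or Tomcat's own code."""
import xml.etree.ElementTree as ET

# Protocol names Tomcat 7 (JSSE) accepts in sslEnabledProtocols that should
# not be offered on an internet-facing port.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of JSSE suite names that mark a suite as weak
# (NULL/export/anonymous/RC4/3DES/MD5).
WEAK_CIPHER_MARKERS = ("_NULL_", "EXPORT", "anon", "RC4", "3DES", "DES_", "_MD5")

# Constructed samples. The first mirrors a connector with only
# sslProtocol="TLS" (Tomcat 7 then still negotiates TLS 1.0/1.1); the second
# is the hardened form with an explicit protocol and cipher list.
# Keystore path, password and cipher list are placeholders.
WEAK_CONNECTOR = r'''<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
  keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\era.keystore"
  keystorePass="xxxxx" keyAlias="tomcat"/>'''

HARDENED_CONNECTOR = r'''<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
  sslEnabledProtocols="TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\era.keystore"
  keystorePass="xxxxx" keyAlias="tomcat"/>'''


def connector_attrs(xml_text):
    """Parse one <Connector/> element into a dict. Attribute names are
    lower-cased so that variants seen in pasted configs (SSLProtocol vs
    sslProtocol) are looked up the same way."""
    elem = ET.fromstring(xml_text)
    if elem.tag != "Connector":
        raise ValueError("expected a <Connector> element, got <%s>" % elem.tag)
    return {k.lower(): v.strip() for k, v in elem.attrib.items()}


def split_list(value):
    """Tomcat takes comma-separated lists; tolerate spaces around commas."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_connector(xml_text):
    """Return a list of findings for the connector (empty list: nothing to flag)."""
    attrs = connector_attrs(xml_text)
    findings = []

    if attrs.get("sslenabled", "false").lower() != "true":
        return ["SSLEnabled is not true: this connector serves plain HTTP"]

    protocols = split_list(attrs.get("sslenabledprotocols", ""))
    if not protocols:
        findings.append('sslEnabledProtocols not set: sslProtocol="TLS" alone '
                        "still negotiates TLS 1.0 and 1.1 on Tomcat 7")
    else:
        weak = sorted(p for p in protocols if p in WEAK_PROTOCOLS)
        if weak:
            findings.append("weak protocols enabled: " + ", ".join(weak))

    ciphers = split_list(attrs.get("ciphers", ""))
    if not ciphers:
        findings.append("ciphers not set: the JVM default suite list is used")
    else:
        weak = sorted(c for c in ciphers
                      if any(m in c for m in WEAK_CIPHER_MARKERS))
        if weak:
            findings.append("weak cipher suites listed: " + ", ".join(weak))

    if attrs.get("clientauth", "false").lower() != "true":
        findings.append("clientAuth is not true: the login page is reachable "
                        "without a client certificate (optional hardening)")

    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_CONNECTOR), ("hardened", HARDENED_CONNECTOR)):
        print(label, audit_connector(xml_text) or ["no findings"])
```

Run it against the <Connector> element copied out of server.xml; the clientAuth finding is informational, matching MartinK's caveat that client certificate authentication is an undocumented extra rather than a default.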
jimwillsher (author), posted August 18, 2016:

My attempts to upgrade Tomcat to the latest version failed miserably :-) I renamed the C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0 folder, copied the folder structure for 7.0.70 to replace the original structure, copied the ERwebapps folder and copied the keystore. But no cigar, I can't connect (the service does start okay). Have I missed anything obvious? I'm not overly concerned, and I know you're not here to support Tomcat :-) But I'm conscious that I will fall further and further behind with each new ERA release, compared to people who clean-install the next ERA release. Jim
MartinK (ESET Staff), posted August 18, 2016:

I do not want to guess, as wrong steps during Apache Tomcat installation or upgrade may result in the ERA components upgrade task no longer upgrading the Webconsole, as on Windows Server it will work only for tomcat installed by the ERA all-in-one installer. We can only hope that Timos will be able to describe the steps that have to be taken to either upgrade, or reinstall Apache Tomcat with a newer version.
Timos (Former ESET Employee), posted August 19, 2016:

I recommend this:

Short version:
- Backup your tomcat installation or the whole machine
- Uninstall tomcat/webconsole
- Install tomcat/webconsole using Setup.exe
- Apply again the custom changes you made in tomcat earlier (SSL cert, ...)

Long version:
1. Use Setup.exe (the version according to the server, 6.4 in your case) to uninstall webconsole/tomcat. The Tomcat uninstaller will ask you if you want to delete the webapps directory; accept it.
2. Run Setup.exe again.
3. Setup.exe now lets you install webconsole/tomcat only.
4. Tomcat is now hardened by Setup.exe: self-signed ssl cert, sslProtocol, ...
5. Tomcat is up and running now. Try to log in to the webconsole; it should work.
6. You have to apply your custom changes, your custom ssl cert. You know better what your changes were.

If you did not apply custom changes to tomcat/webconsole, you can skip step 6, and it is easy. I use this quite a lot when testing ERA; you shouldn't get into any big trouble.
jimwillsher (author), posted August 19, 2016:

Brilliant, thanks Timos. I've followed the steps, reinstalled my wildcard, and I'm up and running on 7.0.70. This is how everything has ended up:

ESET Remote Administrator (Server), Version 6.4.295.0
ESET Remote Administrator (Web Console), Version 6.4.266.0

Does that look okay to you, insofar as I shouldn't expect any problems whenever 6.5 comes out? Thanks again, Jim
bbahes, posted August 19, 2016:

> I do not want to guess as wrong steps during Apache Tomcat installation or upgrade may result in ERA components upgrade task to stop upgrading Webconsole as for Windows SERVER it will work only for tomcat installed by ERA all-in-one installer. We can only hope that Timos will be able to describe steps that has to be taken to either upgrade, or reinstall Apache Tomcat with newer version.

Don't you support these updates via latest webmin in 6.4?
MartinK (ESET Staff), posted August 19, 2016:

> Don't you support these updates via latest webmin in 6.4?

Yes, there should be no problem on Linux/ERA Appliance in case the standard package is used for the Apache Tomcat upgrade (= operating system update). Even older appliances used the official tomcat version supported by CentOS. Only on Windows do we expect specific tomcat registry keys to be present, and changes or custom installation steps could possibly break this detection (for example a manual installation could be completely missing the registry keys).
kingoftheworld, posted August 19, 2016:

If you are worried about exposing it to the world, have you considered accessing it through a VPN setup? Most organizations have some type of remote access configured, and if not, OpenVPN is rather simple to deploy and secure.
jimwillsher (author), posted August 19, 2016:

Thanks. I do have a VPN, and I also have a TS, so I have some options.
Timos (Former ESET Employee), posted August 22, 2016 (marked as solution):

> Brilliant, thanks Timos. I've followed the steps, reinstalled my wildcard, and I'm up and running on 7.0.70. This is how everything has ended up:
> ESET Remote Administrator (Server), Version 6.4.295.0
> ESET Remote Administrator (Web Console), Version 6.4.266.0
> Does that look okay to you, insofar as I shouldn't expect any problems whenever 6.5 comes out? Thanks again Jim

There should be no problems when 6.5 comes out. These versions are compatible. You can check it also in future versions: hxxp://support.eset.com/kb3690/