ESET gateway on Debian/Ubuntu
This is on a Debian Jessie x64 Intel box. Here’s a diagram of what you’re basically trying to do:
In the examples I use example paths, usernames, and values in places; change them to what you actually have or it won't work. For example, I'm using the 172.16.50.0/24 and 172.16.123.0/24 networks. You have roughly a 100% chance of that not being what you're using, so you have to change those numbers in all places in the howto. I show this as root, however you get there. If you use Debian Wheezy or one of the Ubuntu variants, you might have to change little stuff, but it should work without much modification. First you download and install the .deb package (I just used WinSCP to transfer it after I clicked the email link to download it to a Windows box) like:
su
apt-get install ed libc6-i386
cd /home/whateveruseryouare/Downloads/
sh ./esets.amd64.deb.bin    (accept agreement)
Now you have to edit the main config file and add the AV update username and password you got with your order. NOTE: DON'T delete the leading #'s at the beginning of these lines. They are not plain comment markers like in a normal config file (well, some are), but the lines you want to change still need the pound sign for some reason.
vi /etc/opt/esets/esets.cfg
#av_update_username = "EAV-xxxxxxx"    <- put the real one in the quotes
#av_update_password = "xxxxxxxxx"      <- put the real one in the quotes
Now import your license like:
/opt/eset/esets/sbin/esets_lic --import /home/whateveruseryouare/Downloads/nod32.lic
Now start esets_daemon like:
/etc/init.d/esets start
If you get an error like:
/etc/init.d/esets restart
[....] Restarting ESET Security: esets_daemonerror[21d00000]: Cannot initialize scanner: License not found
 failed!
your import didn’t work.
Now check to see if it’s running now like:
ps -A | grep esets
 8755 ?        00:00:00 esets_daemon
 8757 ?        00:00:00 esets_daemon
If you don’t see anything, it’s not running.
Now you have to set up routing.
Now you have to configure the gateway itself, specifically which interface/IP/subnet it listens for your clients on, and enable the gateway itself. You can run the setup script, but it throws errors. However, it does change the options you want in the config file. Alternatively you can just edit the file yourself and change the lines you want. It's kind of nice to run the setup script anyway, because you can at least cut/paste its output into the esets.cfg file and get an idea of what you should be editing in that file. Also, the end of the script tries to implement a firewall (NAT) rule, which also fails. You run the setup script by doing:
/opt/eset/esets/sbin/esets_setup
Now you have to define what interface the system will listen on:
Available ESETS installations/uninstallations:
 1) HTTP
 2) FTP
 3) ICAP
 4) quit
Your selection (1-4): 1
Select local network interface:
 1) eth0 (172.16.50.50): eth0 172.16.50.50
 2) eth1 (172.16.123.1): eth1 172.16.123.1
 3) quit
Your selection (1-3): 2
Select HTTP install/uninstall:
 1) Transparent HTTP protocol scan install using esets_http:
    /opt/eset/esets/sbin/esets_set --section http 'agent_enabled = yes' && /opt/eset/esets/sbin/esets_set --section http 'listen_addr = 172.16.123.1' && /opt/eset/esets/sbin/esets_set --section http 'listen_port = 8080' && /etc/init.d/esets restart && echo "Add this firewall rule at the correct place and ensure it gets loaded on reboot: iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080"
 2) quit
Your selection (1-2): 1
[ ok ] Restarting ESET Security: esets_daemon.
Add this firewall rule at the correct place and ensure it gets loaded on reboot: iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080
Available ESETS installations/uninstallations:
 1) HTTP
 2) FTP
 3) ICAP
 4) quit
Your selection (1-4): 4
To see if it's running and listening on the right address and port, do:
netstat -plunt | grep eset
tcp        0      0 172.16.123.1:8080       0.0.0.0:*               LISTEN      6150/esets_http
If you don’t see something like that, try manually restarting it like:
/etc/init.d/esets restart
[ ok ] Restarting ESET Security: esets_daemon.
Now you have to enable IP forwarding like:
echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf
net.ipv4.ip_forward=1    (uncomment this line)
Okay, now go to a laptop that's somewhere on the 172.16.123.0/24 network and see if you can get to the Internet by opening a browser and going to a NON-SSL webpage that you haven't visited recently (so it won't be cached). If you can, it's working. If not, fix it before proceeding, because your traffic is busted and not routing through your new gateway.
Okay, so now I'm assuming you want the rest of the non-port-80 traffic to just go out to the Internet. IF THIS IS THE CASE, go back to your gateway server and just add:
iptables -t nat -A POSTROUTING -s 172.16.123.0/24 -o eth0 -j MASQUERADE
Now check your firewall rules and see if they are sane. They should look something like:
iptables -L -vt nat
Chain PREROUTING (policy ACCEPT 7 packets, 595 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  eth1   any     anywhere             anywhere             tcp dpt:http redir ports 8080
...
Chain POSTROUTING (policy ACCEPT 16 packets, 1107 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   211 MASQUERADE all  --  any    eth0    172.16.123.0/24      anywhere
If those two rules (at least) aren't in there, stop and fix it. If they are, save them so they come back after a reboot like:
iptables-save > /etc/iptables.up.rules
vi /etc/network/if-up.d/iptables
#!/bin/sh
iptables-restore < /etc/iptables.up.rules
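The netstat check, the ip_forward check and the "are my two NAT rules there" check above are easy to get subtly wrong by eye (wrong interface, wrong port, rule in the wrong chain). Here is a small sanity-check script, added as an example for this howto and not part of ESET's package, that does those checks programmatically and also writes the if-up.d hook with the exec bit set (ifupdown silently ignores a hook that isn't executable, which is the usual reason the rules "don't come back" after a reboot). The addresses, interfaces and file paths are assumptions copied from the howto's examples; override them through the environment variables at the top. The sample netstat and iptables-save output embedded in the script is constructed, not captured from a real box, so the checks can be exercised offline; run it with `--live` as root to check the real machine.

```shell
#!/bin/sh
# Sanity checker for the ESET transparent HTTP gateway built in this howto.
# Assumed values (from the howto's examples) - change them to match your box.
LISTEN_ADDR="${LISTEN_ADDR:-172.16.123.1}"   # esets_http listen_addr
LISTEN_PORT="${LISTEN_PORT:-8080}"           # esets_http listen_port
LAN_NET="${LAN_NET:-172.16.123.0/24}"        # client subnet behind the gateway
IN_IF="${IN_IF:-eth1}"                       # interface facing the clients
OUT_IF="${OUT_IF:-eth0}"                     # interface facing the Internet
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"

# Escape dots so an address can be used literally inside an extended regex.
re_escape() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# check_listener NETSTAT_OUTPUT
# 0 if `netstat -plunt` output shows esets_http listening on LISTEN_ADDR:LISTEN_PORT, else 1.
check_listener() {
    printf '%s\n' "$1" | grep -E \
        "^tcp[[:space:]].*[[:space:]]$(re_escape "$LISTEN_ADDR"):${LISTEN_PORT}[[:space:]].*LISTEN[[:space:]].*esets_http" >/dev/null
}

# check_ip_forward FILE
# 0 if the sysctl file (normally /proc/sys/net/ipv4/ip_forward) contains 1.
check_ip_forward() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# check_nat_rules IPTABLES_SAVE_OUTPUT
# Looks for the two rules the howto requires, in `iptables-save -t nat` format.
# Returns 0 if both are present, 1 if the REDIRECT is missing, 2 if the MASQUERADE is missing, 3 if both.
check_nat_rules() {
    rc=0
    printf '%s\n' "$1" | grep -E \
        "^-A PREROUTING .*-i ${IN_IF} .*--dport 80 .*-j REDIRECT --to-ports ${LISTEN_PORT}$" >/dev/null \
        || { echo "missing: port-80 REDIRECT on ${IN_IF} to port ${LISTEN_PORT}" >&2; rc=$((rc + 1)); }
    printf '%s\n' "$1" | grep -E \
        "^-A POSTROUTING -s $(re_escape "$LAN_NET") -o ${OUT_IF} -j MASQUERADE$" >/dev/null \
        || { echo "missing: MASQUERADE for ${LAN_NET} out ${OUT_IF}" >&2; rc=$((rc + 2)); }
    return $rc
}

# write_restore_hook DIR
# Writes the if-up.d hook from the howto into DIR/iptables and marks it executable.
write_restore_hook() {
    hook="$1/iptables"
    printf '#!/bin/sh\niptables-restore < %s\n' "$RULES_FILE" > "$hook" && chmod 0755 "$hook"
}

# Constructed sample output (not captured from a real system) for offline exercise of the checks.
SAMPLE_NETSTAT='tcp        0      0 172.16.123.1:8080       0.0.0.0:*               LISTEN      6150/esets_http'
SAMPLE_NAT_OK='*nat
:PREROUTING ACCEPT [7:595]
:POSTROUTING ACCEPT [16:1107]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 172.16.123.0/24 -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_NAT_NO_MASQ='*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# self_test: 0 when every check behaves as expected on the constructed samples.
self_test() {
    check_listener "$SAMPLE_NETSTAT" || return 1
    check_nat_rules "$SAMPLE_NAT_OK" || return 1
    rc=0; check_nat_rules "$SAMPLE_NAT_NO_MASQ" 2>/dev/null || rc=$?
    [ "$rc" -eq 2 ] || return 1
    return 0
}

# run_live: check this machine (iptables-save needs root).
run_live() {
    check_listener "$(netstat -plunt 2>/dev/null)" && echo "esets_http listening on ${LISTEN_ADDR}:${LISTEN_PORT}"
    check_ip_forward /proc/sys/net/ipv4/ip_forward && echo "ip_forward is 1"
    check_nat_rules "$(iptables-save -t nat 2>/dev/null)" && echo "both NAT rules present"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Keep in mind what these checks do and do not prove: a green result means port-80 traffic from the LAN is being redirected into esets_http and everything else is being masqueraded out, exactly as the howto sets up. It says nothing about HTTPS, which the REDIRECT rule does not touch and which therefore leaves the gateway unscanned (this is why the browser test above uses a NON-SSL page).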
Now we update to the latest malware definitions:
/opt/eset/esets/sbin/esets_update -u EAV-xxxxxx -p xxxxxxx
Virus signature database has been updated successfully.
Installed virus signature database version 10xxxx (xxxxxx)
Gotchas
/etc/init.d/esets restart
[....] Restarting ESET Security: esets_daemonerror[21d00000]: Cannot initialize scanner: License not found
 failed!
This means you didn’t import the license right.