ESET gateway with Squid3 proxy and ICAP
You can set up ESET gateway either as a standalone server, or as a scanner that hangs off a Squid proxy like this:
Proxies let you cache content so it doesn’t have to be fetched twice, make it look like you’re coming from somewhere else, hook in content scanners for things like viruses so your clients don’t get infected, and more. The cache also speeds things up, so the Internet may seem faster if you hit the same page frequently.
In this case, we’re tying an ESET gateway scanner into a Squid3 proxy using ICAP, so you can do the usual proxy stuff but also scan for malware. The examples use example paths, usernames, and values in places; change them to what you actually have or it won’t work. For example, I’m using the 172.16.50.0/24 and 172.16.123.0/24 networks. You have roughly a 100% chance of that not being what you’re using, so you have to change those numbers everywhere in the howto. I show this as root, however you get there. This howto uses Debian Jessie, so if you use Debian Wheezy or one of the Ubuntu variants you might have to change little things, but it should work without much modification. First, download and install the .deb package (I just used winscp to transfer it after clicking the email link to download it to a Windows box) like:
su
apt-get install ed libc6-i386
cd /home/whateveruseryouare/Downloads/
sh ./esets.amd64.deb.bin (accept agreement)
Now edit the main config file and add the AV update username and password that came with your order. NOTE: DON’T delete the leading #’s at the start of these lines. They aren’t really treated as comments the way you’d expect (well, some are), but the ones you want to change still need the pound sign for some reason.
vi /etc/opt/eset/esets/esets.cfg
#av_update_username = "EAV-xxxxxxx" <- put the real one in the quotes
#av_update_password = "xxxxxxxxx" <- put the real one in the quotes
Now import your license like:
/opt/eset/esets/sbin/esets_lic --import /home/whateveruseryouare/Downloads/nod32.lic
Now start esets_daemon like:
/etc/init.d/esets start
If you get an error like:
>: /etc/init.d/esets restart
[....] Restarting ESET Security: esets_daemonerror[21d00000]: Cannot initialize scanner: License not found failed!
your import didn’t work.
Now check that it’s running:
ps -A | grep esets
8755 ? 00:00:00 esets_daemon
8757 ? 00:00:00 esets_daemon
If you don’t see anything, it’s not running. Stop and fix that before you continue.
Now you have to configure the gateway itself: which interface/IP/subnet it listens on for your laptops/clients, and enabling the gateway. Run the setup script:
/opt/eset/esets/sbin/esets_setup
Now you have to define what interface the system will listen on. We pick the second network, because it’s where all your downstream laptops live:
Available ESETS installations/uninstallations:
1) HTTP
2) FTP
3) ICAP
4) quit
Your selection (1-4): 3
Select local network interface:
1) eth0 (172.16.50.50): eth0 172.16.50.50
2) eth1 (172.16.123.1): eth1 172.16.123.1
3) quit
Your selection (1-3): 2 <-- pick the one where all your LAPTOPS are on
Select ICAP install/uninstall:
1) ICAP server install: tar cf $HOME/esets_backup-20150824-095611.tar -C / 'etc/opt/eset/esets/esets.cfg' && /opt/eset/esets/sbin/esets_set --section icap 'agent_enabled = yes' && /opt/eset/esets/sbin/esets_set --section icap 'listen_addr = 172.16.123.1' && /etc/init.d/esets restart
2) quit
Your selection (1-2): 1
[ ok ] Restarting ESET Security: esets_daemon.
Available ESETS installations/uninstallations:
1) HTTP
2) FTP
3) ICAP
4) quit
Your selection (1-4): 4
To check that it’s running and listening on the right address and port:
netstat -plunt | grep eset
tcp 0 0 172.16.123.200:1344 0.0.0.0:* LISTEN 25047/esets_icap
If you don’t see something like that, try manually restarting it like:
/etc/init.d/esets restart
[ ok ] Restarting ESET Security: esets_daemon.
Now you have to enable IP forwarding like:
echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf
net.ipv4.ip_forward=1 (uncomment)
Now we set up the Squid3 proxy with C-ICAP to send traffic to the ESET gateway we just got running.
Squid3 / C-ICAP proxy setup
apt-get install squid3 c-icap
First the Squid3 basics: which network to listen on, and how to hand requests to C-ICAP so it can ask the ESET gateway whether the content is malicious.
cp /etc/squid3/squid.conf /etc/squid3/squid.conf.orig
vi /etc/squid3/squid.conf
acl localnet src 172.16.123.0/24 <- uncomment this, and change to match yours
http_access allow localnet <- uncomment
http_port 172.16.123.1:3128 <--- set the port/IP to what you want, 3128 is default
You might want to uncomment other features, but for now restart squid and see if it’s running:
ps -e | grep squid3
6549 ? 00:00:00 squid3
6552 ? 00:00:00 squid3
If you don’t see these running, stop and fix stuff before enabling icap. If you see these, continue to edit squid.conf to enable icap like:
vi /etc/squid3/squid.conf
icap_enable on <-- uncomment and change to 'on'
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username <-- uncomment
You’ll also have to add these lines near the end of the icap section:
vi /etc/squid3/squid.conf
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/av_scan
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/av_scan
adaptation_access service_req allow all
adaptation_access service_resp allow all
Okay, now we have to configure c-icap:
vi /etc/default/c-icap
# Should c-icap daemon run automatically on startup? (default: no)
START=yes <-- change to yes
vi /etc/c-icap/c-icap.conf
ServiceAlias av_scan esets_icap <-- add this line
Now restart c-icap:
/etc/init.d/c-icap restart
[ ok ] Restarting c-icap (via systemctl): c-icap.service.
Now restart squid3:
/etc/init.d/squid3 restart
[....] Restarting squid3 (via systemctl): squid3.service . ok
Okay, now go to a laptop somewhere on the 172.16.123.0/24 network and see if you can get to the Internet by opening a browser and going to a NON-SSL webpage that you haven’t visited recently (so it won’t be cached). If you can, it’s working. If not, fix it before proceeding, because your traffic is busted and not routing through your new gateway.
Okay, so now I’m assuming you want the rest of the non-port-80 traffic to just go out to the Internet. IF THIS IS THE CASE, go back to your gateway server and add:
iptables -t nat -A POSTROUTING -s 172.16.123.0/24 -o eth0 -j MASQUERADE
Now check your firewall rules and see if they are sane. The PREROUTING REDIRECT line is what pushes port-80 traffic arriving on eth1 into Squid on 3128, and the POSTROUTING MASQUERADE line is what lets everything else out. They should look something like:
iptables -L -vt nat
Chain PREROUTING (policy ACCEPT 7 packets, 595 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  eth1   any     anywhere             anywhere             tcp dpt:http redir ports 3128
...
Chain POSTROUTING (policy ACCEPT 16 packets, 1107 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   211 MASQUERADE all  --  any    eth0    172.16.123.0/24      anywhere
If those two lines (at least) aren’t in there, stop and fix it. If they are, save them so they come up after reboot like:
iptables-save > /etc/iptables.up.rules
vi /etc/network/if-up.d/iptables
#!/bin/sh
iptables-restore < /etc/iptables.up.rules
Now we update to the latest malware definitions:
/opt/eset/esets/sbin/esets_update -u EAV-xxxxxx -p xxxxxxx
Virus signature database has been updated successfully.
Installed virus signature database version 10xxxx (xxxxxx)
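As an added check on the Squid -> c-icap -> esets_icap chain built above (example code written for this page, not part of the original howto or of ESET’s tooling), here is a small ICAP client that talks to the av_scan service the way Squid does: it builds the OPTIONS and RESPMOD messages, computes the Encapsulated offsets, and reads the verdict back. It assumes the 127.0.0.1:1344/av_scan address from the squid.conf icap_service lines; the X-Infection-Found header is the common ICAP convention and is an assumption here, not taken from ESET documentation.

```python
import socket
ICAP_HOST, ICAP_PORT, SERVICE = "127.0.0.1", 1344, "av_scan"  # as in the squid.conf icap_service lines

def build_options_request(host=ICAP_HOST, port=ICAP_PORT, service=SERVICE):
    # OPTIONS is the first thing Squid sends, to learn what the service supports
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\nHost: {host}\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode()

def encapsulated_header(req_hdr, res_hdr):
    # RFC 3507 4.4.1: byte offset of each section inside the ICAP message body
    return f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"

def build_respmod_request(request_line, response_headers, body,
                          host=ICAP_HOST, port=ICAP_PORT, service=SERVICE):
    # RESPMOD hands an origin-server reply to the scanner, like Squid's respmod_precache service;
    # the HTTP body travels chunked, and Allow: 204 lets the scanner say "unchanged" without echoing it
    req_hdr = request_line + b"\r\n\r\n"            # minimal req-hdr: just the request line
    res_hdr = response_headers + b"\r\n\r\n"
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap_hdr = (f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0\r\nHost: {host}\r\nAllow: 204\r\n"
                f"Encapsulated: {encapsulated_header(req_hdr, res_hdr)}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + chunked

def parse_icap_response(raw):
    # returns (status code, lower-cased header dict, bytes after the ICAP headers)
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    code = int(lines[0].split(" ", 2)[1])
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return code, headers, rest

def verdict(code, headers):
    # Squid's view: 204 = pass the original through; 200 = the scanner substituted its own response
    # (for an AV service, normally a block page). X-Infection-Found is assumed, not ESET-documented.
    if code == 204:
        return "clean"
    if code == 200:
        found = headers.get("x-infection-found")
        return f"infected: {found}" if found else "modified"
    return f"icap error {code}"

def probe_options(host=ICAP_HOST, port=ICAP_PORT, service=SERVICE, timeout=5):
    # live check from the gateway box: does the av_scan service answer OPTIONS at all?
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, port, service))
        raw = b""
        while b"\r\n\r\n" not in raw and (chunk := s.recv(4096)):
            raw += chunk
    return parse_icap_response(raw)
```

Run probe_options() on the gateway itself to confirm the service answers; pushing the standard EICAR test file body through build_respmod_request() is the harmless way to confirm a detection comes back as a block rather than a 204.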