September 21, 2021

ESET gateway on Debian/Ubuntu

This is on a Debian Jessie x64 Intel box. Here’s a diagram of what you’re basically trying to do:

eset gateway diagram

In the examples I use placeholder paths, usernames, and values in places; change them to what you actually have or it won't work. For example, I'm using the 172.16.50.0/24 and 172.16.123.0/24 networks. There's roughly a 100% chance that's not what you're using, so you have to change those numbers everywhere in the howto. I show everything as root, however you get there. If you use Debian Wheezy or one of the Ubuntu variants, you might have to change little things, but it should work without much modification.

First you download and install the .deb package (I just used WinSCP to transfer it after I clicked the email link to download it to a Windows box) like:

su
apt-get install ed libc6-i386
cd /home/whateveruseryouare/Downloads/
sh ./esets.amd64.deb.bin
(accept agreement)

Now you have to edit the main config file and add the AV update username and password you got with your order. NOTE: DON'T delete the leading #'s at the beginning of these lines. In this file they aren't all real comment markers like in a normal config file; some are, but the lines you want to change still need the pound sign in front of them.

vi /etc/opt/esets/esets.cfg
  #av_update_username = "EAV-xxxxxxx" <- put the real one in the quotes
  #av_update_password = "xxxxxxxxx" <- put the real one in the quotes

Now import your license like:

/opt/eset/esets/sbin/esets_lic --import /home/whateveruseryouare/Downloads/nod32.lic

Now start esets_daemon like:

/etc/init.d/esets start

If you get an error like:

>: /etc/init.d/esets restart
[....] Restarting ESET Security: esets_daemonerror[21d00000]: Cannot initialize scanner: License not found
 failed!

your import didn’t work.

Now check that it's actually running like:

ps -A | grep esets
  8755 ?        00:00:00 esets_daemon
  8757 ?        00:00:00 esets_daemon

If you don’t see anything, it’s not running.

Now you have to configure the gateway itself, specifically which interface/IP/subnet it listens on for your clients, and enable the gateway. (Routing and NAT come after that.) You can run the setup script, but it throws errors. It does, however, change the options you want in the config file. Alternatively you can just edit the file yourself and change the lines you want. It's kind of nice to run the setup script anyway, because you can cut/paste its output into esets.cfg and it gives you an idea of what you should be editing in that file. Also, at the end the script doesn't actually add the firewall (NAT) rule for you; it just prints the rule you need to add yourself. You run the setup script by doing:

/opt/eset/esets/sbin/esets_setup

Now you have to define what interface the system will listen on:

Available ESETS installations/uninstallations:
1) HTTP
2) FTP
3) ICAP
4) quit
Your selection (1-4): 1
Select local network interface:
1) eth0 (172.16.50.50): eth0 172.16.50.50
2) eth1 (172.16.123.1): eth1 172.16.123.1
3) quit
Your selection (1-3): 2
Select HTTP install/uninstall:
1) Transparent HTTP protocol scan install using esets_http: /opt/eset/esets/sbin/esets_set --section http 'agent_enabled = yes' && /opt/eset/esets/sbin/esets_set --section http 'listen_addr = 172.16.123.1' && /opt/eset/esets/sbin/esets_set --section http 'listen_port = 8080' && /etc/init.d/esets restart && echo "Add this firewall rule at the correct place and ensure it gets loaded on reboot: iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080"
2) quit
Your selection (1-2): 1
[ ok ] Restarting ESET Security: esets_daemon.
Add this firewall rule at the correct place and ensure it gets loaded on reboot: iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080
Available ESETS installations/uninstallations:
1) HTTP
2) FTP
3) ICAP
4) quit
Your selection (1-4): 4

To see if it’s running, and listening on the right ports do:

netstat -plunt | grep eset
tcp        0      0 172.16.123.1:8080     0.0.0.0:*               LISTEN      6150/esets_http

If you don’t see something like that, try manually restarting it like:

/etc/init.d/esets restart
[ ok ] Restarting ESET Security: esets_daemon.

Now you have to enable IP forwarding. The echo turns it on right now; uncommenting the line in /etc/sysctl.conf makes it stick across reboots:

echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf
  net.ipv4.ip_forward=1 (uncomment)

Okay, now (assuming you added the iptables REDIRECT rule the setup script printed) go to a laptop that's on the 172.16.123.0/24 network somewhere and see if you can get to the Internet by opening a browser and going to a NON-SSL (plain http://, port 80) web page that you haven't visited recently (so it won't be cached). Only port 80 gets redirected into esets_http by that rule, so an https:// page proves nothing here. If you can load the page, it's working. If not, fix it before proceeding, because your traffic is broken and not routing through your new gateway.

Okay, so now I'm assuming you want the rest of the non-port-80 traffic to just go out to the Internet. IF THIS IS THE CASE, go back to your gateway server and add:

iptables -t nat -A POSTROUTING -s 172.16.123.0/24 -o eth0 -j MASQUERADE

Now check that your firewall rules are sane; they should look something like:

iptables -L -vt nat
  Chain PREROUTING (policy ACCEPT 7 packets, 595 bytes)
   pkts bytes target   prot opt in    out  source    destination         
    2   120 REDIRECT   tcp  --  eth1  any  anywhere  anywhere    tcp dpt:http redir ports 8080        
...
  Chain POSTROUTING (policy ACCEPT 16 packets, 1107 bytes)
   pkts bytes target     prot opt in   out   source             destination         
    3   211 MASQUERADE  all  --  any  eth0   172.16.123.0/24    anywhere

If those two lines (at least) aren't in there, stop and fix it. If they are, save them so they come back after a reboot. The if-up.d hook has to be executable or run-parts will skip it:

iptables-save > /etc/iptables.up.rules
vi /etc/network/if-up.d/iptables
  #!/bin/sh
  iptables-restore < /etc/iptables.up.rules
chmod +x /etc/network/if-up.d/iptables
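Here is the whole firewall/forwarding part of the howto as one script, written for this page as an added example; it is not from the original post or from ESET. It assumes the same layout as above (LAN side eth1 on 172.16.123.0/24, Internet side eth0, esets_http on port 8080, rules file /etc/iptables.up.rules); all of those can be overridden through environment variables. With no arguments it prints the two nat rules and runs its sanity check against a constructed sample of `iptables-save -t nat` output embedded in the script. `--apply` adds the rules only if they aren't already loaded, turns on forwarding now and in sysctl.conf, saves the table and writes the executable if-up.d hook. `--check` runs the same sanity check against the live nat table, so you can put it in a cron job or a monitoring check.

```shell
#!/bin/sh
# Added example (not part of the original howto): build, verify and optionally
# apply the two nat rules plus IP forwarding for the ESET transparent HTTP
# gateway. Assumptions, override via environment: LAN side eth1 on
# 172.16.123.0/24, Internet side eth0, esets_http listening on port 8080.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-172.16.123.0/24}"
SCAN_PORT="${SCAN_PORT:-8080}"
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"
HOOK="${HOOK:-/etc/network/if-up.d/iptables}"

# The two rules the howto needs, in iptables-save syntax (one per line):
# redirect client port-80 traffic into esets_http, masquerade everything else.
gateway_rules() {
    printf '%s\n' \
      "-A PREROUTING -i $LAN_IF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $SCAN_PORT" \
      "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Sanity check. Reads 'iptables-save -t nat' output on stdin and returns 0
# only when BOTH rules are present: a missing REDIRECT means clients bypass
# the scanner, a missing MASQUERADE means non-port-80 traffic goes nowhere.
check_nat_rules() {
    table=$(cat)
    missing=0
    printf '%s\n' "$table" | grep -q -- \
      "-A PREROUTING .*-i $LAN_IF .*--dport 80 .*-j REDIRECT --to-ports $SCAN_PORT\$" \
      || missing=1
    printf '%s\n' "$table" | grep -q -- \
      "-A POSTROUTING .*-s $LAN_NET .*-o $WAN_IF .*-j MASQUERADE\$" \
      || missing=1
    return $missing
}

# Constructed sample of what 'iptables-save -t nat' prints once the howto's
# rules are loaded (made up for this example, not captured from a real box).
sample_nat_table() {
    printf '%s\n' '*nat' \
      ':PREROUTING ACCEPT [7:595]' ':POSTROUTING ACCEPT [16:1107]' \
      "-A PREROUTING -i $LAN_IF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $SCAN_PORT" \
      "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE" \
      'COMMIT'
}

# Apply on the gateway (as root). Each rule is added only if it is not already
# loaded (-C = check), so re-running the script never duplicates rules.
apply_gateway() {
    gateway_rules | while read -r rule; do
        # word-splitting $rule into separate iptables arguments is intended
        iptables -t nat -C ${rule#-A } 2>/dev/null || iptables -t nat $rule
    done
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    iptables-save > "$RULES_FILE"
    # if-up.d scripts are run by run-parts and must be executable
    printf '#!/bin/sh\niptables-restore < %s\n' "$RULES_FILE" > "$HOOK"
    chmod +x "$HOOK"
}

case "${1:-}" in
    --apply) apply_gateway ;;
    --check) iptables-save -t nat | check_nat_rules && echo "nat rules OK" ;;
    *)  # dry run: print the rules, then prove the checker on the sample table
        gateway_rules
        sample_nat_table | check_nat_rules && echo "sample table passes check" ;;
esac
```

The check matches on the exact interface, network and port rather than just the target name, so a rule that was typed with the wrong interface or a stale port number fails the check instead of silently passing.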

Now update to the latest malware definitions:

/opt/eset/esets/sbin/esets_update -u EAV-xxxxxx -p xxxxxxx
  Virus signature database has been updated successfully.
  Installed virus signature database version 10xxxx (xxxxxx)

Gotchas

>: /etc/init.d/esets restart
[....] Restarting ESET Security: esets_daemonerror[21d00000]: Cannot initialize scanner: License not found
 failed!

This means you didn’t import the license right.