Instalasi ESET Security Management Center – CentOS 7.x
Tambahkan repo EPEL
yum install epel-release
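Tambahkan repository MySQL 5.7 (paket release ini memasang definisi repo dan kunci GPG MySQL, jadi sebaiknya diunduh lewat https:// dan bukan http://)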
rpm -Uvh http://dev.mysql.com/get/mysql57-community-release-el7-7.noarch.rpm
#install MYSQL 5.7
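# Disable MySQL default AppStream repository (hanya untuk CentOS/RHEL 8; CentOS 7 tidak punya AppStream maupun perintah "module", jadi langkah ini dilewati)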
yum module reset mysql && sudo dnf module disable mysql
# Tambahkan repository MySQL 5.7
vi /etc/yum.repos.d/mysql-community.repo
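#Tambahkan pada bagian bawah
#Catatan: gpgcheck=0 mematikan verifikasi tanda tangan paket dan baseurl memakai http://,
#sehingga paket MySQL bisa diubah di perjalanan tanpa terdeteksi. Untuk server produksi
#pakai gpgcheck=1 beserta gpgkey resmi MySQL.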
[mysql57-community]
name=MySQL 5.7 Community Server
baseurl=http://repo.mysql.com/yum/mysql-5.7-community/el/7/$basearch/
enabled=1
gpgcheck=0
[mysql-connectors-community]
name=MySQL Connectors Community
baseurl=http://repo.mysql.com/yum/mysql-connectors-community/el/7/$basearch/
enabled=1
gpgcheck=0
[mysql-tools-community]
name=MySQL Tools Community
baseurl=http://repo.mysql.com/yum/mysql-tools-community/el/7/$basearch/
enabled=1
gpgcheck=0
Update OS
yum update
Install Dependencies CentOS 7.x
yum install -y wget lshw mysql-community-server mysql-connector-odbc xorg-x11-server-Xvfb cifs-utils krb5-workstation samba samba-winbind-clients openldap-clients net-snmp-utils net-snmp policycoreutils-devel java-1.8.0-openjdk tomcat qt4-webkit links yum-plugin-versionlock httpd setroubleshoot-server mod_ssl cyrus-sasl-gssapi cyrus-sasl-ldap
note : Pastikan untuk mysql install versi 5.7.
Edit Konfigurasi apache vi /etc/httpd/conf/httpd.conf
Edit pada bagian listen Listen 3128
Ubah Konfigurasi di
httpd.conf
Dari IncludeOptional conf.d/*.conf
Diubah menjadi
caching proxy
IncludeOptional conf.d/proxy.conf
Buat konfigurasi baru untuk proxy
vi /etc/httpd/conf.d/proxy.conf
Masukkan Konfigurasi Berikut
Catatan: pada salinan di halaman ini tag pembungkus bertanda kurung sudut tampaknya tidak ikut tampil (penutup blok If, serta blok yang membungkus "Deny from all" dan tiap "Allow from all"), jadi jangan ditempel apa adanya; ambil berkas lengkapnya dari dokumentasi ESET. Karena "ProxyRequests On" menjadikan Apache forward proxy, pastikan aturan deny-all dan daftar izinnya benar-benar aktif agar server tidak menjadi open proxy.
##################################################################
############### Konfigurasi HTTP Proxy ESET ####################
#
# Enable HTTP Cache
#
CacheEnable disk http://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 200000000
CacheMaxExpire 604800
CacheQuickHandler Off
CacheRoot /var/cache/httpd/proxy
AllowCONNECT 443 563 2222
#ProxyRemote * http://user_proxy:password_proxy@IPSERVERPROXY:3128
ProxyRequests On
ProxyVia On
CacheLock on
CacheLockMaxAge 10
ProxyTimeOut 900
SetEnv proxy-initial-not-pooled 1
ErrorLog "|/usr/sbin/rotatelogs -n 10 /var/log/httpd/error_log 1M"
ProxyRequests On
ServerName r.edtd.eset.com
<If "%{REQUEST_METHOD} == 'CONNECT'">
Require all denied
ProxyRequests Off
CacheEnable disk /
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=10 smax=10
ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On
Deny from all
#*.eset.com:
Allow from all
#*.eset.eu:
Allow from all
#*.eset.systems:
Allow from all
#Antispam module (ESET Mail Security only):
Allow from all
#Services (activation)
Allow from all
#ESET servers accessed directly via IP address:
Allow from all
#Microsoft trusted roots distribution
Allow from all
#Microsoft pki (crt and crl)
Allow from all
# MS Network Connectivity Status Indicator https://technet.microsoft.com/en-us/library/cc766017(v=ws.10).aspx
Allow from all
#Symantec/thawte ocsp/crl
Allow from all
#Symantec ocsp
Allow from all
#Allow connection to my ESMC Server machine jika hostname dan IP
#
#Allow from all
#
#Allow connection to my ESMC Server machine jika FQDN atau hostname
#
#Allow from all
#
#Allow connection to my ESMC Server machine jika IP, dalam contoh adalah IP ESMC adalah 10.1.1.123
#
#Allow from all
#
################### End Of Configuration #########################
##################################################################
Add port 3128 di selinux apache
semanage port -m -t http_port_t -p tcp 3128
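Open Port Firewall (silakan skip jika tidak terinstall). Aturan --permanent baru aktif setelah firewall-cmd --reload. Bila proxy hanya dipakai klien internal, batasi port 3128 ke subnet internal saja (lihat contoh rich-rule pada bagian "Jika Spesifik").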
firewall-cmd --zone=public --add-port=3128/tcp --permanent
Set Cache Directory di Selinux (optional)
semanage fcontext -a -t httpd_cache_t "/var/cache/httpd(/.*)?"
Apply selinux directory (optional)
restorecon -Rv /var/cache/httpd
Set Agar Apache bisa konek ke Proxy internal
setsebool -P httpd_can_network_connect 1
atau
setsebool -P httpd_can_network_connect true
Buat service htcacheclean
mkdir -p /etc/systemd/system/httpd.service.requires
ln -s /usr/lib/systemd/system/htcacheclean.service /etc/systemd/system/httpd.service.requires
Edit parameter htcacheclean
vi /etc/sysconfig/htcacheclean
Tambahkan parameter berikut
INTERVAL=60
CACHE_ROOT=/var/cache/httpd/proxy
LIMIT=5000M
OPTIONS=-t -i -n L12000
Enable startup Apache
systemctl enable httpd
Restart apache service
systemctl restart httpd
Check yang telah di cache Apache Proxy
/usr/sbin/htcacheclean -a -p /var/cache/httpd/proxy/
Test proxy
wget www.google.com -e use_proxy=yes -e http_proxy=MyDearERAServer:3128
Jika Error
-- http://www.google.com/
> 'index.html'
Connecting to YourDearERAServer:3128... connected.
Proxy request sent, awaiting response... 403 Forbidden
15:05:34 ERROR 403: Forbidden.
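Maka proxy telah jalan: 403 untuk situs di luar daftar ESET berarti aturan "Deny from all" bekerja dan proxy tidak terbuka untuk tujuan lain.
Downgrade ODBC ke versi 5.3.10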
yum downgrade mysql-connector-odbc-5.3.10
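Lock MySQL Component agar tidak upgrade (catatan: paket yang dikunci juga tidak menerima update keamanan dari yum update, jadi tinjau dan perbarui secara berkala)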
yum versionlock mysql-*
Start MySQL
systemctl start mysqld
Ambil random root password
grep 'A temporary password is generated for root@localhost' /var/log/mysqld.log |tail -1
Buat password MySQL dengan command mysql_secure_installation
# Edit Konfigurasi MySQL
vi /etc/my.cnf
# Tambahkan di bawah [mysqld] konfigurasi berikut
#ESET Requirement
max_allowed_packet = 500M
innodb_log_file_size = 100M
innodb_log_files_in_group = 4
Restart MySQL dengan command systemctl restart mysqld
Set MySQL agar start saat OS Restart
systemctl enable mysqld
Download ERA war
wget https://download.eset.com/com/eset/apps/business/era/webconsole/latest/era.war
Copy file ESMC Console dengan command cp era.war /var/lib/tomcat/webapps/
Restart Service Tomcat dengan command systemctl restart tomcat
Set Tomcat agar start saat OS Restart systemctl enable tomcat
Download package server-linux, Agent-linux, RDSensor-Linux untuk link installer : https://www.eset.com/int/business/security-management-center/download/#standalone
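#Download package ESMC, pastikan sesuai berdasarkan OS.
#Installer ini dijalankan sebagai root; sebelum dijalankan, cocokkan checksum berkas dengan nilai di halaman unduhan ESET bila tersedia.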
wget https://download.eset.com/com/eset/apps/business/era/server/linux/latest/server-linux-x86_64.sh
wget https://download.eset.com/com/eset/apps/business/era/agent/latest/agent-linux-x86_64.sh
wget https://download.eset.com/com/eset/apps/business/era/mdm/latest/mdmcore-linux-x86_64.sh
wget https://download.eset.com/com/eset/apps/business/era/rdsensor/latest/rdsensor-linux-x86_64.sh
# Ubah permission installer agar bisa di install
chmod +x server-linux-x86_64.sh agent-linux-x86_64.sh mdmcore-linux-x86_64.sh rdsensor-linux-x86_64.sh
NOTE : Package installer mdm untuk install ESET mobile. jika tidak di install untuk mobile bisa di skip bagian MDM.
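# Install ESMC Server (sesuaikan dengan password mysql, password yang akan dipakai login ESMC)
# Catatan: password yang ditulis di command line tersimpan di history shell dan terlihat di daftar proses
# selama installer berjalan; ganti nilai contoh dengan password yang kuat dan bersihkan history setelahnya.
# --cert-hostname="*" membuat sertifikat server berlaku untuk nama host apa pun; lebih aman diisi nama host/IP ESMC yang sebenarnya.
# --db-user-username=root membuat ESMC memakai akun root MySQL untuk operasi sehari-hari; pertimbangkan user database khusus.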
./server-linux-x86_64.sh --skip-license --db-driver="MySQL ODBC 5.3 Unicode Driver" --db-hostname=127.0.0.1 --db-port=3306 --db-admin-username=root --db-admin-password=mysqlpassword --server-root-password="Passwordlogin" --db-user-username=root --db-user-password=mysqlpassword --cert-hostname="*" --enable-imp-program
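# Coba Akses ESMC Webconsole: http://IP_ADDRESS_ATAU_HOSTNAME:8080/era
# (akses ini lewat HTTP tanpa enkripsi, jadi password login terkirim polos; aktifkan HTTPS di Tomcat sebelum dipakai di luar jaringan terpercaya)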
# Backup Certificate
#https://help.eset.com/esmc_admin/70/en-US/export_a_public_key.html
#https://help.eset.com/esmc_admin/70/en-US/export_a_public_key.html?export_certificate.html
# Install Agent (sesuaikan dengan password login ESMC yang telah dibuat Sebelumnya)
./agent-linux-x86_64.sh --skip-license --hostname=localhost --port=2222 --webconsole-hostname=localhost --webconsole-port=2223 --webconsole-user=administrator --webconsole-password="passwordlogin" --cert-auto-confirm --enable-imp-program
Install RDSensor
./rdsensor-linux-x86_64.sh --skip-license
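Open Port Firewall (silakan skip jika tidak terinstall). Port 137-139 dan 445 adalah port SMB/NetBIOS; buka hanya bila memang diperlukan dan batasi ke subnet internal. Jalankan firewall-cmd --reload agar aturan --permanent aktif.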
firewall-cmd --zone=public --add-port=2222/tcp --permanent
firewall-cmd --zone=public --add-port=2223/tcp --permanent
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-port=139/tcp --permanent
firewall-cmd --zone=public --add-port=445/tcp --permanent
firewall-cmd --zone=public --add-port=137/udp --permanent
firewall-cmd --zone=public --add-port=138/udp --permanent
firewall-cmd --zone=public --add-port=1237/udp --permanent
firewall-cmd --zone=public --add-port=1238/udp --permanent
# Jika Spesifik
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="8080" protocol="tcp" accept' --permanent
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="3128" protocol="tcp" accept' --permanent
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port port="2222" protocol="tcp" accept' --permanent
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port port="2223" protocol="tcp" accept' --permanent
Enable startup firewall
systemctl enable firewalld
Install OPTIONAL Jika lisensi Minimal EEPS/EEPA
#Bahan yang diperlukan
#- export certificate agent dari ESMC
#- buat certificate mdm baru di ESMC lalu export dalam bentuk pfx
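# Install MDM (pastikan mdm hostnamenya FQDN yang sifatnya public, untuk mysql password dan console password disamakan dengan ESMC yang telah dibuat sebelumnya)
# Catatan: berkas yang diunduh di atas bernama mdmcore-linux-x86_64.sh (huruf kecil); nama berkas di Linux case-sensitive, jadi sesuaikan nama pada perintah di bawah.
# Password di command line juga tersimpan di history shell dan terlihat di daftar proses; bersihkan history setelah instalasi.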
./MDMCore-Linux-x86_64.sh --https-cert-path=PATH_Certificate_MDM_ESMC --port=2222 --db-type="MySQL" --db-driver="MySQL ODBC 5.3 Unicode Driver" --db-admin-username="root" --db-admin-password=PASSWORD_MYSQL --db-user-password=PASSWORD_MYSQL --db-hostname="127.0.0.1" --hostname=IP_ESMC --webconsole-password=PASSWORD_LOGIN_WEB_ESMC --cert-auto-confirm --mdm-hostname=FQDN_MDM --skip-license --enable-imp-program
Jika Upgrade dari versi sebelumnya
./MDMCore-Linux-x86_64.sh --hostname=IP_ESMC --webconsole-password=PASSWORD_LOGIN_WEB_ESMC --mdm-hostname=FQDN_MDM --https-cert-path=PATH_Certificate_MDM_ESMC --skip-license --enable-imp-program
Open Port Firewall(silakan skip jika tidak terinstall)
firewall-cmd --zone=public --add-port=9977/tcp --permanent
firewall-cmd --zone=public --add-port=9978/tcp --permanent
firewall-cmd --zone=public --add-port=9980/tcp --permanent
firewall-cmd --zone=public --add-port=9981/tcp --permanent
firewall-cmd --zone=public --add-port=9981/tcp --permanent
firewall-cmd --zone=public --add-port=5223/tcp --permanent
firewall-cmd --zone=public --add-port=2195/tcp --permanent
firewall-cmd --zone=public --add-port=2196/tcp --permanent
# Tes Mobile Device Connector: https://IP_ADDRESS_ATAU_HOSTNAME:9980/
#Info lebih lengkap
http://kb.eset.co.id
https://help.eset.com/esmc_install/70/en-US/
https://support.eset.com/