Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: How to customize the web UI port

EDR: How to customize the web UI port

Environment

  • EDR Console: All Versions
  • EDR Server: All Versions

Objective

To customize the port that the EDR web UI uses. 

Resolution

For customers who desire to use a custom WebUI cert, follow the directions here:  EDR: How to Implement Custom Web UI Certificates

Important: These steps should be performed on Primary and Minion nodes. Without this, users will be able to access the UI via port 443 if the Minion IP is entered
  1. Rename the nginx cb.conf file with mv to back it up:
    mv /etc/cb/nginx/conf.d/cb.conf /etc/cb/nginx/conf.d/cb.conf.default
  2. Copy and rename multi-home template configuration file:
    cp /etc/cb/nginx/conf.d/cb.multihome.conf.example /etc/cb/nginx/conf.d/cb.multihome.conf
  3. Backup the nginx http.conf file:
    cp /etc/cb/nginx/conf.d/http.conf /etc/cb/nginx/conf.d/http.conf.default
  4. Edit /etc/cb/nginx/conf.d/cb.multihome.conf.
    • Modify the line in blue under the WebUI section to the desired port (8443 is the common choice). Note: There are two port areas, the first one is for Sensors. Make sure to edit the end one per the example here.
    • On 7.5.0+ Only, comment out the cb.server.error line in red 
      server
      {
      # This server configuration is used for communications between the sensors
      # and the server.
      
      # IMPORTANT: If this configuration file is used, NginxSensor#### parameters in
      # /etc/cb/cb.conf MUST be updated to match this file.
      # Port 80 is defined in the http.conf. By default it redirects all trafic
      # to the https://$host$request_uri; If this behaviour needs to change update http.conf
      listen [::]:443 ssl ipv6only=off;
      
      include /etc/cb/nginx/conf.d/includes/cb.server.body;
      include /etc/cb/nginx/conf.d/includes/cb.server.sensor;
      
      # Include content of custom server configuration file
      include /etc/cb/nginx/conf.d/includes/cb.server.custom;
      }
      
      server
      {
      # This server configuration is used for VMware Carbon Black EDR Server's Web UI
      
      # IMPORTANT: If this configuration file is used, NginxWebApi#### parameters in
      # /etc/cb/cb.conf MUST be updated to match this file.
      # Port 80 is defined in the http.conf. By default it redirects all trafic
      # to the https://$host$request_uri; If this behaviour needs to change update http.conf
      listen [::]:8443 ssl ipv6only=off;
      
      include /var/cb/nginx/props/nginx.runtime.ssl_certificate.prop;
      include /var/cb/nginx/props/nginx.runtime.ssl_certificate_key.prop;
      
      include /etc/cb/nginx/conf.d/includes/cb.server.body;
      include /etc/cb/nginx/conf.d/includes/cb.server.api;
      #include /etc/cb/nginx/conf.d/includes/cb.server.error;
      
      # Include content of custom server configuration file
      include /etc/cb/nginx/conf.d/includes/cb.server.custom;
      }
  5. Edit /etc/cb/cb.conf:
       NginxWebApiHttpPort=443
    Change to...
       NginxWebApiHttpPort=8443
    
    And if minion port was also changed (recommended, see additional notes) 
       MinionApiPort=443 
    change to...
       MinionApiPort=8443
    
    
  6. Port 80 redirection is optional
    • To keep port 80 redirection when typing http://<servername>, open /etc/cb/nginx/conf.d/http.conf and edit this line
         return         301 https://$host$request_uri;
      Change to...
         return         301 https://$host:8443$request_uri;
    • To remove port 80 redirection, open /etc/cb/nginx/conf.d/http.conf and comment out this line
      #listen [::]80 ipv6only=off;
    • Note: You cannot forward from port 443 to 8443 due to sensors communicating over port 443
  7. Update Nginx to forward the custom port in the header for CSRF:
    • Open /etc/cb/nginx/conf.d/includes/headers.includes
    • Find the following line:
proxy_set_header       Host               $host;
  • Edit to:
proxy_set_header       Host               $host:$server_port;
  1. Update the firewall to include 8443
    • If using Iptables on CentOS 6
iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
service iptables save
service iptables reload
  • If using firewalld on CentOS 7
firewall-cmd --permanent --add-port=8443/tcp
firewall-cmd --reload
  1. Note: There should only be one cb*.conf file. Nginx will fail to start if there are two. Confirm there is only one ending in .conf by running: ls -lh /etc/cb/nginx/conf.d | grep 'cb\.'
    cb.conf.default
    cb.multihome.conf
  2. Restart the server services: EDR: How to restart server services
  3. Verify that the UI is accessible: https://<server>:8443

Additional Notes

  • Any available port can be used if the firewall and network allow it. Port 8443 is used here as an example.
  • It's recommended to follow the same instructions on the minions for clustered environments. Without this, the console will be accessible over 443 by minion IP and will not use the custom certificates. 
  • If using the cb event forwarder the cb_server_url value may need to be modified to add the port number in the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file
  • For RHEL/CentOS 7, you can use the following cmds to check the firewall settings to see if anything is missing, like the 8443 config:
    • /usr/share/cb/cbcheck firewall -l  (Lists missing rules)
      /usr/share/cb/cbcheck firewall -a (Applies missing rules)

       

Related Content


Labels (1)
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎12-12-2018
Views:
5480
Contributors