Let's face it: Networks are dynamic environments, and it can be a daunting task to keep up with system, application, hardware, and OS changes. As a result, securing this environment is not a one-time deal but an ongoing task.
Although there's no single panacea for dealing with this dynamic security challenge, a variety of tools can help ensure that we know what systems are on our networks and can verify that those systems are secure. One must-have tool is a good network scanner, such as Nessus. Using a scanner can help you identify security problems before hackers do. In addition, data gathered from scanning can be used to justify business cases for security changes, additional security equipment such as firewalls, or additional resources such as personnel or training. You can also use Nessus to establish a baseline to tangibly show security improvements over time.
The word on Nessus
Nessus is a scanner that will not only tell you what systems are on your network and which ports are open, but will also tell you about those systems' security vulnerabilities. And although commercial scanners and outsourced scanning services can run to thousands of dollars per IP address, Nessus is free. But don't let the price fool you. Nessus is a powerful resource, backed by a dedicated team, and it's constantly updated with new vulnerability signatures. In fact, the security checks database is updated on a daily basis. Nessus is also easy to install and use.
Nessus is modular, having two parts: a server and a client. The server, nessusd, runs on a UNIX-like system, such as Linux, and performs the actual scans. The client, nessus, can run on UNIX or Windows systems. This modular approach allows the server to support multiple clients running multiple scans at the same time. Clients securely log in to the server with usernames and passwords and can be limited to scan only certain hosts or network ranges.
The security tests are written as external plug-ins in a C-like scripting language called NASL (Nessus Attack Scripting Language), which is designed to make writing additional custom checks easy. You can also write your own plug-ins in C. As of this writing, the database includes 1,515 plug-ins that cover 1,020 Common Vulnerabilities and Exposures (CVEs) and 963 Bugtraq IDs.
What makes Nessus different from a common port scanner such as NMAP is that, in addition to finding open ports, Nessus does not make assumptions about what is listening on those ports. For each open port, Nessus runs a variety of checks to identify the service actually running there (HTTP, SMTP, FTP, SubSeven, etc.). This means that a Web server answering on something other than the normal port 80 will still be found. Once a service has been identified, Nessus checks it for the relevant vulnerabilities.
Nessus will run on any POSIX system, such as Linux, FreeBSD, NetBSD, and Solaris. I'm running my Nessus server on Red Hat Linux 8.0 using an old PIII with only 256 MB of RAM, and it still does an awesome job. It's quite fast, but scan time also depends on the size of the network segment you're scanning.
The latest version of Nessus is 2.0.4 and is best installed as a stand-alone package that installs itself automatically. You can find it here. You'll also need to install GTK (the GIMP Toolkit), which is linked from the same page. Simply type sh nessus-installer.sh to use the auto-install feature.
If you prefer to work directly with the tarballs, you can download and compile these four packages instead: nessus-libraries, libnasl, nessus-core, and nessus-plugins. Each one depends on the previous one, so compile and install them in that order:
To compile nessus-libraries, type:
After this, execute as root:
To compile libnasl, type:
Then, execute as root:
To compile nessus-core, type:
Next, execute as root:
To compile nessus-plugins, type:
After this, execute as root:
If you're using Linux, make sure that /usr/local/lib is listed in the /etc/ld.so.conf file and then execute the ldconfig command.
Setting up usernames and privileges
Once you have the server installed, you need to create the user database. Here, I'm creating the new user named eyeopenner, with the password findtheholes. Start by running the following command:
This will result in the prompts for information shown in Listing A.
After you've created your user accounts, you can tweak the configuration file parameters, if you want. The changelogs and readme files are a great place to find optimization tips.
To start the Nessus server, simply run the following command:
Getting the latest scan plug-ins
Once you've installed the server, you'll need to get the latest plug-ins from the Nessus site. On the Linux/UNIX server, you can do this directly (as the root user). Just type nessus-update-plugins, and your server will download them for you. I recommend doing this at least once a week if you're scanning frequently. If you scan only now and then, just remember to update your plug-ins before each use.
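The two housekeeping steps above (making sure /usr/local/lib is in /etc/ld.so.conf before running ldconfig, and refreshing plug-ins before a scan) are easy to forget on a server that is only scanned now and then. The following POSIX shell script is an added example, not part of the original article or the Nessus distribution, that wraps both checks in functions so they can be run from cron or just before a scan. The plug-in directory /usr/local/lib/nessus/plugins and the seven-day staleness threshold are assumptions; adjust them to your own installation.

```shell
#!/bin/sh
# Added example (not from the original article): pre-scan housekeeping for
# a Nessus 2.x server. Paths and the 7-day threshold are assumptions.

# ld_path_present CONF DIR: succeed if DIR appears as a whole line in CONF.
ld_path_present() {
    grep -qxF "$2" "$1" 2>/dev/null
}

# ensure_ld_path CONF DIR: append DIR to CONF if it is missing, then refresh
# the dynamic linker cache. Prints "added" or "present" for the log.
ensure_ld_path() {
    conf="$1"; dir="$2"
    if ld_path_present "$conf" "$dir"; then
        echo present
        return 0
    fi
    echo "$dir" >> "$conf" || return 1
    # ldconfig needs root; skip it quietly when not running as root.
    if [ "$(id -u)" = "0" ] && command -v ldconfig >/dev/null 2>&1; then
        ldconfig
    fi
    echo added
}

# plugins_stale DIR DAYS: succeed (stale) if no .nasl file in DIR was
# modified within the last DAYS days, or if DIR holds no plug-ins at all.
plugins_stale() {
    dir="$1"; days="$2"
    fresh=$(find "$dir" -name '*.nasl' -mtime "-$days" 2>/dev/null | head -n 1)
    [ -z "$fresh" ]
}

# update_if_stale DIR DAYS: run nessus-update-plugins (shipped with Nessus,
# must run as root) only when the local plug-in set is older than DAYS days.
update_if_stale() {
    if plugins_stale "$1" "$2"; then
        nessus-update-plugins
        echo updated
    else
        echo fresh
    fi
}

# Usage: sh prescan.sh run   (assumed script name; paths are assumptions)
if [ "${1:-}" = "run" ]; then
    ensure_ld_path /etc/ld.so.conf /usr/local/lib
    update_if_stale /usr/local/lib/nessus/plugins 7
fi
```

The staleness check keys off the modification time of the .nasl files themselves rather than a timestamp file, so a plug-in directory that was never populated also counts as stale and triggers an update.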
You'll find the Windows GUI client here, along with other Windows-related download information. It is self-extracting and extremely easy to install and use.
Coming up next
We've seen how easy it is to set up Nessus. In my next article, I'll explain how you can put Nessus to work.
Remember to always get permission before scanning any hosts or networks. Anyone running scans without prior notice and permission will be seen as a hacker, no matter how good the intentions are.