Sunday, 20 April 2014

Ubuntu, Nessus authenticated scans.

With Heartbleed being reported literately everywhere now is a good time to start checking your home network for vulnerabilities beyond just heartbleed.

You can use the same tools as the pro's at home thanks to Tenable Home edition of Nessus with a generous 16 IP licence that should cover most home networks!

I have been using Nessus for over 10 years, I use it a lot in my job and now I can bring that good practice to my home network too.

The install process is quick and simple so much so I am not going to write down how to do it but assume you can mange it on your own :-).

Go here, signup get an activation code, download and install the relevant version for your OS.

If you managed to follow the on screen instructions then you will be able to login to the rich html5 Nessus server started on your PC.
Once up and running clearly you are going to scan your network looking for vulnerabilities. BUT I cannot stress this enough, the best way to get the most value out of Nessus is to use authenticated scans.

This means Nessus is able to login to the hosts its scanning to test and audit thoroughly. Below is how to set this up when the Nessus server and the target of the scan are both running linux.

We will use ssh authentication with certificates so there is no password and this is how I did it.

On the Nessus server.
sudo ssh-keygen -t dsa

This will create a public and private key pair, the public key will be copied to each remote linux machine you want to scan. The private key remains on the server and should be kept secure.

Next we need to create a user for nessus on the remote linux machine
sudo useradd -d /home/nessus -m nessus

Now because we are authenticating using certificates this account should not be given a password and the account should be locked.

As a password has not been set, it should be locked by default, but check the status of the account.
As root (sudo su)

passwd –S nessus

So the account can run as root add the nessus user to sudoers

sudo adduser nessus sudo

Now make a location for the public key

cd /home/nessus
mkdir .ssh

From the Nessus server copy the public key to the remote machine, this is a little annoying, as the location you need to place the public key in you don't have permission to write too. A work around is to copy it to a location to can write to then move it.

sudo scp /root/.ssh/ bob@
Now on the remote linux server we need to move, rename and change the permission on the public key.

sudo cp /home/bob/ /home/nessus/.ssh/authorized_keys

chown -R nessus:nessus /home/nessus/.ssh/
chmod 0600 /home/nessus/.ssh/authorized_keys
chmod 0700 /home/nessus/.ssh/

Now check your work. From the Nessus server we are going to run the id command over an ssh session. The first part of the command is referencing the private key you created earlier.

ssh -i /root/.ssh/id_dsa nessus@ id

All being well you should get back something like
uid=1001(nessus) gid=1001(nessus) groups=1001(nessus)

The first time I did this it failed as I was not referencing the correct private key.

Assuming this worked you can now create an Authenticated scan within Nessus.

More information on how to setup authenticated scans for other OS's can of course be found on the Tenable site.