
Nessus Installation and Setup

last modified 2007-07-27 11:28

This is the Installation and Setup guide for the Nessus Vulnerability Scanner.


What is Nessus?

How to Install

Creating an SSL Certificate

Adding Users

Setting Rules

Removing Users


What is Nessus?

Nessus is a vulnerability scanner: a tool that probes the hosts on your network for known security problems.

Many Unix-based operating systems (e.g. Linux distributions and Solaris) ship Nessus as an installable package. If your OS provides such a package we recommend using it, together with the vendor's documentation, rather than the methods below.

Live Linux Distros (bootable Linux CDs) like the Network Security Toolkit also have Nessus preinstalled.

However, if your OS does not include Nessus, you may install it using one of the methods detailed below. (Nessus itself is installed on a Unix host; a Windows PC can be used only to download the installer and transfer it to that host, as described in Option 2.)


How to Install

Option 1: Automatic install (via Nessus website)

You must be logged into your Unix operating system. Type the following command at any prompt:

lynx --source http://install.nessus.org | sh

This is the simplest method of installation; however, note exactly what it does: it fetches a script over cleartext, unauthenticated HTTP and pipes it straight into a shell, and that script then obtains root (superuser) privileges on your host. Anyone able to tamper with the download in transit, or with the install.nessus.org server itself, can run arbitrary commands as root on your machine. If you want to read the script before it runs, use Option 2 instead.

This method works both for a first-time installation and for updating an existing one.

The command launches an automatic installation script that guides you through the process. It prompts for your root password and sets up a temporary uid (account), which is removed once installation completes. You'll see the following:


--------------------------------------------------------------------------------

NESSUS INSTALLATION SCRIPT

--------------------------------------------------------------------------------

This script will retrieve the latest version of Nessus via CVS, and

will compile and install it on your system.

To run this script, you must know the root password of this host

and you need to be able to establish outgoing connections to port

2401/tcp or 80/tcp (through a proxy or directly)

Press a key to continue


You will be prompted to answer a few questions during installation. Hit enter at the prompts to choose the default settings.

Upon completion you will receive a confirmation message stating that Nessus has been successfully installed.


Option 2: Install via downloaded script

Visit www.nessus.org/download and select Nessus x.x.x installer (where x.x.x is the current version number).

Download the file (about 6 MB). If you download it to a Windows PC you will need to transfer it (by FTP, or preferably scp) to the Unix server where Nessus will be installed.

Once in Unix, run the following command:

sh nessus-installer.sh

This executes the installation script. From this point it is similar to the web install: prompts guide you through configuring the settings.

This method is somewhat less “automated” than the web install but is still simple and straightforward. It is also the cleaner, more secure method: you run a file that is already on your disk and that you can read before executing it, instead of piping an unverified download straight into a root shell. Finally, an internet connection is not required during installation because the script includes all the source code to be compiled.


Option 3: For advanced users

If you’d like to download and compile the source code manually, visit the following link for installation instructions : http://www.nessus.org/documentation/index.php?doc=install


How to create an SSL Certificate

A certificate must be generated so that traffic between the Nessus client and the nessusd server is encrypted (and so that the client can verify which server it is talking to). This step must be completed before a connection can be established and scans can be run.

Type in

nessus-mkcert 

at the Unix command prompt. This launches a script that creates the certificate.


You will be prompted with several questions, including:


Duration of CA certificate [default 1460 days]

Duration of server certificate [default 365 days]

Country (2-letter code) [default is FR]

State/province name [default is blank]

Location [default is Paris]

Organization [default is Nessus Users Organization]


After filling out all the fields, hit enter and the following confirmation screen is displayed.

Congratulations. Your server certificate was properly created.

/usr/local/etc/nessus/nessusd.conf updated

The following files were created :

. Certification authority :

Certificate = /usr/local/com/CA/cacert.pem

Private key = /usr/local/var/CA/cakey.pem


. Nessus Server :

Certificate = /usr/local/com/CA/servercert.pem

Private key = /usr/local/var/CA/serverkey.pem


Press [ENTER] to exit

This confirms that the certificates were created and tells you where they are. The two private keys under /usr/local/var/CA/ (cakey.pem and serverkey.pem) are the secrets that protect client-server traffic: keep them readable by root only and never copy them to clients or into shared storage. Only the certificates (cacert.pem and servercert.pem) are meant to be distributed; the CA certificate is what a client uses to verify that it is talking to your nessusd and not an impostor.


Adding and removing users on Nessus

You need at least one user in the nessusd user database in order to log in to the server (and thus run scans). You can add multiple users if you want different users to have different scanning privileges (e.g. the ability to scan only certain hosts).


To add users: Type the following command at the Unix command line (you must be logged in as root):


nessus-adduser


This executes a straightforward program which asks for the following items:

o Login

the login name of the nessusd user to add


o Authentification type

Authentication method (password or certificate). Password is the simplest and is recommended; certificate authentication requires issuing each user a client certificate signed by the CA created with nessus-mkcert.


o Rules

the set of rules to apply to the user. Each user has his own set of rules.


After you have finished entering rules (or if you do not wish to add any), press Ctrl-D. The program asks for confirmation; answer “y” and the user is created.


What are these “rules” and why do I need them?

Rules restrict the rights of the users. For instance, you can add user "joe" so that he can only test the host "192.168.1.1", whereas you can add user "bob" so that he can test whatever IP address he wishes.

Each rule fits on one line. A user can have any number of rules, or none at all.


The syntax for each rule is:

accept ip/mask (or deny ip/mask)

and

default accept (or default deny)

Where mask is the CIDR prefix length of the rule (e.g. /24 for a 256-address network, /32 for a single host).

The “default” statement must be the last rule; it defines the verdict for every address that none of the preceding accept/deny rules matched.


Example #1: The following rule set will allow the user to test 192.168.1.0/24, 192.168.3.0/24 and 172.22.0.0/16, but nothing else:

accept 192.168.1.0/24

accept 192.168.3.0/24

accept 172.22.0.0/16

default deny


Example #2: The following rule set will allow the user to test whatever he or she wants, except the network 192.168.1.0/24:

deny 192.168.1.0/24

default accept


Example #3: The keyword client_ip is replaced at run time by the IP address the nessusd user connects from. If you want your users to be able to scan only the system they connect from, give them the following ruleset:

accept client_ip

default deny
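The rule language above is easy to get subtly wrong: a deny placed after a broader accept never takes effect, and a ruleset with no default line has no stated verdict. The following evaluator is an example added to this page, not code from Nessus, and it answers “may this user scan this target?” for a ruleset written exactly as above. It assumes, as the requirement that default come last suggests, that rules are evaluated top to bottom and the first matching rule wins; it substitutes client_ip with the connecting client's address as a /32; it rejects any rule placed after default; and it fails closed (deny) when no default line is present, which is this example's own choice rather than documented nessusd behaviour. The rulesets are the three examples above plus two constructed ones that show why order matters.

```python
"""Evaluate a nessusd-style per-user ruleset (accept/deny ip/mask, client_ip, default).

Added example, not part of Nessus. Assumptions: rules are evaluated top to
bottom and the first matching rule wins; a ruleset without a "default" line
is treated as "default deny" (fail closed) by this example.
"""
import ipaddress

# The three rulesets from the text.
EXAMPLE_1 = """accept 192.168.1.0/24
accept 192.168.3.0/24
accept 172.22.0.0/16
default deny
"""
EXAMPLE_2 = """deny 192.168.1.0/24
default accept
"""
EXAMPLE_3 = """accept client_ip
default deny
"""
# Constructed: a single-host deny only works if it precedes the broader accept.
ORDERED = """deny 192.168.1.1/32
accept 192.168.1.0/24
default deny
"""
# Constructed: the same deny is shadowed here and never fires.
SHADOWED = """accept 192.168.1.0/24
deny 192.168.1.1/32
default deny
"""


def parse_rules(text, client_ip):
    """Return (rules, default). rules is a list of (network, accept_bool) in
    file order; default is True (accept), False (deny) or None (absent).
    client_ip is the address the user connects from; it replaces the
    client_ip keyword as a /32, as the text says nessusd does at run time."""
    rules = []
    default = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if default is not None:
            raise ValueError(f"line {lineno}: 'default' must be the last rule")
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'accept|deny ip/mask' or 'default accept|deny'")
        keyword, target = parts
        if keyword == "default":
            if target not in ("accept", "deny"):
                raise ValueError(f"line {lineno}: default must be accept or deny")
            default = (target == "accept")
        elif keyword in ("accept", "deny"):
            if target == "client_ip":
                target = f"{client_ip}/32"
            # strict=False: host bits beyond the mask are ignored (assumption: ip & mask semantics)
            net = ipaddress.ip_network(target, strict=False)
            rules.append((net, keyword == "accept"))
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    return rules, default


def can_test(rules, default, target):
    """True if the user may scan target: first matching rule wins, the default
    applies when nothing matched, and no default means deny (example's choice)."""
    addr = ipaddress.ip_address(target)
    for net, accept in rules:
        if addr in net:
            return accept
    return bool(default)  # None -> False


def user_may_scan(ruleset_text, client_ip, target):
    """Parse and evaluate in one call."""
    rules, default = parse_rules(ruleset_text, client_ip)
    return can_test(rules, default, target)


def ruleset_error(ruleset_text, client_ip="0.0.0.0"):
    """Return the parse error for a ruleset, or None if it is well formed.
    Useful as a lint step before pasting rules into nessus-adduser."""
    try:
        parse_rules(ruleset_text, client_ip)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name, rules in (("example 1", EXAMPLE_1), ("ordered", ORDERED), ("shadowed", SHADOWED)):
        for target in ("192.168.1.1", "192.168.1.2", "10.0.0.5"):
            verdict = user_may_scan(rules, "10.0.0.5", target)
            print(f"{name:9s} client=10.0.0.5 target={target:12s} -> {'accept' if verdict else 'deny'}")
```

Running it shows that ORDERED denies 192.168.1.1 while SHADOWED accepts it, even though both contain the same two lines; when you write a ruleset for nessus-adduser, put the narrow exceptions first and the broad rules after them, with default as the last line.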


How to remove users from Nessus

Type the following command at the Unix command line:

 nessus-rmuser

This prompts with “Login to remove:”. Type the login ID of the account you wish to remove.

There is no confirmation prompt, so take care when running this command. Also note that even if the specified login does not exist (or you hit enter without typing anything), the message “user removed” is still displayed, so do not treat that message as proof that an account was actually deleted.

Alternatively, pass the login on the command line as nessus-rmuser [<login>], which removes the user without the prompt.

