MAN page from RedHat 7.X nessus-server-1.0.7a-1.i386.rpm

NESSUSD

Section: User Manuals (8)
Updated: Dec 1999

NAME

nessusd - The server part of the Nessus Security Scanner
 

SYNOPSIS

nessusd [-D] [-c CFG-FILE] [-a BIND] [-p PORT]

nessusd [-v] [-h] [-d]

nessusd [-C] [-L] [-K KEY] [-U USER] [-P USER[,[PWD]]]

nessusd [-X <key-file>]

or, using long options

nessusd [--background] [--config-file=CFG-FILE] [--listen=BIND] [--port=PORT]

nessusd [--version] [--help] [--dump-cfg]

nessusd [--change-pass-phrase] [--list-keys] [--delete-key=KEY] [--list-user-pwd=USER] [--make-user=USER[,[PWD]]]

nessusd [--export-pubkey=<key-file>]

DESCRIPTION

The Nessus Security Scanner is a security auditing tool made up of two parts: a server and a client. The server, nessusd, is in charge of the attacks, while the client, nessus(1), interfaces with the user.

Basically, the nessus suite is made of two parts, a client and a server. While the server is described here, see the man page nessus(1) for a description of the client. Optionally, the dialogue between server and client will be encrypted by a cipher layer if you configured your nessus-libraries package (which is part of the nessus suite) as

./configure --enable-cipher ...

You are strongly encouraged to use the nessus suite with the cipher layer version only.

The attacks performed by nessusd are coded as external modules (or plugins if you want) written in different languages.

Because nessusd is a security scanner, it is dangerous to let everyone use it. This man page describes how to configure nessusd properly, so that it cannot freely be used for evil purposes.

 

QUICK TAKE OFF

When the superuser root starts the nessusd server for the first time, nessusd will do all setup automatically assuming some defaults. If compiled with the cipher layer, you need to assign a one time password for the first user as

nessusd --make-user=username,passwd

or, equivalently using short options

nessusd -P username,passwd

where there must be no space on either side of the comma separating username and passwd. You can dispatch the above command while another nessusd is already running (but wait until the private key is initially generated). To verify that the entry has been stored, you may do a key data base lookup as

nessusd --list-keys

or, equivalently using short options

nessusd -L

Now, let some nessus application log in (see nessus(1)) as user username and with password passwd. Doing another key data base lookup, you will see that the user password has been replaced by a public (El Gamal) user key.

 

OPTIONS

-D, --background
Make the server run in background (daemon mode.)
-c <config-file>, --config-file=<config-file>
Use the alternate configuration file instead of /etc/nessusd.conf
-a <address>, --listen=<address>
Tell the server to only listen to the IP address <address> for possible connections. This address is not a machine name. For instance, nessusd -a 192.168.1.1 will make nessusd only listen to requests going to 192.168.1.1. This option is useful if you are running nessusd on a gateway and if you don't want people on the outside to connect to your nessusd.
-p <port>, --port=<port>
Tell the server to listen to the TCP port number <port> rather than listening to TCP port 1241 (default)
-v, --version
Writes the version number and exits
-h, --help
Show a summary of the commands
-d, --dump-cfg
Make the server dump its compilation options

 

KEY MANAGEMENT OPTIONS

The key management options can be used while another instance of nessusd is already running. Modifications on the user key data base will be honoured by the running instance. If nessusd was invoked with a key management option, it will not start up as a daemon. These options are available only if nessusd is invoked as superuser root.
-C, --change-pass-phrase
Let nessusd secure the private key by a personal pass phrase. Using this feature, a pass phrase is read from the command line (see getpass(1) for details upon the input device) which is consequently used to encrypt that key. Upon restart, nessusd will not come up until you have entered the correct pass phrase. Once the pass phrase is lost, you can only delete the private key (usually in /etc/nessus/nessusd.private-keys).

In order to remove the pass phrase from a key, you need to give an empty pass phrase.

The user and host key data base entries can be addressed by host or network specifications, or by user names. A host or network specification can be

a simple host name, or an IP address

a network written as network-address/netmask, where the network-address can be a network name or an IP address and the netmask may look like an IP address or a number indicating the leading bits set (e.g. 127.0.0.0/8 is the same as 127.0.0.0/255.0.0.0)

a list of host or network names concatenated by plus signs '+', like 127.0.0.0/8+cvs.nessus.org.

A user key looks similar to an email address. It can be

a simple name

a name followed by a commercial at '@' and a host, or a network specification like jordan@127.0.0.0/8+cvs.nessus.org.

Using the general form of a network specification, which is a list of networks, a user key or password can be made valid for a particular collection of client networks, all at once.

-L, --list-keys
List the entries in the user key data base.
-K <key>, --delete-key=<key>
Delete the user key from the user data base. The <key> argument can be a host or user entry that matches the network specs associated with this key, or the whole key literally as listed with the -L or --list-keys option.

For instance jordan@127.0.0.0/8+cvs.nessus.org does not match a data base entry jordan@127.0.0.0/8+212.198.14.17 even if cvs.nessus.org were resolved as 212.198.14.17. On the other hand, jordan@localhost matches the data base entry jordan@127.0.0.0/8+cvs.nessus.org.

-X <key-file>, --export-pubkey=<key-file>
Export the public server key into the argument file <key-file>. If the key tag already exists in the file and the key is the same as the current one, nothing is done. If the key tag is found with a different key, an error is printed. Otherwise the key is appended to the file.

If the argument <key-file> is a dash -, the current key is printed to stdout.

-U <user-name>, --list-user-pwd=<user-name>
Print the plain text information of the user specification as stored in the data base. This is the number of login failures, the username and password, and the network access specification (if available).

The matching rules for the <user-name> argument are similar to the ones described with the -K or --delete-key option, above.

-P <user-pwd-mod>, --make-user=<user-pwd-mod>
Add, delete or modify a user name with an assigned password as described below. User passwords are used only for the initial communication between server and client. Instead of manually putting the client key in a data base, a temporary password is used to initiate the connection. Server and client must have agreed upon using the same initial password.

Once a client has logged in successfully, it will send a public key to the server. At subsequent connection set up, client and server will use a challenge/response scheme for authentication. There will be no login password anymore.

By default, there can be at most 5 login failures before a user password is destroyed automatically.

A username is always part of the <user-pwd-mod> argument. Note that in the case that the user already exists in the data base, the matching rules for the username against the data base are similar to the ones described with the -K or --delete-key option, above.

-P username,passwd, --make-user=username,passwd
Add or replace the password passwd for the user username.

It may happen that a general network spec is replaced by a more restricted one when setting a new password, due to the matching rules for the username.

-P username,, --make-user=username,
Delete the password entry for the user username. Note that the option argument ends with a comma.

-P username, --make-user=username
This option is somewhat similar to the -U or --list-user-pwd option described above. It lets nessusd print some plain text information of the password data base separated by spaces as

<login-failures> <username> <password>

The option argument does not end with a comma, here.

 

THE CONFIGURATION FILE

The default nessusd configuration file is /etc/nessusd.conf. It is made of lines looking like

<keyword> = <value>

or of comment lines that start with a hash # character. There follows a description of the keywords:

plugins_folder
Contains the location of the plugins folder. This is usually /usr/lib/nessus/plugins, but you may change this.
logfile
Path to the logfile. You can enter syslog if you want the nessusd messages to be logged via syslogd(8). You may also enter stderr if you want the nessusd logs to be written on stdout. Because nessusd is a sensitive program, you should keep your logs. So entering syslog is usually not a good idea and should be done only for debugging purposes.
max_threads
is the maximum number of hosts to test at the same time which should be given to the client (which can override it). This value must be computed given your bandwidth, the number of hosts you want to test, and so on. The more threads you activate, the more likely you will lose packets during the test, and the more likely you will miss vulnerabilities. On the other hand, the more threads you put, the faster your test will go. I personally tested 50 threads on a PII 450, with 128Mb of RAM, and the test was smooth and quick against a /24 network.
users
path to the user database
rules
path to the rules database
language
Is the language you want nessusd to use when it sends its reports to the client. The currently available languages are "english" and "francais" (french).

checks_read_timeout
Number of seconds that the security checks will wait for when doing a recv(). You should increase this value if you are running nessusd across a slow network link (testing a host via a dialup connection for instance)

peks_username
This is the name of the nessusd server, used to identify itself in the private key data base.
peks_keylen
The minimum key length for public keys.
peks_keyfile
The path of the private key data base.
peks_usrkeys
The path of the public user key and password data base.
peks_pwdfail
The maximal number of login failures before a temporary password is destroyed.

The other options in this file can usually be redefined by the client.

 

THE USERS DATABASE

The user database contains the list of the users that are allowed to use nessusd. Why make a list of users, instead of allowing only one? Well, with the rules file which will be defined later in this document, you can set up a central nessusd server in your company, and add users who will have the right to test only a part of your network. For instance, you may want the R&D folks to test their part of the network, while you will test the rest. You can even configure nessusd so that everyone can use it to test only their own computer.

The user database has a very simple format which is :

user:password[rules]

Where :

user
is the login name you want to add. This can be whatever you want. There must be a special entry: the user whose name is '*'. It is used for your public-key authenticated users.

password
is the password associated with this user. The password is in plain text, so check that the users database is in mode 0600. If you want the user to log in via their public key, set this to nothing.
rules
The rules that apply to this specific user.

A typical nessusd.users file would be:


# User foo, with password bar
foo:bar
deny 192.168.1.1/32
accept 192.168.0.0/16
default deny

#
# User oof authenticates using his public key :
#
oof:
deny 192.168.1.1/24
accept 192.168.0.0/16
default deny

 

THE RULE SET FORMAT

A rule always has the same format, which is:
       keyword IP/mask

Keyword is one of deny, accept or default.

In addition to this, the IP address may be preceded by an exclamation mark (!), which means 'not'.

There are three sources of rules:

* the rules database, which applies to every user
* the users database rules, which apply to one user
* the user's rules, defined by the user in the client

You must know that there is a priority in the rules: the user cannot extend their privileges, but can only lower them (that is, they can only restrict the set of hosts they are allowed to test).

 

THE RULES DATABASE

The rules database contains the system-wide rules, which apply to every user. Its syntax has been defined in the previous section. Example:

       accept 127.0.0.0/8

       deny 192.168.1.1/32

       deny !192.168.0.0/16

       default deny

This allows the user to test localhost, and all the hosts on 192.168.0.0/16, except 192.168.1.1/32.
The rules accept the special keyword client_ip, which is replaced, at connection time, by the IP of the user who logs in. If you want everyone to test his own box only, then you can do:
       accept client_ip/32

       default deny
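
An added example, not part of the original man page or of the Nessus code: a small Python lint for a nessusd.users file that checks the points made above (mode 0600, plain-text passwords, the '*' entry, and the keyword [!]IP/mask rule syntax). The function names are hypothetical, and the 'default accept|deny' form is an assumption inferred from the samples.

```python
import ipaddress
import stat

KEYWORDS = ("accept", "deny", "default")

def lint_rule(line):
    """Return a problem string for one rule line, or None if it looks sane."""
    parts = line.split()
    if len(parts) != 2 or parts[0] not in KEYWORDS:
        return f"malformed rule: {line!r}"
    keyword, target = parts
    if keyword == "default":  # assumption from the samples: 'default accept|deny'
        return None if target in KEYWORDS[:2] else f"bad default: {line!r}"
    target = target.lstrip("!")  # '!' means 'not'
    if target.startswith("client_ip/"):  # replaced by the client's IP at login
        return None
    try:
        iface = ipaddress.ip_interface(target)  # accepts /8 and /255.0.0.0 forms
    except ValueError:
        return f"bad address: {line!r}"
    if iface.ip != iface.network.network_address:
        return f"host bits set in {target}; mask describes {iface.network}"
    return None

def lint_users_db(text, mode):
    """Lint users-database text plus the file's st_mode; return findings."""
    findings, users = [], []
    if stat.S_IMODE(mode) & 0o077:
        findings.append(f"mode {stat.S_IMODE(mode):04o} grants group/other access; use 0600")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] not in KEYWORDS and ":" in line:
            user, password = line.split(":", 1)  # 'user:password' header line
            users.append(user)
            if password:
                findings.append(f"user {user!r}: plain-text password stored")
            continue
        if (problem := lint_rule(line)):
            owner = users[-1] if users else "(no user)"
            findings.append(f"user {owner!r}: {problem}")
    if "*" not in users:
        findings.append("no '*' entry for public-key authenticated users")
    return findings

# Entries from the page's sample file; the 0644 mode is a constructed value.
SAMPLE = ("foo:bar\ndeny 192.168.1.1/32\naccept 192.168.0.0/16\ndefault deny\n"
          "oof:\ndeny 192.168.1.1/24\naccept 192.168.0.0/16\ndefault deny\n")
print("\n".join(lint_users_db(SAMPLE, 0o100644)))
```

For a file on disk, pass its contents and os.stat(path).st_mode to lint_users_db.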

        

 

SEE ALSO

nessus(1), nessus-adduser(8), getpass(1), nmap(1)

MORE INFORMATION ABOUT THE NESSUS PROJECT

The canonical places where you will find more information about the Nessus project are :

http://www.nessus.org (Official site)
http://cvs.nessus.org (Developers site) 

AUTHORS

The Nessus Project was started and is being maintained by Renaud Deraison <deraison@cvs.nessus.org>. The nessus server is mainly Copyright (C) 1998-1999 Renaud Deraison, as well as most of the attack modules.

Jordan Hrycaj <jordan@mjh.teddy-net.com> is the author of the cipher layer between the server and the client. The cipher library (libpeks) is (C) 1998-1999 Jordan Hrycaj.

Several other people have been kind enough to send patches and bug reports. Thanks to them.


 


This document was created by man2html, using the manual pages.