MAN page from RedHat 7.X nessus-server-1.0.7a-1.i386.rpm
Section: User Manuals (8)
Updated: Dec 1999
NAME
nessusd - The server part of the Nessus Security Scanner
SYNOPSIS
nessusd [-D] [-c CFG-FILE] [-a BIND] [-p PORT]
nessusd [-v] [-h] [-d]
nessusd [-C] [-L] [-K KEY] [-U USER] [-P USER[,[PWD]]]
nessusd [-X <key-file>]
or, using long options
nessusd [--background] [--config-file=CFG-FILE] [--listen=BIND] [--port=PORT]
nessusd [--version] [--help] [--dump-cfg]
nessusd [--change-pass-phrase] [--list-keys] [--delete-key=KEY] [--list-user-pwd=USER] [--make-user=USER[,[PWD]]]
nessusd [--export-pubkey=<key-file>]
DESCRIPTION
The Nessus Security Scanner is a security auditing tool made up of two parts: a server and a client. The server, nessusd, is in charge of the attacks, while the client, nessus(1), interfaces with the user.
Basically, the nessus suite is made of two parts, a client and a server. While the server is described here, see the man page nessus(1) for a description of the client. Optionally, the dialogue between server and client will be encrypted by a cipher layer if you configured your nessus-libraries package (which is part of the nessus suite) as
./configure --enable-cipher ...
You are strongly encouraged to use the nessus suite with the cipher layer version only.
The attacks performed by nessusd are coded as external modules (or plugins, if you want) written in different languages.
Because nessusd is a security scanner, it is dangerous to let everyone use it. This man page describes how to configure nessusd properly, so that it cannot freely be used for evil purposes.
QUICK TAKE OFF
When the superuser root starts the server for the first time, nessusd will do all setup automatically, assuming some defaults. If compiled with the cipher layer, you need to assign a one time password for the first user as
nessusd --make-user=username,passwd
or, equivalently using short options
nessusd -P username,passwd
where there must be no space on either side of the comma separating username and passwd. You can dispatch that command, above, while another nessusd is already running (but wait until the private key is initially generated.) To verify that the entry has been stored, you may do a key data base lookup as
nessusd --list-user-pwd=username
or, equivalently using short options
nessusd -U username
Now, let some nessus application login (see nessus(1)) as user username and with password passwd. Doing another key data base lookup you will see that the user password has been replaced by a public (El Gamal) user key.
OPTIONS
- -D, --background
- Make the server run in background (daemon mode.)
- -c <config-file>, --config-file=<config-file>
- Use the alternate configuration file instead of /etc/nessusd.conf
- -a <address>, --listen=<address>
- Tell the server to only listen to the IP address <address> for possible connections. This address is not a machine name. For instance, nessusd -a 192.168.1.1 will make nessusd only listen to requests going to 192.168.1.1. This option is useful if you are running nessusd on a gateway and if you don't want people on the outside to connect to your nessusd.
- -p <port>, --port=<port>
- Tell the server to listen to the TCP port number <port> rather than listening to TCP port 1241 (default)
- -v, --version
- Writes the version number and exits
- -h, --help
- Show a summary of the commands
- -d, --dump-cfg
- Make the server dump its compilation options
KEY MANAGEMENT OPTIONS
The key management options can be used while another instance of nessusd is already running. Modifications on the user key data base will be honoured by the running instance. If nessusd was invoked with a key management option, it will not start up as daemon. These options are available only if nessusd is invoked as superuser root.
- -C, --change-pass-phrase
- Let nessusd secure the private key by a personal pass phrase. Using this feature, a pass phrase is read from the command line (see getpass(1) for details upon the input device) which is consequently used to encrypt that key. Upon restart, nessusd will not come up until you have entered the correct pass phrase. Once the pass phrase is lost, you can only delete the private key (usually in /etc/nessus/nessusd.private-keys.)
In order to remove the pass phrase from a key, you need to give an empty pass phrase.
The user and host key data base entries can be addressed by host, or network specifications, or user names. A host, or network specification can be
a simple host name, or an IP address
a network written as network-address/netmask, where the network-address can be a network name or an IP address and the netmask may look like an IP address or a number indicating the leading bits set (eg. 127.0.0.0/8 is the same as 127.0.0.0/255.0.0.0)
a list of host or network names concatenated by plus letters '+' like 127.0.0.0/8+cvs.nessus.org.
A user key looks similar to an email address. It can be
a simple name
a name followed by a commercial at '@' and a host, or a network specification like jordan@127.0.0.0/8+cvs.nessus.org
Using the general form of a network specification, which is a list of networks, a user key or password can be made valid for a particular collection of client networks, all at once.
- -L, --list-keys
- List the entries in the user key data base.
- -K <key>, --delete-key=<key>
- Delete the user key from the user data base. The <key> argument can be a host, or user entry that matches the network specs associated with this key, or the whole key literally as listed with the -L, or --list-keys option.
For instance jordan@127.0.0.0/8+cvs.nessus.org does not match a data base entry jordan@127.0.0.0/8+184.108.40.206 even if cvs.nessus.org were resolved as 220.127.116.11. On the other hand, jordan@localhost matches the data base entry jordan@127.0.0.0/8+cvs.nessus.org.
- -X <key-file>, --export-pubkey=<key-file>
- Export the public server key into the argument file <key-file>. If the key tag exists already in the file and the key is the same as the current one, nothing is done. If the key tag is found with a different key, an error is printed. Otherwise the key is appended to the file.
If the argument <key-file> is a dash -, the current key is printed to stdout.
- -U <user-name>, --list-user-pwd=<user-name>
- Print the plain text information of the user specification as stored in the data base. This is the number of login failures, the username and password, and the network access specification (if available.)
The matching rules for the <user-name> argument are similar to the ones described with the -K, or --delete-key option, above.
- -P <user-pwd-mod>, --make-user=<user-pwd-mod>
- Add, delete or modify a user name with an assigned password as described below. User passwords are used only for the initial communication between server and client. Instead of manually putting the client key in a data base, a temporary password is used to initiate the connection. Server and client must have agreed upon using the same initial password.
Once a client has logged in successfully, it will send a public key to the server. At subsequent connection set up, client and server will use a challenge/response scheme for authentication. There will be no login password anymore.
By default, there can be at most 5 login failures before a user password is destroyed, automagically.
A username is always part of the <user-pwd-mod> argument. Note that in the case that the user exists already in the data base, the matching rules for the username against the data base are similar to the ones described with the -K, or --delete-key option, above.
-P username,passwd, --make-user=username,passwd
Add or replace the password passwd for the user username.
It may happen that a general network spec is replaced by a more restricted one when setting a new password, due to the matching rules for the username.
-P username,, --make-user=username,
Delete the password entry for the user username. Note that the option argument ends with a comma.
-P username, --make-user=username
This option is somewhat similar to the -U, or --list-user-pwd option described above. It lets nessusd print some plain text information of the password data base separated by spaces as
<login-failures> <username> <password>
The option argument does not end with a comma, here.
THE CONFIGURATION FILE
The default nessusd configuration file is /etc/nessusd.conf.
It is made of lines looking like
<keyword> = <value>
or of comment lines that start with a hash # character. There follows a description of the keywords:
- Contains the location of the plugins folder. This is usually /usr/lib/nessus/plugins, but you may change this.
- Path to the logfile. You can enter syslog if you want the nessusd messages to be logged via syslogd(8). You may also enter stderr if you want the nessusd logs to be written on stdout. Because nessusd is a sensitive program, you should keep your logs. So entering syslog is usually not a good idea and should be done only for debugging purposes.
- The maximum number of hosts to test at the same time, which should be given to the client (which can override it). This value must be computed given your bandwidth, the number of hosts you want to test, and so on. The more threads you activate, the more likely you will lose packets during the test, and the more likely you will miss vulnerabilities. On the other hand, the more threads you put, the faster your test will go. I personally tested 50 threads on a PII 450 with 128Mb of RAM, and the test was smooth and quick against a /24 network.
- path to the user database
- path to the rules database
- The language you want nessusd to use when it sends its reports to the client. The currently available languages are "english" and "francais" (french).
- Number of seconds that the security checks will wait for when doing a recv(). You should increase this value if you are running nessusd across a slow network link (testing a host via a dialup connection for instance)
- This is the name of the nessusd server used to identify itself in the private key data base.
- The minimum key length for public keys.
- The path of the private key data base.
- The path of the public user key and password data base.
- The maximal number of login failures before a temporary password is destroyed.
The other options in this file can usually be redefined by the client.
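The configuration file format above is a plain keyword/value list, and two of the keywords carry advice this page states outright: log to a file you keep rather than to syslog, and keep the plain-text users database at mode 0600. The following parser and audit, added here as an example and not part of the nessusd package, reads such a file and reports those two conditions. The keyword names plugins_folder, logfile, max_threads, users and rules are assumptions (this copy of the page describes the settings but omits the keywords), and the configuration text is constructed for the example.

```python
import os
import stat

# Constructed sample configuration for this example (not from the man page).
# The keyword names plugins_folder, logfile, max_threads, users and rules are
# assumptions: this copy of the page describes the settings but omits the
# keywords themselves, so adjust them to match your nessusd.conf.
SAMPLE_CONF = """\
# nessusd.conf, constructed for this example
plugins_folder = /usr/lib/nessus/plugins
# discouraged: the man page says to keep nessusd's own logs
logfile = syslog
max_threads = 50
users = /etc/nessus/nessusd.users
rules = /etc/nessus/nessusd.rules
"""


def parse_conf(text):
    """Turn '<keyword> = <value>' lines into a dict. Lines starting with '#'
    are comments, blank lines are skipped, anything else is an error."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected '<keyword> = <value>', got {raw!r}")
        keyword, value = (part.strip() for part in line.split("=", 1))
        if not keyword:
            raise ValueError(f"line {lineno}: missing keyword")
        conf[keyword] = value
    return conf


def file_mode(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_conf(conf, mode_of=file_mode):
    """Apply the two checks the man page spells out: logs should go to a file
    that is kept, and the plain-text users database must be mode 0600.
    mode_of is injectable so the audit can run without the real files."""
    findings = []
    if conf.get("logfile") in ("syslog", "stderr"):
        findings.append(f"logfile: {conf['logfile']} is meant for debugging only; log to a kept file")
    users_db = conf.get("users")
    if users_db:
        try:
            mode = mode_of(users_db)
        except FileNotFoundError:
            findings.append(f"users: {users_db} does not exist")
        else:
            if mode != 0o600:
                findings.append(f"users: {users_db} is mode {mode:04o}, must be 0600 (passwords are plain text)")
    return findings


if __name__ == "__main__":
    for finding in audit_conf(parse_conf(SAMPLE_CONF)):
        print("WARNING:", finding)
```

Run as a script it stats the real paths from the configuration; in a test, pass a mode_of callable that returns the permission bits you want to simulate.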
THE USERS DATABASE
The user database contains the list of the users that are allowed to use nessusd. Why making a list of users, instead of allowing only one? Well, with the rules file which will be defined later in this document, you can set up a central nessusd server in your company, and add users who will have the right to test only a part of your network. For instance, you may want the R&D folks to test their part of the network, while you will test the rest. You can even configure nessusd so that everyone can use it to test only one's own computer.
The user database has a very simple format which is :
- The login name you want to add. This can be whatever you want. There must be a special entry: the user whose name is '*'. It is used for your public-key authenticated users.
- The password associated with this user. The password is in plain text so check that the users database is in mode 0600. If you want the user to log in via its public key, set this to nothing.
- The rules that apply to this specific user. A typical nessusd.users file would be :
# User foo, with password bar
# User oof authentificates using his public key :
THE RULE SET FORMAT
A rule has always the same format which is :
Keyword is one of deny, accept or default
In addition to this, the IP address may be preceded by an exclamation mark (!) which means: 'not'. There are three sources of rules :
- the rules database, which applies to every user
- the users database rules, which apply to one user
- the users rules, defined by the user in the client
You must know that there is a priority in the rules: the user can not extend its privileges, but can only lower them (that is, it can only restrict the set of hosts he is allowed to test).
THE RULES DATABASE
The rules database contains the system-wide rules, which apply for every user. Its syntax has been defined in the previous section. Example :
This allows the user to test localhost, and all the hosts on 192.168.0.0/16, except 192.168.1.1/32.
The rules accept the special keyword client_ip which is replaced, at connection time, by the IP of the user who logs in. If you want everyone to test his own box only, then you can do :
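The rule semantics described in the two sections above (accept/deny/default keywords, the '!' negation, the client_ip placeholder, the network specifications with dotted or prefix-length netmasks joined by '+', and the priority under which a user can only narrow the system-wide rules) are easy to get wrong when reasoning by hand. The following evaluator, added here as an example and not code from the nessusd package, implements them over three constructed rule sets so that the effect of each source can be checked. It assumes that a rule line reads <keyword> [!]<network-spec>, that a source with no default line falls back to deny, that network specs are IP literals (host names are not resolved), and that the priority is enforced by requiring every source to accept a host; none of these assumptions are stated on the page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample rule sets for this example (this copy of the man page
# omits its own rule examples). Assumed line format:
#     <keyword> [!]<network-spec>
# keyword is accept, deny or default; a network spec is an address, an
# address/netmask (dotted or prefix length), or several of those joined by
# '+'; "client_ip" stands for the address of the connecting client.
SYSTEM_RULES = """
# rules database: localhost and 192.168.0.0/16 are testable, except the gateway
accept 127.0.0.1
deny 192.168.1.1/32
accept 192.168.0.0/255.255.0.0
default deny
"""

USER_RULES = """
# users database rules for one user: own box plus the 192.168.2.0/24 lab
accept client_ip
# wider than the system rules, so it cannot take effect
accept 10.0.0.0/8
deny !192.168.2.0/24
default accept
"""

CLIENT_RULES = """
# rules sent by the client itself: leave one lab host alone
deny 192.168.2.7/32
default accept
"""

VERDICTS = ("accept", "deny")


@dataclass
class Rule:
    verdict: str
    negate: bool
    networks: list


@dataclass
class RuleSet:
    rules: list
    default: str

    def verdict(self, host):
        """First matching rule wins; the default applies when nothing matches."""
        addr = ipaddress.ip_address(host)
        for rule in self.rules:
            hit = any(addr in net for net in rule.networks)
            if hit != rule.negate:  # '!' inverts the match
                return rule.verdict
        return self.default


def parse_netspec(spec, client_ip):
    """Expand a '+'-joined list of networks into ipaddress network objects.
    Assumption: IP literals only; host names are not resolved here."""
    networks = []
    for part in spec.split("+"):
        if part == "client_ip":
            part = client_ip
        networks.append(ipaddress.ip_network(part, strict=False))
    return networks


def parse_rules(text, client_ip, default="deny"):
    """Parse rule lines; comment lines start with '#'. Falling back to
    'deny' when no default line is given is this example's assumption."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"malformed rule: {raw!r}")
        keyword, arg = fields
        if keyword == "default":
            if arg not in VERDICTS:
                raise ValueError(f"bad default verdict: {raw!r}")
            default = arg
        elif keyword in VERDICTS:
            rules.append(Rule(keyword, arg.startswith("!"),
                              parse_netspec(arg.lstrip("!"), client_ip)))
        else:
            raise ValueError(f"unknown keyword: {raw!r}")
    return RuleSet(rules, default)


def may_test(host, client_ip, *sources):
    """A host is testable only if every rule source accepts it, so the users
    database and the client can narrow the system-wide rules but never widen
    them (the priority the man page describes; all-must-accept is this
    example's assumption about how it is enforced)."""
    return all(parse_rules(src, client_ip).verdict(host) == "accept" for src in sources)


if __name__ == "__main__":
    client = "192.168.2.5"
    for host in ("192.168.2.5", "192.168.2.7", "192.168.3.4", "192.168.1.1", "10.0.0.1"):
        ok = may_test(host, client, SYSTEM_RULES, USER_RULES, CLIENT_RULES)
        print(host, "testable" if ok else "refused")
```

The user's "accept 10.0.0.0/8" line is accepted by the user's own rule set but the host is still refused because the system-wide rules deny it, which is the priority the page describes; the client's "deny 192.168.2.7/32" line, by contrast, does take effect because it only restricts.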
MORE INFORMATION ABOUT THE NESSUS PROJECT
The canonical places where you will find more information about the Nessus project are :
http://www.nessus.org (Official site)
http://cvs.nessus.org (Developers site)
The Nessus Project was started and is being maintained by Renaud Deraison <deraison@cvs.nessus.org>. The nessus server is mainly Copyright (C) 1998-1999 Renaud Deraison, as well as most of the attack modules.
Jordan Hrycaj <jordan@mjh.teddy-net.com> is the author of the cipher layer between the server and the client. The cipher library (libpeks) is (C) 1998-1999 Jordan Hrycaj
And several other people have been kind enough to send patches and bug reports. Thanks to them.
This document was created by man2html, using the manual pages.