Installing, Updating and Running Nessus

Nessus is free and open source vulnerability scanner. With some 16,000 plugins it can scan pretty much anything and come up with useful information. On Unix- like systems, Nessus is based upon the client-server model, consisting of nessusd, the daemon and nessus, the client. This is written for FreeBSD, but should work on other BSD/Linux distros without changing anything but the paths and installation commands.

Installation, Configuring and Updating

cd /usr/ports/security/nessus
make install clean
make cert

To download the latest plugins (each plugin runs tests against a specific vulnerability), register at nessus.org. Once you receive your activation code run /usr/local/bin/nessus-fetch --register [activation-code]. This will automatically update the plugins. To perform a manul update, run /usr/local/bin/nessus-fetch --plugins. This will download a .tar into your current directory, the plugins need to be extracted into /usr/local/lib/nessus/plugins. Add a user for Nessus: `

/usr/local/bin/nessus-adduser

At this point, a target file which specifies which hosts will be scanned needs to be created.

vim /root/nessus.targets

The syntax is rather flexible, it accepts one IP per line, CIDR notation (192.168.1.1/24) to scan an whole subnet, from-to (10.1.1.1-10.1.1.25) notation, and IPs separated by commas. Once finished, start the nessud daemon:

/usr/local/sbin/nessusd -D

` You should see something like Loading the plugins… 2040 (out of 15651).

Performing a Vulnerability Scan

To perform the scan and generate the results as a .html file use the following syntax: `

nessus -T [format] [host] [port] [user] [password] [targets-file] [result-file]

eg:

nessus -T html localhost 1241 nessususer password123 /root/nessus.targets /home/www/nessus.html

` Port 1241 is the default Nessus port. To keep things simple, set the paranoia level to 1 when prompted.

Centos 5 Notes

The rpm package will have to be downloaded and installed manually from the download page on nessus.org.

The default installation path is /opt/nessus/.
The config file location is /opt/nessus/etc/nessus/nessusd.conf.
To create a user: /opt/nessus/sbin/nessus-add-first-user.
To register: /opt/nessus/bin/nessus-fetch –register [activation-code].
To update: /opt/nessus/sbin/nessus-update-plugins.
Start nessud: service nessusd start.