|
|
Line 1: |
Line 1: |
− | How To Use OpenVAS to Audit the Security of Remote Systems on Ubuntu 12.04
| + | ==Introduction== |
− | PostedJanuary 27, 2014 134.1k views Security Ubuntu
| |
− | Introduction | |
| | | |
− | An important aspect of server security is being proactive about security screening. If you expose any services to the internet, penetration testing is essential to ensure that you are not vulnerable to known threats.
| + | OpenVAS is an open source suite that can be used for vulnerability scanning and vulnerability management. It stands for Open Vulnerability Assessment System. OpenVAS is an excellent alternative to commercial security scanners such as Nessus, QualysGuard, etc. OpenVAS is divided into three parts: OpenVAS Scanner, OpenVAS Manager, and OpenVAS CLI. |
| | | |
− | The Open Vulnerability Assessment System, known more commonly as OpenVAS, is a suite of tools that work together to run tests against client computers using a database of known exploits and weaknesses. The goal is to learn about how well your servers are guarded against known attack vectors.
| + | In this tutorial, I will explain how to install OpenVAS Vulnerability Scanner on Ubuntu 16.04. |
| | | |
− | In this guide, we will install the OpenVAS suite on an Ubuntu 12.04 VPS. We can then use this system to scan itself and other servers.
| + | ==Prerequisites== |
− | Add the OpenVAS PPA and Install Software
| |
| | | |
− | Although there are some OpenVAS components in Ubuntu's default repositories, we will use a PPA that maintains updated versions of the packages.
| + | * A newly deployed Vultr Ubuntu 16.04 server instance. |
| + | * A non-root user with sudo privileges setup on your server. |
| + | * A static IP address of 192.168.15.110 configured on your system. |
| + | * The rsync package must be installed |
| | | |
− | To begin with, we need to install the python-software-properties package, which will allow us to work with PPAs easily.
| + | ==Step 1: Update the system== |
| | | |
− | sudo apt-get update
| + | First, update your system to the latest stable version by running the following commands: |
− | sudo apt-get install python-software-properties
| |
| | | |
− | We can then add the newest stable version to our system:
| + | sudo apt-get update -y |
| + | sudo apt-get upgrade -y |
| + | sudo reboot |
| | | |
− | sudo add-apt-repository ppa:openvas/openvas6
| + | ==Step 2: Install required dependencies== |
| | | |
− | We need to rebuild the apt database to gather information about the packages available through our new PPA. Afterwards, we can install the needed software:
| + | Before installing OpenVAS, you will need to install its required dependencies. To install them, run the following command: |
| | | |
− | sudo apt-get update
| + | sudo apt-get install python-software-properties |
− | sudo apt-get install openvas-manager openvas-scanner openvas-administrator openvas-cli greenbone-security-assistant sqlite3 xsltproc texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc alien rpm nsis fakeroot | |
| | | |
− | This will download and install the components that are necessary to get us started.
| + | Next, you will also need to install SQLite for OpenVAS manager: |
− | Initial Configuration
| |
| | | |
− | We can create SSL certificates for OpenVAS using a wrapper utility that is included by default. We need to call this with administrative privileges so that it can be placed in a restricted portion of the file system.
| + | sudo apt-get install sqlite3 |
| | | |
− | sudo openvas-mkcert
| |
| | | |
− | You will be asked a number of questions that will help you build a certificate file for use with this server.
| + | ==Step 3: Install OpenVAS== |
| | | |
− | Most of the questions, you can just type ENTER to accept the default values. This is mainly for your own use, so input the values you would like to use.
| + | By default, the OpenVAS package is not available in the Ubuntu 16.04 repository, so you will need to add OpenVAS PPA to your system's repository list. |
| | | |
− | Next, we will create another certificate. This time, we will create a client certificate for a user named "om" this stands for OpenVAS Manager. We don't need any specific information for the client portion, so we will tell it to configure things automatically and install the certificates in the needed places:
| + | Add the OpenVAS PPA. |
| | | |
− | sudo openvas-mkcert-client -n om -i | + | sudo add-apt-repository ppa:mrazavi/openvas |
| + | sudo apt-get update |
| | | |
− | Build the Database Information
| + | Finally, install OpenVAS. |
| | | |
− | Now that we have our certificates installed, we can begin building our database so that our local tools are aware of different kinds of threats and vulnerabilities.
| + | sudo apt-get install openvas |
| | | |
− | Update the network vulnerability tests database by issuing this command:
| + | Once OpenVAS has finished installing, start the OpenVAS service with the following commands: |
| | | |
− | sudo openvas-nvt-sync | + | sudo systemctl start openvas-scanner |
− | | + | sudo systemctl start openvas-manager |
− | This will download the latest definitions to your local machine.
| + | sudo systemctl start openvas-gsa |
− | | |
− | To continue we'll need to stop the manager and scanner applications so that we can call the commands without a conflict momentarily.
| |
− | | |
− | Stop both of these services by typing:
| |
− | | |
− | sudo service openvas-manager stop
| |
− | sudo service openvas-scanner stop | |
− | | |
− | Now, we can start the scanner application without the parameters found in the init file that are usually called. During this first run, OpenVAS will need to download and sync a lot of data. This will take quite awhile:
| |
− | | |
− | sudo openvassd
| |
− | | |
− | Once this is finished, you'll have to rebuild the database generated by the scanner by typing:
| |
− | | |
− | sudo openvasmd --rebuild
| |
− | | |
− | Next, we will download and update our security content automation protocol data. This is known as "SCAP" data. This is another database that OpenVAS checks against for our security tests.
| |
− | | |
− | sudo openvas-scapdata-sync
| |
− | | |
− | This will be another long wait. It downloads some general files and then updates them in the database.
| |
− | | |
− | We will then run a similar sync operation for the cert data:
| |
− | | |
− | sudo openvas-certdata-sync
| |
− | | |
− | Running this command for the first time, you might see some errors. They may look something like this:
| |
− | | |
− | Error: no such table: meta
| |
− | | |
− | This is because the Ubuntu package is actually missing some files that are packaged in some other versions.
| |
− | | |
− | We can get these from an RPM package for the manager component. Type this to download it to your home directory:
| |
− | | |
− | cd
| |
− | wget http://www6.atomicorp.com/channels/atomic/fedora/18/i386/RPMS/openvas-manager-4.0.2-11.fc18.art.i686.rpm
| |
− | | |
− | Now that we have the file downloaded, we can extract and expand the directory structure present within the RPM. We can do this by typing:
| |
− | | |
− | rpm2cpio openvas* | cpio -div
| |
− | | |
− | We will create a directory for our new files in a place where OpenVAS will find them. We will then move the files into that directory:
| |
− | | |
− | sudo mkdir /usr/share/openvas/cert
| |
− | sudo cp ./usr/share/openvas/cert/* /usr/share/openvas/cert
| |
− | | |
− | Now, we can safely run the cert syncing command again, and it should complete as expected this time:
| |
− | | |
− | sudo openvas-certdata-sync
| |
− | | |
− | Afterwards, we can delete the extracted RPM data and directories from our home directory:
| |
− | | |
− | rm -rf ~/openvas* ~/usr ~/etc
| |
− | | |
− | Set Up OpenVAS User and Ports
| |
− | | |
− | To sign into our service, we will need a user. We can create one with the OpenVAS administrator component.
| |
− | | |
− | Here, we will create a user called "admin" with the role of administrator. You will be asked to provide a password to use for the new account:
| |
− | | |
− | sudo openvasad -c add_user -n admin -r Admin
| |
− | | |
− | You will be informed that the user has been granted unlimited access.
| |
− | | |
− | Next, we need to change the way one of our components starts up. The Greenbone Security Assistant component is a web-based interface to the tools we have installed.
| |
− | | |
− | By default, the interface is only accessible from the local computer. Since we are installing the OpenVAS suite on a remote server, we won't be able to access the web interface with these settings. We need to make it accessible from the internet.
| |
− | | |
− | Open the following file with root privileges in your preferred text editor:
| |
− | | |
− | sudo nano /etc/default/greenbone-security-assistant
| |
− | | |
− | Near the top, you should see a parameter that specifies the address that the web interface will listen on. We need to change the value from 127.0.0.1 to the public IP address of your VPS. This will let it listen to connections from the internet, and we will be able to connect:
| |
− | | |
− | GSA_ADDRESS=your_server_IP_address
| |
− | | |
− | Save and close the file when you have made the above modification.
| |
− | Start Up the Services
| |
− | | |
− | We will now start up the services that we have been configuring. Most of them are already running in some capacity, but we will have to restart them to make sure that they use the new information we have been gathering.
| |
− | | |
− | Start by killing all of the running OpenVAS scanner processes:
| |
− | | |
− | sudo killall openvassd
| |
− | | |
− | It can take up to 15 or 20 seconds for the process to actually be killed. You can check if there are processes still running by issuing:
| |
− | | |
− | ps aux | grep openvassd | grep -v grep
| |
− | | |
− | If anything is returned, then your processes have not finished yet and you should continue to wait.
| |
− | | |
− | Once the process exits completely, you can begin starting all of your services again:
| |
− | | |
− | sudo service openvas-scanner start
| |
− | sudo service openvas-manager start | |
− | sudo service openvas-administrator restart
| |
− | sudo service greenbone-security-assistant restart
| |
− | | |
− | Each of these may take a bit of time to start up.
| |
− | Access the Web Interface and Run Some Tests
| |
− | | |
− | Once the services have all started, you use your web browser to access the Greenbone Security Assistant web interface.
| |
− | | |
− | To access this, you must precede the address of your server with https://. You then enter either the domain name or IP address of your server followed by :9392.
| |
− | | |
− | https://server_domain_or_IP:9392
| |
− | | |
− | You will be presented with a scary looking warning screen telling you that the certificate is not signed by someone that your browser trusts by default:
| |
− | | |
− | OpenVAS security warning
| |
− | | |
− | This is expected and not a problem. You should click on the "Proceed anyway" button to continue.
| |
− | | |
− | Next, you will be presented with the login screen:
| |
− | | |
− | OpenVAS login screen
| |
− | | |
− | You will need to enter the username and password you configured earlier. For this guide, the username was "admin".
| |
− | | |
− | Once you sign in, you will be immediately greeted by a quick start wizard, which will allow you to run a default scan against a target computer right away:
| |
− | | |
− | OpenVAS startup wizard
| |
− | | |
− | A good choice is to run against another server that you own. It is important to not run these scans against targets that are not under your control, because they may look like potential attacks to other users.
| |
− | | |
− | Enter the IP address of the computer you wish to test against and click the "Start Scan" button to begin.
| |
− | | |
− | The page will update as the scan progresses and you can also refresh the page manually to track the progress:
| |
− | | |
− | OpenVAS scan progress
| |
− | | |
− | When the scan is complete (or even before if you want to review the information as it is coming in), you can click on the purple magnifying glass icon to see the results of the scan. It is normal for the scan to rest on 98% for a while before completing:
| |
− | | |
− | OpenVAS magnifying glass
| |
− | | |
− | You will be taken to an overview of the scan results. Note that the immediate scan that we have completed is not the most in-depth scan we have available.
| |
− | | |
− | OpenVAS scan results
| |
− | | |
− | At the bottom, you can see the report that OpenVAS created telling us of potential vulnerabilities in the system we scanned. We can see that the "Threat" level has been categorized as "Medium".
| |
− | | |
− | This means that at least one vulnerability has been found in the system of the rating of "medium". We can find out more by clicking on the magnifying glass again.
| |
− | | |
− | This will take us to a full report of the findings. In the top portion, you have the option to download the results in various formats:
| |
− | | |
− | OpenVAS scan download
| |
− | | |
− | In the middle section, we can filter the results. By default, the interface will only show threats marked "high" or "medium". On your first time through, you should probably check all of the boxes under the "Threat" category. Click "Apply" to implement this:
| |
− | | |
− | OpenVAS filtering
| |
− | | |
− | The bottom section tells us about the specific items that were found. If you selected all of the boxes above, you will see some informational messages about open ports and similar findings.
| |
− | | |
− | The threats will be color-coded to match their button color. For instance, this is our medium threat:
| |
− | | |
− | OpenVas medium threat
| |
− | | |
− | This warning tells us that our target responds to timestamp requests. These requests can let an attacker know how long the host has been online continuously. This could let an attacker know that the host is vulnerable to any recent exploits.
| |
− | | |
− | As you can see, the report also includes information about how to address the issue.
| |
− | Conclusion
| |
− | | |
− | You should now have a fully functional OpenVAS server set up to scan your hosts. This can help you spot vulnerabilities and highlight areas to focus on when you are tightening up security.
| |
− | | |
− | We have only shown a bare minimum of the functionality of the OpenVAS security suite. Among other tasks, you can easily schedule scans, automatically generate reports, and email alerts when certain threat levels are generated. Explore the Greenbone Security Assistant interface and take advantage of the great built-in help system to learn more about your options.
| |
− | By Justin Ellingwood
| |
| | | |
| + | ==Step 4: Allow OpenVAS through the system firewall== |
| | | |
| + | By default, OpenVAS runs on port 443, so you will need to allow this port through the UFW firewall. |
| | | |
| + | sudo ufw allow https |
| | | |
| + | ==Step 5: Access OpenVAS web interface== |
| | | |
| + | Before accessing OpenVAS, you will need to update its vulnerability database. |
| | | |
| + | sudo openvas-nvt-sync |
| | | |
| + | Once the database is up-to-date, open your web browser and type the URL https://192.168.15.110/. On the login page, provide the default username (admin) and password (admin). After logging in, you will be presented with the OpenVAS dashboard. |
| | | |
| + | If you want to change the admin user's password from command line, run the following command: |
| | | |
− | ==Referensi== | + | sudo openvasmd --user=admin --new-password=<new-password> |
| | | |
− | * https://www.digitalocean.com/community/tutorials/how-to-use-openvas-to-audit-the-security-of-remote-systems-on-ubuntu-12-04
| + | Congratulations! You have successfully installed OpenVAS on your Ubuntu 16.04 server. |
Introduction
OpenVAS is an open source suite that can be used for vulnerability scanning and vulnerability management. It stands for Open Vulnerability Assessment System. OpenVAS is an excellent alternative to commercial security scanners such as Nessus, QualysGuard, etc. OpenVAS is divided into three parts: OpenVAS Scanner, OpenVAS Manager, and OpenVAS CLI.
In this tutorial, I will explain how to install OpenVAS Vulnerability Scanner on Ubuntu 16.04.
Prerequisites
- A newly deployed Vultr Ubuntu 16.04 server instance.
- A non-root user with sudo privileges setup on your server.
- A static IP address of 192.168.15.110 configured on your system.
- The rsync package must be installed
Step 1: Update the system
First, update your system to the latest stable version by running the following commands:
sudo apt-get update -y
sudo apt-get upgrade -y
sudo reboot
Step 2: Install required dependencies
Before installing OpenVAS, you will need to install its required dependencies. To install them, run the following command:
sudo apt-get install python-software-properties
Next, you will also need to install SQLite for OpenVAS manager:
sudo apt-get install sqlite3
Step 3: Install OpenVAS
By default, the OpenVAS package is not available in the Ubuntu 16.04 repository, so you will need to add OpenVAS PPA to your system's repository list.
Add the OpenVAS PPA.
sudo add-apt-repository ppa:mrazavi/openvas
sudo apt-get update
Finally, install OpenVAS.
sudo apt-get install openvas
Once OpenVAS has finished installing, start the OpenVAS service with the following commands:
sudo systemctl start openvas-scanner
sudo systemctl start openvas-manager
sudo systemctl start openvas-gsa
Step 4: Allow OpenVAS through the system firewall
By default, OpenVAS runs on port 443, so you will need to allow this port through the UFW firewall.
sudo ufw allow https
Step 5: Access OpenVAS web interface
Before accessing OpenVAS, you will need to update its vulnerability database.
sudo openvas-nvt-sync
Once the database is up-to-date, open your web browser and type the URL https://192.168.15.110/. On the login page, provide the default username (admin) and password (admin). After logging in, you will be presented with the OpenVAS dashboard.
If you want to change the admin user's password from command line, run the following command:
sudo openvasmd --user=admin --new-password=<new-password>
Congratulations! You have successfully installed OpenVAS on your Ubuntu 16.04 server.