
Removing Nessus completely from a server (Arthur Rosenberg)

Subject: Removing Nessus completely from a server (Arthur Rosenberg)
Date: Thu, 22 Sep 2005 12:10:58 -0400
I recently migrated Nessus from one UNIX server to another. Following
that, I ran the #nessus-uninstall command. However, when I portscan the
original server, I see that the nessus port is still open. Are there any
additional steps I need to take to completely erase all trace of Nessus
from the system? 

-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of
nessus-request@list.nessus.org
Sent: Thursday, September 22, 2005 12:00 PM
To: nessus@list.nessus.org
Subject: Nessus Digest, Vol 23, Issue 20

Today's Topics:

   1. Re: Scan aborting w/o log entry (mike.sleeper@srs.gov)
   2. Re: Scan aborting w/o log entry (George A. Theall)
   3. Long Delay After Login (eric)
   4. Trying to connect remotly fron Win 2003 to Nessus on Linux
      (Salam Y. ELIAS)
   5. Trying to connect remotly fron Win 2003 to Nessus on Linux
      (John Scherff)
   6. Scanning multiple IP's provides weak results (andrewwhite)
   7. RE: Trying to connect remotly fron Win 2003 to Nessus on
      Linux (John Scherff)
   8. RE: Scanning multiple IP's provides weak results (John Scherff)
   9. Linux install question (John Laterra (MC/EPA))
  10. RE: Linux install question (John Scherff)
  11. Re: some preferences not provided from the nessus daemon? (J.K.)
  12. Plugins Peer to Peer family (saverio.ferraro@fastwebnet.it)
  13. Re: Plugins Peer to Peer family (Hubert Seiwert)
  14. Re: Plugins Peer to Peer family (George A. Theall)
  15. Re: some preferences not provided from the nessus daemon?
      (George A. Theall)
  16. RE: Trying to connect remotly fron Win 2003 to Nessus on
      Linux (John Scherff)


----------------------------------------------------------------------

Message: 1
Date: Wed, 21 Sep 2005 12:11:36 -0400
From: mike.sleeper@srs.gov
Subject: Re: Scan aborting w/o log entry
To: Nessus@list.nessus.org
Message-ID: <OFB54DB4FF.9120F753-ON85257082.006503C7-85257083.0058F407@srs.gov>
Content-Type: text/plain; charset="us-ascii"

Thanks for the pointer on strace...

I have a failover system, which I brought on-line (identical scripted
Nessus build) and launched the same scan with the same scripts and host
file.  The scan ran successfully.  I copied the .rc configuration file
back over to the problem system and it still does not initiate scanning.

Thereby, I think, ruling out the possibility of a config file error.
As an FYI, cmdline scans are launched as:

   nessus -c ./$config1 -T nbe -xq 127.0.0.1 1241 USER PASS ./$hostfile ./$outfile

There are no entries stating that a scan is launched or a session is
restored.
There are no entries saying that the client disconnected. 
Command line client receives message (shown from strace): 
   ioctl(3, FIONREAD, [0])                 = 0
   write(2, "Communication closed by server\n", 31) = 31
   write(2, "nessus: nessusd abruptly shut the communication down - the test may be incomplete\n", 82) = 82

---- nessusd.messages entries ---
[Wed Sep 21 10:27:19 2005][9304] nessusd 2.2.5. started
[Wed Sep 21 11:29:37 2005][9304] connection from 127.0.0.1
[Wed Sep 21 11:29:37 2005][9891] Client requested protocol version 12.
[Wed Sep 21 11:29:37 2005][9891] successful login of USERNAME from 127.0.0.1
[Wed Sep 21 11:30:29 2005][9891] user USERNAME : session will be saved as /usr/local/var/nessus/users/USERNAME/sessions/20050921-113029-index
[Wed Sep 21 11:31:35 2005][9304] connection from 127.0.0.1
[Wed Sep 21 11:32:39 2005][9304] connection from 127.0.0.1
[Wed Sep 21 11:32:39 2005][9924] Client requested protocol version 12.
[Wed Sep 21 11:32:39 2005][9924] successful login of USERNAME from 127.0.0.1
[Wed Sep 21 11:33:34 2005][9924] user USERNAME : session will be saved as /usr/local/var/nessus/users/USERNAME/sessions/20050921-113334-index
---END OF nessusd.messages---

I've run strace both with and without the SSL (Thanks for the reminder
to disable SSL, it made the output much easier to read :) I'm not seeing
anything that I can attribute to the problem. 


I suspect I may just have to reload Nessus on that system, but I'd like
to know what caused the problem to avoid the situation in the future.






"George A. Theall" <theall@tenablesecurity.com> 
Sent by: nessus-bounces@list.nessus.org
09/20/2005 02:19 PM

To
Nessus@list.nessus.org
cc

Subject
Re: Scan aborting w/o log entry






On Tue, Sep 20, 2005 at 01:53:46PM -0400, mike.sleeper@srs.gov wrote:

> Daily command line scans stopped working yesterday and I can find no
> entries that reference any problems.  This is a scripted process and the
> only change (that I can think of or find) would be the plugins.
> ...
> I suspect I've apparently screwed something up, but I cannot figure out
> what it is.   Any suggestions on what else I can look for?

Try following the nessusd and its child processes with strace while
launching a scan.

Alternatively, it might be useful to reconfigure nessusd to not use SSL
for communications (ie, set "ssl_version = NONE" in the client and
server configs, restart server) and trace the NTP messages sent to the
client.

> nessusd.messages
> ====================
> ...
> /usr/local/var/nessus/users/USERNAME/sessions/20050920-124431-index
> ........ repeated for each attempt (command line or gui with gui showing
> the actual IP address) ......

Do you see anything like:

  user USERNAME starts a new scan...
  user USERNAME restores a session...


George
-- 
theall@tenablesecurity.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus


------------------------------

Message: 2
Date: Wed, 21 Sep 2005 12:39:54 -0400
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Scan aborting w/o log entry
To: Nessus@list.nessus.org
Message-ID: <43318CDA.2060506@tenablesecurity.com>
Content-Type: text/plain; charset=us-ascii

> There are no entries stating that a scan is launched or a session is
> restored.

Ok, this narrows the issue down a bit.

> I've run strace both with and without the SSL (Thanks for the reminder
> to disable SSL, it made the output much easier to read :)
> I'm not seeing anything that I can attribute to the problem.

Would you mind sending me off-list a packet dump of the communications
between the client / server (w/o SSL) so I can see the underlying NTP
messages? Also, the output from strace (use the "-ff" and "-o" options)?
Don't forget to scrub any sensitive info (eg, login credentials).

George
-- 
theall@tenablesecurity.com


------------------------------

Message: 3
Date: Wed, 21 Sep 2005 11:38:38 -0500
From: eric <eric-list-nessus@catastrophe.net>
Subject: Long Delay After Login
To: nessus@list.nessus.org
Message-ID: <20050921163838.GJ26902@catastrophe.net>
Content-Type: text/plain; charset=us-ascii

I have a bit of a quirk with my nessus scanner. 

First of all, I'm using the following version:

scanner$ /usr/local/sbin/nessusd -v 
nessusd (Nessus) 2.2.2 for OpenBSD
(C) 1998 - 2004 Renaud Deraison <deraison@nessus.org>

When I start a scan (either using the command-line batch mode from localhost
(172.19.141.198) or over the network using scan lite), the user can login,
but then there is approximately a 30-120 second delay for the scan to start.

Observe the following...

scanner$ tail -f nessusd.messages
[Wed Sep 21 11:30:27 2005][19143] Caught HUP signal - reconfiguring nessusd
[Wed Sep 21 11:31:19 2005][3334] nessusd 2.2.2. started
[Wed Sep 21 11:31:49 2005][3334] connection from 172.19.141.198
[Wed Sep 21 11:31:49 2005][26664] Client requested protocol version 12.
[Wed Sep 21 11:31:49 2005][26664] successful login of scanuser from 172.19.141.198
[Wed Sep 21 11:33:06 2005][26664] Redirecting debugging output to /data/scans/nessus/logs/nessusd.dump
[Wed Sep 21 11:33:49 2005][26664] user scanuser starts a new scan. Target(s) : 172.19.141.197, with max_hosts = 20 and max_checks = 4
[Wed Sep 21 11:33:49 2005][26664] user scanuser : testing 172.19.141.197 (172.19.141.197) [9738]

Notice that the user logs in at 11:31:49, but scans don't start till
11:33:49!

The length of time that the user is idle before scanning varies, but it
never seems to drop below 30 seconds.

Has anyone else run into this problem? There are no other scans going on at
the time, and the machine (a dual P4 with 4GB of RAM) is completely idle.

Thanks for any assistance. I've tried moving to 2.2.4 as well, but the issue
persists.

- Eric
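
The two symptoms reported so far (Message 1: a login that is never followed by a "starts a new scan" entry; Message 3: a long gap between login and scan start) can both be pulled out of nessusd.messages mechanically. The script below is an added example, not code from the list or from Nessus; the function names are hypothetical, and the sample log is constructed from the entries quoted above plus one made-up session (PID 30001) that crosses midnight.

```shell
#!/bin/sh
# Added example: per nessusd child PID, how long did it take to get from
# "successful login" to the scan actually starting?

# login_to_scan_report FILE
# Prints "<pid> <user> <seconds>" for each login, or "<pid> <user> NO_SCAN"
# when that PID never logs "starts a new scan" / "restores a session".
login_to_scan_report() {
    awk '
    # HH:MM:SS -> seconds since midnight
    function secs(ts,   p) { split(ts, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }

    # Entries look like: [Wed Sep 21 11:31:49 2005][26664] message text
    # so $4 is the time and $5 is "2005][PID]". Lines that do not start
    # with "[" (wrapped continuations, as in archived mail) are skipped.
    /^\[/ {
        pid = $5
        sub(/^[0-9]+\]\[/, "", pid)
        sub(/\]$/, "", pid)

        if ($6 == "successful" && $7 == "login") {
            if (!(pid in login)) order[++n] = pid
            login[pid] = secs($4)
            user[pid] = $9
        } else if ($6 == "user" && ($8 == "starts" || $8 == "restores") &&
                   (pid in login) && !(pid in delay)) {
            d = secs($4) - login[pid]
            if (d < 0) d += 86400    # the scan started after midnight
            delay[pid] = d
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            pid = order[i]
            print pid, user[pid], ((pid in delay) ? delay[pid] : "NO_SCAN")
        }
    }' "$1"
}

# slow_sessions FILE MAX_SECONDS
# Keeps only the sessions worth a closer look: no scan at all, or a start
# delay above MAX_SECONDS.
slow_sessions() {
    login_to_scan_report "$1" |
        awk -v max="$2" '$3 == "NO_SCAN" || $3 + 0 > max + 0'
}

# write_sample_log FILE
# Constructed sample: PID 9891 is the aborted session from Message 1,
# PID 26664 the delayed one from Message 3, PID 30001 is made up.
write_sample_log() {
    cat > "$1" <<'EOF'
[Wed Sep 21 11:29:37 2005][9304] connection from 127.0.0.1
[Wed Sep 21 11:29:37 2005][9891] Client requested protocol version 12.
[Wed Sep 21 11:29:37 2005][9891] successful login of USERNAME from 127.0.0.1
[Wed Sep 21 11:30:29 2005][9891] user USERNAME : session will be saved as /usr/local/var/nessus/users/USERNAME/sessions/20050921-113029-index
[Wed Sep 21 11:31:49 2005][26664] successful login of scanuser from 172.19.141.198
[Wed Sep 21 11:33:49 2005][26664] user scanuser starts a new scan. Target(s) : 172.19.141.197, with max_hosts = 20 and max_checks = 4
[Wed Sep 21 23:59:58 2005][30001] successful login of demo from 127.0.0.1
[Thu Sep 22 00:00:01 2005][30001] user demo starts a new scan. Target(s) : 127.0.0.1, with max_hosts = 20 and max_checks = 4
EOF
}

# Demo: list sessions that never started or took longer than 30 seconds.
sample=$(mktemp)
write_sample_log "$sample"
slow_sessions "$sample" 30
rm -f "$sample"
```

Run against a real nessusd.messages, a NO_SCAN row tells you the client authenticated but the daemon never logged a scan start, which is the point where strace or a packet capture of that PID is worth taking.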


------------------------------

Message: 4
Date: Wed, 21 Sep 2005 19:53:54 +0200
From: "Salam Y. ELIAS" <salamlinux@free.fr>
Subject: Trying to connect remotly fron Win 2003 to Nessus on Linux
To: nessus@list.nessus.org
Message-ID: <1127325235.5959.17.camel@linux>
Content-Type: text/plain

Thanks everybody, my nessus server is working fine, thanks folks.
However, when running the client on Linux, it connects and I managed to
scan 2 servers. However, I downloaded the win32 version on a win 2003
box, I can not connect to the server on linux. Of course I ping the
linux machine. I get the following error in the output window


ERROR: Cannot establish connection with 192.168.0.10 (Socket error 0).

So is there a config param to allow/Deny clients remotely?

Second question, in the win32 interface, in setting dialog box I have
the possibility to designate a database. On Linux I issue "nessus" on a
terminal session to launch the client, is there another way or just it is
not possible to point to a database.

Thanks



------------------------------

Message: 5
Date: Wed, 21 Sep 2005 11:33:16 -0700
From: "John Scherff" <JScherff@24hourfit.com>
Subject: Trying to connect remotly fron Win 2003 to Nessus on Linux
To: <nessus@list.nessus.org>
Message-ID:
        <169658C0C845EC438759DB8B8BC70654D6D955@NOC-EXCH1.24hourfit.com>
Content-Type: text/plain;       charset="us-ascii"

Is iptables running on the Linux server running Nessus?  (My question
assumes you were running the X client on the same machine as the Nessus
daemon.)  If it is, you'll have to open up port 1241. 



------------------------------

Message: 6
Date: Wed, 21 Sep 2005 22:26:40 +0100
From: "andrewwhite" <andrewwhite@btinternet.com>
Subject: Scanning multiple IP's provides weak results
To: <nessus@list.nessus.org>
Message-ID:
        
<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAz7gqYdO5/EeqTAYg5udXicKA
AAAQAAAAaQHEE/kS2kKw07Zo+B8uKwEAAAAA@btinternet.com>
        
Content-Type: text/plain; charset="us-ascii"

I am scanning multiple IP's in the Nessus target range.  For example
10.10.10.10/27 it will scan and come back with hardly any information on
open ports which I know are open not even the ftp ports that are open.
However if I type a single IP into the target box and scan, it will come
back with the correct results.

What am I doing wrong here?  Is it not good to scan many IP's, nmap from
command line has no problem.

Thanks for your time

Andy


------------------------------

Message: 7
Date: Wed, 21 Sep 2005 14:29:49 -0700
From: "John Scherff" <JScherff@24hourfit.com>
Subject: RE: Trying to connect remotly fron Win 2003 to Nessus on
        Linux
To: <salamlinux@free.fr>
Cc: Nessus@list.nessus.org
Message-ID:
        <169658C0C845EC438759DB8B8BC70654D6D959@NOC-EXCH1.24hourfit.com>
Content-Type: text/plain;       charset="us-ascii"

Salam,

Okay, open /etc/sysconfig/iptables and add the following line below the
one that says --dport 22:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1241
-j ACCEPT 

By the way, editing the /etc/sysconfig/iptables file is not usually the
best way to alter your Linux personal firewall, but for simple changes
like this, it's the quickest. Make sure you copy the original file to
iptables.orig or something like that.

Also, if you don't know iptables, you should learn it.  It's a good way
to close up some of the vulnerabilities that Nessus finds - particularly
when there are no patches available to fix them.

- John Scherff

-----Original Message-----
From: Salam Y. ELIAS [mailto:salamlinux@free.fr] 
Sent: Wednesday, September 21, 2005 2:08 PM
To: John Scherff
Subject: Re: Trying to connect remotly fron Win 2003 to Nessus on Linux

Enclosed is the iptables file, to be honest with you, I have never
touched it. This is a fresh new install Fedora Core 4 I did 10 days ago

Thanks again for your help

On Wed, 2005-09-21 at 12:54 -0700, John Scherff wrote:
Send me your /etc/sysconfig/iptables file so I can tell you without 
breaking something else.

-----Original Message-----
From: Salam Y. ELIAS <salamlinux@free.fr>
To: John Scherff <JScherff@24hourfit.com>
Sent: Wed Sep 21 12:48:59 2005
Subject: RE: Trying to connect remotly fron Win 2003 to Nessus on 
Linux

So many thanks, you are correct, I ran Nessus client on the linux 
machine by typing nessus in a terminal session. However, when 
connecting there is a box where this port is specified.

As I said, I am new to Linux and nessus, so how can I open the port, 
how do I use IPTABLES? I have my Router who assign IPs to my machines,

my Linux has always 192.168.0.10

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
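
The edit John describes in Message 7 (back up the file, then add the port 1241 rule directly below the `--dport 22` line so it sits ahead of the chain's final REJECT) can be scripted as below. This is an added example, not part of the original thread: the function names are hypothetical, the sample rules file is a constructed Fedora-style layout, and the optional second argument, which limits the rule to one client with `-s`, is an assumption that goes beyond the post (192.168.0.20 is a made-up client address).

```shell
#!/bin/sh
# Added example: apply the port 1241 change to a rules file in
# /etc/sysconfig/iptables format, keeping a copy of the original.

# add_nessus_rule FILE [CLIENT_ADDR]
# Returns 0 when the rule is present afterwards, 2 when FILE has no
# "--dport 22" line to anchor on (FILE is left untouched in that case).
add_nessus_rule() {
    file=$1
    client=${2:-}
    rule="-A RH-Firewall-1-INPUT"
    if [ -n "$client" ]; then
        rule="$rule -s $client"    # assumption: only this client may connect
    fi
    rule="$rule -m state --state NEW -m tcp -p tcp --dport 1241 -j ACCEPT"

    # Idempotent: do nothing if a 1241 rule is already there.
    if grep -q -e '--dport 1241 ' "$file"; then
        return 0
    fi
    if ! grep -q -e '--dport 22 ' "$file"; then
        echo "add_nessus_rule: no '--dport 22' line in $file" >&2
        return 2
    fi

    # "Make sure you copy the original file to iptables.orig": never
    # overwrite a backup that already exists.
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1

    tmp=$(mktemp) || return 1
    # Print every line; right after the first SSH rule, print ours.
    awk -v rule="$rule" '
        { print }
        !done && /--dport 22 / { print rule; done = 1 }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# rule_line FILE PATTERN -> line number of the first matching line
rule_line() {
    grep -n -e "$2" "$1" | head -n 1 | cut -d: -f1
}

# write_sample_rules FILE
# Constructed sample in the style of a stock Fedora rules file.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo on a temporary copy, never on the live file.
rules=$(mktemp)
write_sample_rules "$rules"
add_nessus_rule "$rules" 192.168.0.20 && cat "$rules"
rm -f "$rules" "$rules.orig"
```

On the real file the firewall has to be reloaded afterwards (on Fedora, `service iptables restart`) before the new rule takes effect.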






------------------------------

Message: 8
Date: Wed, 21 Sep 2005 15:09:25 -0700
From: "John Scherff" <JScherff@24hourfit.com>
Subject: RE: Scanning multiple IP's provides weak results
To: <nessus@list.nessus.org>
Message-ID:
        <169658C0C845EC438759DB8B8BC70654D6D95C@NOC-EXCH1.24hourfit.com>
Content-Type: text/plain; charset="us-ascii"

Andy, 
 
Comparing nmap to nessus ain't apples-to-apples.  Nessus is a whole lot
busier behind the scenes than nmap is.  
 
The answer to your question depends on the robustness of your network,
the horsepower of the machines you're scanning, and myriad other factors.
 
Try tuning down Nessus' aggressiveness.  The default for simultaneous
hosts and simultaneous checks per host is 30 and 10, respectively (I
think). That's 300 plugins on the dance floor at the same time. Try
friendlier values like 10 and 4 (40 simultaneous processes).  If that
doesn't work, back it off to something smaller still. 
 
There are many other things you can tune, too... check the
documentation.  Keep in mind that the settings you specify in your
nessusd.conf file will be overridden by your .nessusrc file.  If in
doubt, create a client config file you like and then force the client to
use it with the -c or --config-file switches.  (Ignore my last two
sentences if you're using one of the GUI clients. You can set these
parameters somewhere in the GUI.)
 
John Scherff



------------------------------

Message: 9
Date: Thu, 22 Sep 2005 09:43:05 +1000
From: "John Laterra (MC/EPA)" <john.laterra@ericsson.com>
Subject: Linux install question
To: Nessus@list.nessus.org
Message-ID: <CF3A6B018CD5844BA8C3FC7E059725BF0664CE23@eaubrnt018.epa.ericsson.se>
Content-Type: text/plain;       charset="iso-8859-1"

Hi all,

I am new to Linux and nessus, I have been using a windows version of the
scanner NewT.

I would like to make a bootable disc of the Linux version so I could
use it on my notebook.

Can anyone help or point me to instructions on how to go about doing this.

Many Thanks.

 
Regards
John 




------------------------------

Message: 10
Date: Wed, 21 Sep 2005 23:31:37 -0700
From: "John Scherff" <JScherff@24hourfit.com>
Subject: RE: Linux install question
To: "John Laterra (MC/EPA)" <john.laterra@ericsson.com>,
        <nessus@list.nessus.org>
Message-ID:
        <169658C0C845EC438759DB8B8BC706544B65E4@NOC-EXCH1.24hourfit.com>
Content-Type: text/plain; charset="iso-8859-1"

John, 

You don't need to make one.  Do a google on Knoppix.  Knoppix (in the
generic sense - there are a few of `em) is a canned distribution of
Linux in a single bootable ISO image.  You create the CD (or for recent
versions, DVD), pop it into your Windoze computer, and reboot.  Voilà!
You have Linux with a bunch of handy utilities pre-installed.  For IT
Security, Knoppix-STD (which stands for Security Tools Distribution) is
a good one, and has nessus and nmap pre-installed.  You can find it at
http://www.knoppix-std.org.  One caveat: most of the tools have newer
versions out now.

For more information about the Knoppix project, visit Klaus Knopper's
web site at http://www.knopper.net/knoppix/index-en.html (unless German
is your primary language, in which case you should go to
http://www.knoppix.org).

If Knoppix turns out not to be your thing, then check out
DistroWatch.com.  There are a few bootable CD/DVD versions of various
*nixes there.

R/ John Scherff
24 Hour Fitness
It's the way we make you feel - you^24



------------------------------

Message: 11
Date: Thu, 22 Sep 2005 13:31:59 +0200
From: "J.K." <nessus@evas.nl>
Subject: Re: some preferences not provided from the nessus daemon?
To: nessus@list.nessus.org
Message-ID: <4332962F.3090302@evas.nl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

George A. Theall wrote:

> On Wed, Sep 21, 2005 at 03:27:30PM +0200, J.K. wrote:
>
>> We are using the NTP/1.2 protocol to get the preferences from the nessus
>> daemon.
>> The following options, that are available in the Nessus interface, are
>> not provided when you ask the preferences from the daemon:
>>
>> - unscanned_closed
>> - reverse_lookup
>
> Are they specified in nessusd.conf? If they are, they should appear in
> the response to a PREFERENCES message.
>
> George


The values are not specified in the nessusd.conf. After adding them to
the nessusd.conf they indeed appear in the response to a PREFERENCES
message.
Shouldn't these values be present in the default configuration of
nessusd.conf? Is this a bug or standard (documented) behaviour?

Thanks in advance.

J.K.




------------------------------

Message: 12
Date: Thu, 22 Sep 2005 16:57:11 +0200
From: saverio.ferraro@fastwebnet.it
Subject: Plugins Peer to Peer family
To: nessus@list.nessus.org
Message-ID: <42F8A94300032045@ms001msg.mail.fw>
Content-Type: text/plain; charset="iso-8859-1"

hi,

DC++ Detection   ID 18016
eMule            ID 12233

Limewire is installed   ID 11427
Morpheus         ID 10751

I want to know why they don't detect the peer to peer installed on a
windows machine?


Thanks




------------------------------

Message: 13
Date: Thu, 22 Sep 2005 16:26:36 +0100
From: Hubert Seiwert <hubert@westpoint.ltd.uk>
Subject: Re: Plugins Peer to Peer family
To: saverio.ferraro@fastwebnet.it
Cc: nessus@list.nessus.org
Message-ID: <4332CD2C.1040402@westpoint.ltd.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

saverio.ferraro@fastwebnet.it wrote:

> I want to know why they don't detect the peer to peer installed on
> a windows machine?

> DC++ Detection   ID 18016

This is a registry check - you need to enable remote registry access and
give Nessus Windows login credentials for this plugin to detect that DC++ is
installed.

> eMule            ID 12233

This should work if the host is running a version that opens port 4711
and displays an "eMule" banner

> Limewire is installed   ID 11427

Also a registry check.

> Morpheus         ID 10751

Another registry check.

-- 
Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028


------------------------------

Message: 14
Date: Thu, 22 Sep 2005 11:28:38 -0400
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Plugins Peer to Peer family
To: nessus@list.nessus.org
Message-ID: <4332CDA6.7090605@tenablesecurity.com>
Content-Type: text/plain; charset=us-ascii

On Thu, Sep 22, 2005 at 04:57:11PM +0200, saverio.ferraro@fastwebnet.it wrote:

> DC++ Detection   ID 18016
> eMule            ID 12233
>
> Limewire is installed   ID 11427
> Morpheus         ID 10751
>
> I want to know why they don't detect the peer to peer installed on
> a windows machine?

In theory, they should.

The DC++ and Limewire plugins require SMB credentials to do a registry
check so make sure that you've set up Nessus for local checks of your
Windows systems.

The other two look at the headers returned from web servers embedded in
the software and hence don't require credentials. If you're having
trouble detecting those two, post packet dumps from trying a GET request
for the initial page on the appropriate host/port.

George
-- 
theall@tenablesecurity.com


------------------------------

Message: 15
Date: Thu, 22 Sep 2005 11:38:08 -0400
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: some preferences not provided from the nessus daemon?
To: nessus@list.nessus.org
Message-ID: <4332CFE0.1010502@tenablesecurity.com>
Content-Type: text/plain; charset=us-ascii

On Thu, Sep 22, 2005 at 01:31:59PM +0200, J.K. wrote:

> Shouldn't these values be present in the default configuration of
> nessusd.conf? Is this a bug or standard (documented) behaviour?

Surprisingly, it is documented as behaving this way. In
doc/ntp/ntp_white_paper_11.txt, in the section describing the
PREFERENCES message, you'll find the following note - "In fact, the
server will send to the client the content of the file nessusd.conf".


George
-- 
theall@tenablesecurity.com


------------------------------

Message: 16
Date: Thu, 22 Sep 2005 08:51:10 -0700
From: "John Scherff" <JScherff@24hourfit.com>
Subject: RE: Trying to connect remotly fron Win 2003 to Nessus on
        Linux
To: <salamlinux@free.fr>
Cc: nessus@list.nessus.org
Message-ID:
        <169658C0C845EC438759DB8B8BC70654D6D963@NOC-EXCH1.24hourfit.com>
Content-Type: text/plain; charset="us-ascii"

Salam,

Long answer: 

Iptables and netfilter (the kernel component of iptables) is a
host-based firewall for UNIX-like operating systems.  More specifically,
it is a stateful packet filter. (It has no application intelligence -
yet).

It's true that your broadband router gives you some protection against
the many threats lurking on the Internet, but in IT Security, we like to
take a defense-in-depth posture.  Defense-in-depth means setting up
multiple layers of hurdles between the bad guy and the stuff you value.


For example, your broadband router (your first layer of defense) keeps
out most direct attack vectors from outside your home network, but what
if you or your wife/son/daughter/significantother downloads a game
infected with a virus or worm?  Now the "bad guy" is inside.  What if
the payload of that virus surreptitiously opens a covert channel (e.g.,
a VPN connection of some type) to a "bad guy" computer?  He now has
unfettered access to your protected network.  But if you have host-based
firewalls (your second layer of defense) installed and running on all
your computers, and if your operating systems are hardened and otherwise
pretty secure, he's going to have a hard time doing anything
significant.  

If you have any ports open on your host-based firewalls - say, SSH,
HTTP, HTTPS, FTP (the ones I remember seeing in your iptables dump) and
now Nessus, these represent an entry point through your second layer of
defense; however, if you keep your patches up-to-date and use very
strong passwords - e.g., minimum of 8 characters with a mixture of
uppercase, lowercase, numbers, special characters, and punctuation -
then you have an effective third layer of defense to keep the threats
out.

Note also that a broadband router combined with wireless opens up
another avenue of attack.  If you don't use wireless encryption, or if
you do use it but you have a vulnerable wireless AP (like some Linksys
firmware versions), you have an open door into your home network.  Even
if you're using 128-bit WEP, wardrivers and neighbors can hack into your
network with tools like AirSnort (granted, it takes a lot of time and a
lot of traffic for them to do that).  Use WPA instead.

Short answer: 

Keep iptables running.  It is your friend.

John Scherff
24 Hour Fitness
It's the way we make you feel - you^24

P.S., while I'm thinking about it, turn uPnP off on your broadband
router, and make sure external web access is turned off, too.

-----Original Message-----
From: Salam Y. ELIAS [mailto:salamlinux@free.fr] 
Sent: Thursday, September 22, 2005 4:16 AM
To: John Scherff
Subject: RE: Trying to connect remotly fron Win 2003 to Nessus on Linux

Wonderful, so many thanks for your help.
However, there is something I don't catch, is iptables a service related
to TCP/IP networking stuff or a firewall that its name is iptables?

As I said, I have a router/Firewall ADSL Broadband which all my servers
are behind and it acts like a DHCP as well. So should I, or do I need
really iptables running?
On the other server, I stopped the firewall that ships with Win 2003
because I think the router/firewall is sufficient, NO?

Salam

------------------------------

End of Nessus Digest, Vol 23, Issue 20
**************************************