The Nessus website is http://www.nessus.org/
Note: The "#" and "$" characters before commands represents your system prompt and is not part of the command itself. "#" indicates a command issued as root while "$" indicates a command issued as a normal user.
Note 2: If you install software, update your environment as root and the change is not immediately available try typing rehash at the root shell prompt. This is only necessary when running a C shell (e.g., like /bin/csh).
Nessus installation using ports
You need to be root to do this. If you install the Nessus package you'll find that it doesn't come with a GUI. You want a GUI with Nessus, so we instal from ports. The Nessus website has good documentation on setting up Nessus post installation starting here:
http://www.nessus.org/demo/index.php?step=1Now to install do this:
Nessus will compile for quite some time. While it's doing this we'll take this chance to talk about what Nessus does and, possibly show it in action from your instructor's machine.# cd /usr/ports/security/nessus
# make install
Now that the main Nessus program has compiled we still need to compile the plugins for Nessus. We do this separatel by typing:
This, also, takes some time. You should see an indication that over 2,000 plugins were compiled! Don't forget to type:# cd /usr/ports/security/nessus-plugins
# make install
# rehash
if you are using a C-shell.
Before you can run the Nessus daemon you need to make a local ssl certificate. To do this type:
# nessus-mkcert
You will be presented with several questions to answer. Here are the screens and the responses you should give:
-------------------------------------------------------------------------------
                        Creation of the Nessus SSL Certificate
-------------------------------------------------------------------------------
This script will now ask you the relevant information to create the SSL
certificate of Nessus. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to yourNessus daemon will be able to retrieve this information.
CA certificate life time in days [1460]: RETURN
Server certificate life time in days [365]: RETURN
Your country (two letter code) [FR]: fj
Your state or province name [none]:
Your location (e.g. town) [Paris]: Nadi
Your organization [Nessus Users United]: PacNOG Workshop
If certficate generation works you should get a screen that looks like this:
-------------------------------------------------------------------------------
                        Creation of the Nessus SSL Certificate
-------------------------------------------------------------------------------
Congratulations. Your server certificate was properly created.
/usr/local/etc/nessus/nessusd.conf updated
The following files were created :
. Certification authority :
   Certificate = /usr/local/com/CA/cacert.pem
   Private key = /usr/local/var/CA/cakey.pem
. Nessus Server :
    Certificate = /usr/local/com/CA/servercert.pem
    Private key = /usr/local/var/CA/serverkey.pem
Press [ENTER] to exit
Now we need to create a Nessus userid that we can use when connecting to the Nessus server. This userid is separate from any system userid you may have. To do this type:
# nessus-adduser
Now you'll be presented with multiple choices to fill in. Follow the example below to create the Nessus userid pacnog with appropriate network filtering for our local network.
You could enable Nessus to boot every time you start your machine by adding the following line to your /etc/rc.conf file:Login : pacnog Authentication (pass/cert) [pass] : RETURN Login password : Login password (again) : User rules ---------- nessusd has a rules system which allows you to restrict the hosts that pacnog has the right to test. For instance, you may want him to be able to scan his own host only. Please see the nessus-adduser(8) man page for the rules syntax Enter the rules for this user, and hit ctrl-D once you are done : (the user can have an empty rules set) accept 202.62.122.0/27 default deny Login : pacnog Password : *********** DN : Rules : accept 202.62.122.0/27 default deny Is that ok ? (y/n) [y] user added
but, I would recommend against this unless you plan on using this machine heavily as a Nessus scanner.nessusd_enable="YES"
Now you can start the Nessus daemon:
# nessusd -D
Now as a user other than root connect to the Nessus server on your local machine using the Nessus program:
$ nessus &
In the opening screen enter in the Nessus Login name you created (not your account name) and password, then press the "Log in" button.
At this point you could read in detail about configuring Nessus to be used exactly as you want here:
http://www.nessus.org/demo/index.php?step=2Or, you can follow these quick steps to run an initial scan using Nessus:
As you may note as you read through your report, Nessus has up-to-date security vulnerabilities listed via their web site.
You can configure Nessus using cron and by going to:
http://www.nessus.org/register/to get a "full plugin feed" and to stay up-to-date at all times if you wish. You will receive an activation code via email for plugins if you register your Nessus installation at the site above.
Hervey Allen