Exercises: Nessus Install and use under FreeBSD: ccTLD Workshop

September 14, 2005

The Nessus website is http://www.nessus.org/

Note: The "#" and "$" characters before commands represents your system prompt and is not part of the command itself. "#" indicates a command issued as root while "$" indicates a command issued as a normal user.

Note 2: If you install software, update your environment as root and the change is not immediately available try typing rehash at the root shell prompt. This is only necessary when running a C shell (e.g., like /bin/csh).

Nessus installation using ports

You need to be root to do this. If you install the Nessus package you'll find that it doesn't come with a GUI. You want a GUI with Nessus, so we instal from ports. The Nessus website has good documentation on setting up Nessus post installation starting here:

Now to install do this:
# cd /usr/ports/security/nessus
# make install
Nessus will compile for quite some time. While it's doing this we'll take this chance to talk about what Nessus does and, possibly show it in action from your instructor's machine.

Now that the main Nessus program has compiled we still need to compile the plugins for Nessus. We do this separately by typing:

# cd /usr/ports/security/nessus-plugins
# make install
This, also, takes some time. You should see an indication that over 2,000 plugins were compiled! Don't forget to type:
# rehash
if you are using a C-shell.

Before you can run the Nessus daemon you need to make a local ssl certificate. To do this type:

# nessus-mkcert
You will be presented with several questions to answer. Here are the screens and the responses you should give:

                        Creation of the Nessus SSL Certificate

This script will now ask you the relevant information to create the SSL
certificate of Nessus. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to yourNessus daemon will be able to retrieve this information.

CA certificate life time in days [1460]: RETURN
Server certificate life time in days [365]: RETURN
Your country (two letter code) [FR]: ke
Your state or province name [none]:
Your location (e.g. town) [Paris]: Nairobi
Your organization [Nessus Users United]: ccTLD Workshop
If certficate generation works you should get a screen that looks like this:
                        Creation of the Nessus SSL Certificate
Congratulations. Your server certificate was properly created.

/usr/local/etc/nessus/nessusd.conf updated

The following files were created :

. Certification authority :
   Certificate = /usr/local/com/CA/cacert.pem
   Private key = /usr/local/var/CA/cakey.pem

. Nessus Server :
    Certificate = /usr/local/com/CA/servercert.pem
    Private key = /usr/local/var/CA/serverkey.pem

Press [ENTER] to exit
Now we need to create a Nessus userid that we can use when connecting to the Nessus server. This userid is separate from any system userid you may have. To do this type:
# nessus-adduser
Now you'll be presented with multiple choices to fill in. Follow the example below to create the Nessus userid ccltd with appropriate network filtering for our local network.
Login : cctld
Authentication (pass/cert) [pass] : RETURN
Login password :
Login password (again) :

User rules
nessusd has a rules system which allows you to restrict the hosts
that sanog has the right to test. For instance, you may want
them to be able to scan their own host only. Note the "nnn.nnn.nnn.0"
prefix should be substituted with our class IP prefix. The "xx" should
be our class allocation, which in this case is a /27. So, our class network is, and we want to only allow the user ccltd to scan in 
our network. This looksl ike this:

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)

default deny

Login             : cctld
Password          : ***********
DN                :
Rules             :
default deny

Is that ok ? (y/n) [y]
user added
You could enable Nessus to boot every time you start your machine by adding the following line to your /etc/rc.conf file:
but, I would recommend against this unless you plan on using this machine heavily as a Nessus scanner.

Now you can start the Nessus daemon:

# nessusd -D
Now as a user other than root connect to the Nessus server on your local machine using the Nessus program:
$ nessus &
In the opening screen enter in the Nessus Login name you created (not your account name) and password, then press the "Log in" button.

At this point you could read in detail about configuring Nessus to be used exactly as you want here:

Or, you can follow these quick steps to run an initial scan using Nessus: If you scan on a subnet, then Nessus will give you meaninful aggregate results on the initial report page.

As you may note as you read through your report, Nessus has up-to-date security vulnerabilities listed via their web site.

You can configure Nessus using cron and by going to:

to get a "full plugin feed" and to stay up-to-date at all times if you wish. You will receive an activation code via email for plugins if you register your Nessus installation at the site above.


Hervey Allen

Last modified: Thu Sep 15 01:14:14 EAT 2005