Openvas 9 on Ubuntu 16.04 Setup


After a number of hours of fidling / tweaking i have finally gotten openvas 9 running smoothly including SSH authentication against secure ciphers.  The secure cipher part threw me a bit.  Below is a guide to help those of you struggling as I did.

Basic Installation
  •  Install Ubuntu 16.04LTS
 Make sure you update your newly installed system with the latest patches - security updates.
  • sudo apt-get update
  • sudo apt-get upgrade
  • sudo apt-get dist-upgrade
 Openvas9 is available as a package for Ubuntu 14.04 and Ubuntu 16.04.
  • sudo add-apt-repository ppa:mrazavi/openvas
  • sudo apt-get update
  • sudo apt-get install openvas9
Follow the prompts and answer yes for redis-server install.
Once installed,  run updates on the NVT to ensure you have the latest vulnerability tests.
  • sudo greenbone-nvt-sync
  • sudo greenbone-scapdata-sync
  • sudo greenbone-certdata-sync
The commands above may take a few minutes to run.  Once complete restart the openvas services to ensure they use the updated tests.
  • sudo /etc/init.d/openvas-manager restart
  • sudo /etc/init.d/openvas-scanner restart
There are additional components required to fully utilise openvas,  the best way to find out what is required is to download and use the openvas check tool.  It can be downloaded here.  Once downloaded run the application
  • ./openvas-check-setup --v9 
Once everything has been setup and you now have a fully functioning setup ,you can access the openvas server from your preferred brower @   
  • https://host-ip-address:4000
The default username/password is admin / admin however if the password is somehow set or you need to change the admin password to something more secure (preferable),  use the following command to do so.
  • sudo openvasmd --new-password=my_secure_password --user=admin
In order to run scans and properly identify vulnerabilities on your hosts / networks ,  its best to first setup the necessary credentials.  Go to configuration -> credentails. Click on the star in the top left hand corner to create a new credential.  You will need to setup Windows/SMB as well as Linux credentials for the different hosts within your organization.  Regarding SMB users ive had success with and without the domain name in the username field.

Openvas - SSH Strong Ciphers 

Its best practice to harden your ssh servers and this includes using strong ciphers.  The documentation regarding openvas and strong ciphers or lack thereof threw me for a bit. I couldnt find anything that clearly identified the problem or assisted me in being able to run authenticated tests,  so hopefully this will help you.

Whenever my authenticated checks failed,  I noticed the following errors in my openvassd.messages file. "Failed to set SSH key type 'ssh-ed25519'".
If you view /var/lib/openvas/plugins/ssh_fund.inc it indicates that for ed25519 you need to upgrade to libssh greater than 0.7.

Ubuntu 16.04 uses libssh0.6.3 , to successfully logon to ssh servers using secure ciphers it requires libssh0.7 and greater.  There is a ppa available that upgrades to a later version of libssh, but unfortunately this didnt work for me.  I needed to manually upgrade libssh,  below is the steps i followed.

You need to ensure your system has git,cmake and a few other packages installed.
  • sudo apt-get install git
  • sudo apt-get install build-essential
  • sudo apt-get install cmake
  • sudo apt-get install zlib1g-dev
  • sudo apt-get install libssl-dev
 Next install libssh
  • git clone git://git.libssh.org/projects/libssh.git libssh
  • cd libssh
  • mkdir build
  • cd build
  • cmake -DCMAKE_INSTALL_PREFIX=/usr ..
  • make
  • sudo make install
Link the default installed libssh binaries  to the new installed ones
  • cd  /usr/lib/x86_64-linux-gnu
  • rm libssh.so.4
  • rm libssh_threads.so.4
  • ln -s /usr/lib/libssh.so.4 libssh.so.4
  • ln -s /usr/lib/libssh_threads.so.4 libssh_threads.so.4
 Restart openvas scanner to ensure it uses the new binaries
  • /etc/init.d/openvas-scanner restart







Comments

Post a Comment

Popular posts from this blog

DSTV Now on Amazon Fire TV Stick

Hopefully this tutorial will help others in South Africa get DSTV now running on a Fire TV Stick. The latest version of DSTV Now requires a newer version of Google Play Services to work.  Im not 100% sure whether this too requires the Google Playstore to operate, but Ive included links to a newer version of this as well. There are a number of ways of installing apk files on the fire sticks.  Ive found the simplest is by using the adb options built into the fire stick tv.  Another simple way is to get the downloader app installed on your device and install the packages one by one.  In order to get the system ready for adb following the tutorial supplied by amazon here .  Once ready download the adblink software from here    There are clients for windows mac and inux. Goolge Account Manager 5.1.1743759 Short Link:   http://bit.ly/2bMbGEg Long Link :  http://www.apkmirror.com/apk/google-inc/google-account-manager/google-account-manager-5-1-1743759-release/google-account-manage
Read more

Update Openvas Feeds

To ensure openvas 9 is kept up to date and running the latest tests,  you need to sync the nvt, scap and cert data.  The best way to do this is to create a script that sync's the necessary data. Create a script under /usr/local/bin called update-openvas vi /usr/local/bin/update-openvas add the following contents to the file /usr/sbin/greenbone-nvt-sync /usr/sbin/greenbone-certdata-sync /usr/sbin/greenbone-scapdata-sync /usr/sbin/openvasmd --update --verbose --progress /etc/init.d/openvas-manager restart /etc/init.d/openvas-scanner restart save the file and make it executeable chmod a+x /usr/local/bin/update-openvas run the script to make sure it works and that there are no errors /usr/local/bin/update-openvas add the script to cron to run daily crontab -e add the following contents 1 1 * * * /usr/local/bin/update-openvas 1>/dev/null 2>/dev/null  the above cronjob will be run at 1 minute past 1 every day
Read more

Zabbix - adding apt update checks

Theres a number of articles on the internet on adding checks to package updates for Zabbix and Nagios.  I found the simplest way of doing this on Ubuntu is to use the update-notifier app-check application.   If you run /usr/lib/update-notifier/apt-check it will output the number of packages requiring updates as well as the number of security updates requiring updates. To apply this check to Zabbix add the following to a conf file within your zabbix_agentd.d directory. cd /etc/zabbix/zabbix_agentd.d vi apt_updates.conf  or something meaningfule  add the following content UnsafeUserParameters=1 Timeout=10 UserParameter=apt.available.updates,updates=$(/usr/lib/update-notifier/apt-check 2>&1);echo $updates | cut -d ";" -f 1 UserParameter=apt.security.updates,updates=$(/usr/lib/update-notifier/apt-check 2>&1);echo $updates | cut -d ";" -f 2 restart your zabbix agent The Timeout=10 is required as the script runs for a couple of seconds
Read more