Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Nessus Scan Against Linux Box?

Posted on 2010-11-23
12
Medium Priority
?
1,275 Views
Last Modified: 2013-11-15
I installed Nessus 4.4 Homefeed on an Ubuntu 10.04 machine. I can run scans against Windows machines and get good data from the test. I've tried running scans against Linux machines but never find any high vulnerabilities. At first I thought it was a credential problem so I tried running scans against the localhost where Nessus is installed and get similar results (no high vulnerabilities). I've entered the correct root password in the SSH section to no avail.

I thought that maybe.. just maybe my Linux system was secure and up to date. So I installed a fresh copy of Ubuntu 8.04 in a VM then installed Nessus 4.4 in it. I created a new policy with all plugins enabled and tried with both blank credentials and root credentials but no high vulnerabilities are detected. I've tried this on several different Ubuntu systems and get the similar results (never any high vulnerabilities). I know this Ubuntu instance is vulnerable because the Ubuntu Update Manager tells me I'm missing 263 "Important Security Updates".

When I run the scans, I've tried using both my local eth0 IP address and "localhost" as the target. Am I missing something? Am I doing something wrong?
0
Comment
Question by:ro6ot
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
  • 2
  • +1
12 Comments
 
LVL 12

Expert Comment

by:hfraser
ID: 34202500
It sounds like you're doing things correctly. I'm assuming from your description that Nessus is finding some other issues so you know it's scanning; it will normally skip any target it can't ping.

Check the target log files to see if there are some obvious issues, like root login disabled from remote sites.

One of the secure installations I have included connection throttling rules in iptables to drop connections if a host makes multiple connections in a short period of time. Check iptables after doing a Nessus scan to see if it's being dropped.
0
 
LVL 1

Author Comment

by:ro6ot
ID: 34202602
I just checked /etc/ssh/sshd_config and "PermitRootLogin" is set to "yes"

I manually turned off the firewall so I don't think any rules are dropping the connection.  I find lots of low vulnerabilities but never any high one.
0
 
LVL 12

Expert Comment

by:hfraser
ID: 34215101
Check to make sure you've got the correct Linux policies/plugins enabled. Also, not all plugins require authentication, so it's entirely possible to get results without a successful login. But to check patches, updates, etc., the login as root does need to work, so double check the credentials in your scan.
0
WEBINAR - Latest Cyber Tips for Defense

Join the WatchGuard Threat Research Team on October 26th for an informative webinar featuring expert tips and tricks for defending your organization from today's latest cyber threats. Don't leave yourself vulnerable to attack. Register for the webinar today!

 
LVL 1

Author Comment

by:ro6ot
ID: 34215240
I've made sure all the plugins are enabled and I verified the root credentials. Something is blocking the scan but I can't figure out what it is.
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 34226615
I would use tcpdump to monitor what kind of tests Nessus is running. Missing 263 "Important Security Updates" may just be showing you the difference between security expectations between Linux and Windows.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 34227107
If I understand correctly, your Nessus installation works as you expect when you scan a windows box, but just doesn't report serious vulnerabilities when directed against  Linux machines. Your concern seems to be that you know the Linux systems aren't up to date w/respect to patches and that you expect Nessus to find vulnerabilities.

The default configuration of a modern Linux installation isn't going to have but a few essential network services enabled (ICMP ECHO, ssh, etc). Those have been pretty secure from network attacks for quite a while, so it isn't overly surprising the Nessus isn't finding serious vulnerabilities. The updates should be applied, but the may cover other that network vulnerabilities of the may apply to services that aren't enabled on your systems.

 
0
 
LVL 1

Author Comment

by:ro6ot
ID: 34227668
jlevie,

Your assumptions are correct. When I run a local check on this Linux system I do not find any high vulnerabilities but I know that it is in fact missing critical patches that the Nessus Ubuntu plugins should detect.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 34229996
But are you running the services that have network vulnerabilities that a patch(s) address? And do you have evidence that the missing patches should be detected by Nessus?
0
 
LVL 1

Accepted Solution

by:
ro6ot earned 0 total points
ID: 34235750
I figured it out with help from the Nessus forums. I needed to escalate privileges with "su" instead of root.
0
 
LVL 1

Author Comment

by:ro6ot
ID: 34242505
ok
0
 
LVL 1

Author Closing Comment

by:ro6ot
ID: 34272903
I found the solution on another discussion group. I posted the solution so it could help others in the future.
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
What we learned in Webroot's webinar on multi-vector protection.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question