NESSUSD(8)                       User Manuals                       NESSUSD(8)

NAME
       nessusd - The server part of the Nessus Security Scanner

SYNOPSIS
       nessusd [-v] [-h] [-c config-file] [-S ip[,ip2,...]] [-a address] [-p
       port-number] [-D] [-d] [-R] [-P] [-q]

DESCRIPTION
       The Nessus Security Scanner is a security auditing tool made up of two
       parts: a server and a client. The server, nessusd, is in charge of the
       attacks, while the client, nessus, interfaces with the user.

       nessusd inspects the remote hosts and attempts to list all the
       vulnerabilities and common misconfigurations that affect them.

OPTIONS
       -c <config-file>, --config-file=<config-file>
              Use the alternate configuration file instead of
              /etc/nessus/nessusd.conf

       -a <address>, --listen=<address>
              Tell the server to only listen to connections on the address
              <address>, which is an IP, not a machine name. For instance,
              "nessusd -a 192.168.1.1" will make nessusd only listen to
              requests going to 192.168.1.1. This option is useful if you are
              running nessusd on a gateway and you don't want people on the
              outside to connect to your nessusd.

       -S <ip[,ip2,...]>, --src-ip=<ip[,ip2,...]>
              Force the source IP of the connections established by Nessus to
              <ip>. Checks need to fully establish a connection to the remote
              host, so this option is only useful if you have a multi-homed
              machine with multiple public IP addresses that you would like to
              use instead of the default one. Example: "nessusd -S
              192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4" will make
              nessusd establish connections with a source IP of one among
              those listed above. For this setup to work, the host running
              nessusd should have multiple NICs with these IP addresses set.

       -p <port-number>, --port=<port-number>
              Tell the server to listen for connections on port
              <port-number> rather than on port 1241 (default).

       -D, --background
              Make the server run in the background (daemon mode).

       -q, --quiet
              Prevent the server from printing the loading status of the
              plugins at startup.

       -d, --dump-cfg
              Make the server dump its compilation options.

       -v, --version
              Write the version number and exit.

       -R, --recompile
              Compile every .nasl plugin as a binary file and exit.

       -h, --help
              Show a summary of the commands.

CONFIGURATION FILE
       The default nessusd configuration file, /etc/nessus/nessusd.conf,
       contains these options:

       plugins_folder
              Contains the location of the plugins folder. This is usually
              /var/lib/nessus/plugins, but you may change this.

       logfile
              Path to the logfile (set it to stderr if you want the nessusd
              logs to be written on stderr). Because nessusd is a sensitive
              program, you should keep your logs.

       max_hosts
              The maximum number of hosts to test at the same time, which is
              given to the client (which can override it). This value must be
              computed given your bandwidth, the number of hosts you want to
              test, your amount of memory and the horsepower of your
              processor(s).

       max_checks
              The number of plugins that will run against each host being
              tested. Note that the total number of processes will be
              max_checks x max_hosts, so you need to find a balance between
              these two options. Note that launching too many plugins at the
              same time may disable the remote host, either temporarily (i.e.
              inetd closes its ports) or definitely (the remote host crashes
              because it is asked to do too many things at the same time), so
              be careful.

       be_nice
              If this option is set to 'yes', then each child forked by
              nessusd will nice(2) itself to a very low priority. This may
              speed up your scan, as the main nessusd process will be able to
              continue to spawn processes, and it guarantees that nessusd does
              not deprive other important processes of their resources.

       log_whole_attack
              If this option is set to 'yes', nessusd will store the name,
              pid, date and target of each plugin launched. This is helpful
              for monitoring and debugging purposes; however, this option
              might make nessusd fill your disk rather quickly.

       log_plugins_name_at_load
              If this option is set to 'yes', nessusd will log the name of
              each plugin being loaded at startup, or each time it receives
              the HUP signal.

       dumpfile
              Some plugins might issue messages, most of the time to inform
              you that something went wrong. If you want to read these
              messages, set this value to a given file name. If you want to
              save space, set this option value to /dev/null.

       cgi_path
              By default, nessusd looks for default CGIs in /cgi-bin and
              /scripts. You may change these to something else to reflect the
              policy of your site. The syntax of this option is the same as
              the shell $PATH variable: path1:path2:...

       port_range
              This is the default range of ports that the scanner plugins will
              probe. The syntax of this option is flexible: it can be a single
              range ("1-1500"), several ports ("21,23,80") or several ranges
              of ports ("1-1500,32000-33000"). Note that you can specify UDP
              and TCP ports by prefixing each range with T or U. For instance,
              the following range will make nessusd scan UDP ports 1 to 1024
              and TCP ports 1 to 65535: "T:1-65535,U:1-1024".

       optimize_test
              By default, nessusd does not trust the remote host banners. This
              means that it will check a web server claiming to be IIS for
              Apache flaws, and so on. This behavior might generate false
              positives and will slow the scan down somewhat. If you are sure
              the banners of the remote host have not been tampered with, you
              can safely enable this option, which will force the plugins to
              perform their job only against the services they have been
              designed to check.

       checks_read_timeout
              Number of seconds that the security checks will wait for when
              doing a recv(). You should increase this value if you are
              running nessusd across a slow network link (testing a host via
              a dialup connection, for instance).

       non_simult_ports
              Some services (in particular SMB) do not appreciate multiple
              connections at the same time coming from the same host. This
              option allows you to prevent nessusd from making two connections
              on the same given ports at the same time. The syntax of this
              option is "port1[, port2....]". Note that you can use the KB
              notation of nessusd to designate a service formally. Ex: "139,
              Services/www" will prevent nessusd from making two connections
              at the same time on port 139 and on every port which hosts a web
              server.

       plugins_timeout
              This is the maximum lifetime, in seconds, of a plugin. It may
              happen that some plugins are slow because of the way they are
              written or the way the remote server behaves. This option allows
              you to make sure your scan is never caught in an endless loop
              because of a non-finishing plugin.

       safe_checks
              Most of the time, nessusd attempts to reproduce an exceptional
              condition to determine if the remote services are vulnerable to
              certain flaws. This includes the reproduction of buffer
              overflows or format string bugs, which may make the remote
              server crash. If you set this option to 'yes', nessusd will
              disable the plugins which have the potential to crash the
              remote services, and will at the same time make several checks
              rely on the banner of the service tested instead of its
              behavior towards a certain input. This reduces false positives
              and makes nessusd nicer towards your network; however, this may
              make you miss important vulnerabilities (as a vulnerability
              affecting a given service may also affect another one).

       auto_enable_dependencies
              Nessus plugins use the results of each other to execute their
              job. For instance, a plugin which logs into the remote SMB
              registry will need the results of the plugin which finds the
              SMB name of the remote host and the results of the plugin which
              attempts to log into the remote host. If you want to only select
              a subset of the plugins available, tracking the dependencies can
              quickly become tiresome. If you set this option to 'yes',
              nessusd will automatically enable the plugins that are depended
              on.

       use_mac_addr
              Set this option to 'yes' if you are testing your local network
              and each local host has a dynamic IP address (affected by DHCP
              or BOOTP); all the tested hosts will then be referred to by
              their MAC address.

       plugin_upload
              Set this option to 'yes' if you want to let nessusd users upload
              their own plugins. Note that the plugins they upload will end up
              in their nessusd home directory, so they won't be shared among
              users (except if the user who uploads the plugins is the one
              declared in the option 'admin_user').

       admin_user
              The user listed in this option will upload his plugins into the
              global nessus plugins directory, and they will be shared by
              every other user.

       rules  Path to the rules database.

       The other options in this file can usually be redefined by the
       client.

USERS
       The utility nessus-adduser(8) creates new nessusd users. Each nessusd
       user is attributed a "home", in @NESSUS_STATEDIR@/users/<username>.
       This home contains the following directories:

       auth/  This directory contains the authentication information for
              this user. It might contain the file 'dname' if the user is
              authenticating using a certificate, or 'hash' (or 'passwd') if
              the user is authenticating using a password. The file 'hash'
              contains an MD5 hash of the user password, as well as a random
              seed. The file 'password' should contain the password in clear
              text.

              This directory also contains the file 'rules', which contains
              the rules which apply to this user.

              The content of this directory can not be altered by the user in
              any way whatsoever.

       kbs/   This directory contains the knowledge base (KB) of each host
              tested by this user, if the user has enabled the option
              'save_kb'.

       sessions/
              This directory contains the list and contents of the sessions
              done by this user.

       plugins/
              This directory contains the plugins this user uploaded.

       When a user attempts to log in, nessusd first checks that the
       directory @NESSUS_STATEDIR@/users/<username> exists, then hashes the
       password sent by the user with the random salt found in
       <username>/auth/hash, and compares it with the password hash stored in
       the same file. If the user authenticates using a certificate, then
       nessusd checks that the certificate has been signed by a recognized
       authority, and makes sure that the dname of the certificate shown by
       the user is the same as the one in <username>/dname.

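       The password login sequence above (home directory must exist, re-hash
       the supplied password with the stored salt, compare with the stored
       digest), written out as an added Python example. This is not code from
       nessusd; the page does not give the exact layout of auth/hash, so the
       example assumes one line of the form "<md5 hexdigest> <salt>" with the
       digest computed over salt + password, and the username check before
       building the path is an addition of this example.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Assumed on-disk layout (not specified on the page): auth/hash holds a single
# line "<md5 hexdigest> <salt>" where the digest is MD5(salt + password).
# MD5 is what the page documents for this 2004-era daemon; a current
# deployment would store a password-KDF output (scrypt, argon2) instead.


def make_hash_entry(password, salt=None):
    """Build the contents of auth/hash for a new user (what nessus-adduser would write)."""
    salt = salt if salt is not None else secrets.token_hex(8)
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"{digest} {salt}"


def check_password(entry, password):
    """Re-hash the supplied password with the stored salt; compare in constant time."""
    parts = entry.split()
    if len(parts) != 2:
        return False  # malformed or empty hash file: never authenticate
    stored, salt = parts
    computed = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored, computed)


def authenticate(statedir, username, password):
    """Mirror the documented login order: user home must exist, then hash must match."""
    # The username becomes a path component, so refuse anything that could
    # escape users/ (how nessusd validates names is not stated on the page).
    if not username or "/" in username or "\\" in username or username in (".", ".."):
        return False
    home = os.path.join(statedir, "users", username)
    if not os.path.isdir(home):
        return False
    try:
        with open(os.path.join(home, "auth", "hash"), encoding="utf-8") as fh:
            entry = fh.read().strip()
    except OSError:
        return False
    return check_password(entry, password)


def demo():
    """Create a throw-away state directory with one constructed user and exercise authenticate()."""
    statedir = tempfile.mkdtemp(prefix="nessus-demo-")
    auth_dir = os.path.join(statedir, "users", "alice", "auth")
    os.makedirs(auth_dir)
    with open(os.path.join(auth_dir, "hash"), "w", encoding="utf-8") as fh:
        fh.write(make_hash_entry("correct horse", salt="d3adb33f") + "\n")
    return {
        "good": authenticate(statedir, "alice", "correct horse"),
        "wrong_password": authenticate(statedir, "alice", "battery staple"),
        "unknown_user": authenticate(statedir, "bob", "correct horse"),
        "traversal": authenticate(statedir, "../alice", "correct horse"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if result else 'refused'}")
```

       Note that a missing or malformed hash file refuses the login rather
       than falling through, and that the digest comparison uses
       hmac.compare_digest so that response time does not depend on how many
       leading characters of the digest match.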
       To remove a given user, use the command nessus-rmuser(8).

RULES
       A rule always has the same format, which is:

              keyword IP/mask

       Keyword is one of reject, accept or default.

       In addition to this, the IP address may be preceded by an exclamation
       mark (!), which means "not". There are three sources of rules:

       ·   the rules database, which applies to every user

       ·   the user's database rules, which apply to one user

       ·   the user's rules, defined by the user in the client

       You must know that there is a priority in the rules: the user can not
       extend his privileges, but can only lower them (that is, he can only
       restrict the set of hosts he is allowed to test).

RULES DATABASE
       The rules database contains the system-wide rules, which apply to
       every user. Its syntax has been defined in the previous section.
       Example:

              accept 127.0.0.0/8
              reject 192.168.1.1/32
              reject !192.168.0.0/16
              default reject

       This allows the user to test localhost, and all the hosts on
       192.168.0.0/16, except 192.168.1.1/32.

       The rules accept the special keyword client_ip, which is replaced, at
       connection time, by the IP of the user who logs in. If you want
       everyone to test his own box only, then you can do:

              accept client_ip/32
              default reject

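       An added Python example (not nessusd's own rules code) that implements
       the rule syntax of the two sections above: "keyword IP/mask" lines,
       "!" negation, the "default" line, substitution of client_ip at
       connection time, and the priority rule that a lower layer (the user's
       database rules, the rules sent by the client) can only restrict what
       the system-wide database permits. The example assumes that the first
       rule matching a host decides, that a negated rule matches hosts outside
       its network, and that the fallback when no "default" line is present
       is accept; none of these three details is stated on the page.

```python
import ipaddress

KEYWORDS = ("accept", "reject", "default")


def parse_rules(text, client_ip=None):
    """Parse a rules file. Returns (rules, default) where rules is a list of
    (keyword, negated, network) tuples in file order. client_ip is the
    address of the connecting user and replaces the 'client_ip' keyword.
    Assumption: the fallback without a 'default' line is 'accept'."""
    rules, default = [], "accept"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in KEYWORDS:
            raise ValueError(f"line {lineno}: malformed rule {line!r}")
        keyword, target = parts
        if keyword == "default":
            if target not in ("accept", "reject"):
                raise ValueError(f"line {lineno}: bad default {target!r}")
            default = target
            continue
        negated = target.startswith("!")
        if negated:
            target = target[1:]
        if target.split("/", 1)[0] == "client_ip":
            if client_ip is None:
                raise ValueError(f"line {lineno}: client_ip used outside a connection")
            target = target.replace("client_ip", client_ip, 1)
        # strict=False tolerates host bits set in a network spec (e.g. 10.1.2.3/8)
        network = ipaddress.ip_network(target, strict=False)
        rules.append((keyword, negated, network))
    return rules, default


def evaluate(parsed, host):
    """Apply one rule set to a host: first matching rule decides, else the default.
    Assumption: a negated rule matches every address outside its network."""
    rules, default = parsed
    addr = ipaddress.ip_address(host)
    for keyword, negated, network in rules:
        if (addr in network) != negated:
            return keyword
    return default


def allowed(rule_sets, host):
    """Combine the system database, the user's database rules and the client's
    rules: a host is testable only if every layer accepts it, so a lower
    layer can restrict the set of hosts but never extend it."""
    return all(evaluate(parsed, host) == "accept" for parsed in rule_sets)


if __name__ == "__main__":
    # Constructed inputs: the two rule files shown in the RULES DATABASE section.
    system = parse_rules(
        "accept 127.0.0.0/8\nreject 192.168.1.1/32\nreject !192.168.0.0/16\ndefault reject\n"
    )
    own_box = parse_rules("accept client_ip/32\ndefault reject\n", client_ip="10.0.0.5")
    for host in ("127.0.0.1", "192.168.1.1", "10.1.1.1"):
        print(host, evaluate(system, host))
    print("10.0.0.5 from 10.0.0.5:", evaluate(own_box, "10.0.0.5"))
    print("10.0.0.6 from 10.0.0.5:", evaluate(own_box, "10.0.0.6"))
```

       Run evaluate() against your own rules database for the hosts you
       expect to be permitted and refused: everything a rule does not match
       is decided by rule order and the "default" line, so a rules file that
       reads correctly may still not permit what was intended.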
NETWORK USAGE
       Bear in mind that Nessus can be quite network intensive. Even though
       the Nessus developers have taken every effort to avoid packet loss
       (including transparently resending UDP packets, waiting for data to be
       received in TCP connections, etc.), bandwidth use should always be
       closely monitored: with current server hardware, bandwidth is usually
       the bottleneck in a Nessus scan. It might not become too apparent in
       the final reports (scanners will still run, holes might be detected),
       but you will risk running into false negatives (i.e. Nessus will not
       report a security hole that is present in a remote host).

       Users might need to tune the Nessus configuration if running the
       server in low bandwidth conditions (low being 'less bandwidth than the
       one your hardware system can produce'), or otherwise they will get
       erratic results. There are several parameters that can be modified to
       reduce network load:

       checks_read_timeout
              (Introduced in Nessus 0.99.4) The default value is set to 5
              seconds; that can (should) be increased in the nessus.conf or
              nessusrc configuration files if network bandwidth is low. Notice
              that it is recommended to increase this value to over 10
              seconds if you are running a test outside your LAN (i.e. to
              Internet hosts through an Internet connection).

       max_hosts
              Number of hosts to test at the same time (this value is set by
              the Nessus GUI client or by .nessusrc). It can be as low as you
              want it to be (obviously 1 is the minimum).

       max_checks
              Number of checks to run at the same time (this value is also set
              by the Nessus GUI client or by .nessusrc). It can be as low as
              you want it to be, and it will also reduce network load and
              improve performance (obviously 1 is the minimum). Notice that
              the Nessus server will spawn max_hosts * max_checks processes.

       Other options might be using the QoS features offered by your server
       operating system or your network to improve the bandwidth use.

       It is not easy to give a bandwidth estimate for a Nessus run; you will
       probably need to make your own counts. However, assume you test 65536
       TCP ports. This will require at least a single packet per port that is
       at least 40 bytes large. Add 14 bytes for the ethernet header and you
       will send 65536 * (40 + 14) = 3670016 bytes. So for just probing all
       TCP ports we may need a multitude of this, as nmap will try to resend
       the packets twice if no response is received.

       A very rough estimate is that a full scan for UDP, TCP and RPC as well
       as all NASL scripts may result in 8 to 32 MB worth of traffic per
       scanned host. Reducing the amount of tested ports and such will reduce
       the amount of data to be transferred significantly.

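       An added Python example, not part of the original page or of Nessus,
       that serves two passages at once: it parses the port_range syntax from
       the CONFIGURATION FILE section (single ranges, port lists, several
       ranges, T:/U: prefixes) and then applies the per-port arithmetic of
       the bandwidth paragraph above (one packet of at least 40 bytes plus a
       14-byte Ethernet header per probed port, times the number of send
       attempts) to produce a lower bound on probe traffic for a given
       port_range value. It assumes that an item without a T: or U: prefix
       is a TCP range and that a prefix applies only to the item it is
       attached to; the page does not say either way.

```python
def parse_port_range(spec):
    """Parse the nessusd port_range syntax into (tcp_ports, udp_ports) sets.
    Items are comma separated; each is a single port or a lo-hi range,
    optionally prefixed with T: or U:. Assumption: unprefixed items are TCP."""
    tcp, udp = set(), set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        proto = "T"
        if ":" in item:
            prefix, item = item.split(":", 1)
            proto = prefix.strip().upper()
            if proto not in ("T", "U"):
                raise ValueError(f"unknown protocol prefix {prefix!r}")
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range {item!r}")
        (tcp if proto == "T" else udp).update(range(lo, hi + 1))
    return tcp, udp


def estimate_probe_bytes(spec, packet_bytes=40, link_header_bytes=14, attempts=1):
    """Lower bound on bytes sent just to probe every port in spec, following the
    page's arithmetic of one packet per port plus the Ethernet header.
    attempts=3 models the initial probe plus the two resends mentioned above."""
    tcp, udp = parse_port_range(spec)
    return (len(tcp) + len(udp)) * (packet_bytes + link_header_bytes) * attempts


if __name__ == "__main__":
    # Constructed port_range values taken from the syntax examples on this page.
    for spec in ("1-1500", "21,23,80", "1-1500,32000-33000", "T:1-65535,U:1-1024"):
        tcp, udp = parse_port_range(spec)
        print(f"{spec:>22}: {len(tcp):5d} TCP, {len(udp):4d} UDP ports, "
              f">= {estimate_probe_bytes(spec, attempts=3):,} bytes with 3 attempts")
```

       The figure is only the probe traffic for port discovery; the 8 to 32
       MB per host quoted above for a full scan with all NASL scripts is
       dominated by the plugins themselves, so use this number to compare
       port_range settings against each other rather than as a total.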
SEE ALSO
       nessus(1), nessus-adduser(8), nessus-rmuser(8), nessus-mkcert(8)

MORE INFORMATION
       The canonical places where you will find more information about the
       Nessus project are:

              http://www.nessus.org/  (Official site)
              http://cvs.nessus.org/  (Developers site)
              http://list.nessus.org/ (Mailing lists)

AUTHOR
       nessusd was written by Renaud Deraison <deraison@cvs.nessus.org>

The Nessus Project               February 2004                      NESSUSD(8)