Openvas 9 on Ubuntu Setup

Sysadmin Ramblings

Basic Installation

  •  Install Ubuntu 16.04LTS

Make sure you update your newly installed system with the latest patches – security updates.

  • sudo apt-get update
  • sudo apt-get upgrade
  • sudo apt-get dist-upgrade

Openvas9 is available as a package for Ubuntu 14.04 and Ubuntu 16.04.

  • sudo add-apt-repository ppa:mrazavi/openvas
  • sudo apt-get update
  • sudo apt-get install openvas9

Follow the prompts and answer yes for redis-server install.
Once installed,  run updates on the NVT to ensure you have the latest vulnerability tests.

  • sudo greenbone-nvt-sync
  • sudo greenbone-scapdata-sync
  • sudo greenbone-certdata-sync

The commands above may take a few minutes to run.  Once complete restart the openvas services to ensure they use the updated tests.

  • sudo /etc/init.d/openvas-manager restart
  • sudo /etc/init.d/openvas-scanner restart

There are additional components required to fully utilise openvas,  the best way to find out what is required is to download and use the openvas check tool.  It can be downloaded here.  Once downloaded run the application

  • ./openvas-check-setup –v9

Once everything has been setup and you now have a fully functioning setup ,you can access the openvas server from your preferred brower @   

  • https://host-ip-address:4000

The default username/password is admin / admin however if the password is somehow set or you need to change the admin password to something more secure (preferable),  use the following command to do so.

  • sudo openvasmd –new-password=my_secure_password –user=admin

In order to run scans and properly identify vulnerabilities on your hosts / networks ,  its best to first setup the necessary credentials.  Go to configuration -> credentails. Click on the star in the top left hand corner to create a new credential.  You will need to setup Windows/SMB as well as Linux credentials for the different hosts within your organization.  Regarding SMB users ive had success with and without the domain name in the username field.

Openvas – SSH Strong Ciphers 

Its best practice to harden your ssh servers and this includes using strong ciphers.  The documentation regarding openvas and strong ciphers or lack thereof threw me for a bit. I couldnt find anything that clearly identified the problem or assisted me in being able to run authenticated tests,  so hopefully this will help you.

Whenever my authenticated checks failed,  I noticed the following errors in my openvassd.messages file. “Failed to set SSH key type ‘ssh-ed25519‘”.
If you view /var/lib/openvas/plugins/ssh_fund.inc it indicates that for ed25519 you need to upgrade to libssh greater than 0.7.

Ubuntu 16.04 uses libssh0.6.3 , to successfully logon to ssh servers using secure ciphers it requires libssh0.7 and greater.  There is a ppa available that upgrades to a later version of libssh, but unfortunately this didnt work for me.  I needed to manually upgrade libssh,  below is the steps i followed.

You need to ensure your system has git,cmake and a few other packages installed.

  • sudo apt-get install git
  • sudo apt-get install build-essential
  • sudo apt-get install cmake
  • sudo apt-get install zlib1g-dev
  • sudo apt-get install libssl-dev

Next install libssh

  • git clone git://git.libssh.org/projects/libssh.git libssh
  • cd libssh
  • mkdir build
  • cd build
  • cmake -DCMAKE_INSTALL_PREFIX=/usr ..
  • make
  • sudo make install

Link the default installed libssh binaries  to the new installed ones

  • cd  /usr/lib/x86_64-linux-gnu
  • rm libssh.so.4
  • rm libssh_threads.so.4
  • ln -s /usr/lib/libssh.so.4 libssh.so.4
  • ln -s /usr/lib/libssh_threads.so.4 libssh_threads.so.4

Restart openvas scanner to ensure it uses the new binaries

  • /etc/init.d/openvas-scanner restart

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: