Tip

How to install and configure Nessus

If you've been around the information security profession for any length of time, you probably have at least a passing familiarity with the Nessus vulnerability scanner. In this, the first of a series of three Nessus tips, we'll provide you with an introduction to this popular security tool and give you the information you need to install and configure your own Nessus deployment.

Nessus is a member of the family of security tools known as vulnerability scanners. As the name implies, these products scan the network for potential security risks and provide detailed reporting that enables you to remediate gaps in your security posture. These scans run using a client/server architecture, so let's discuss both pieces of that architecture.

The scan engine is available for Linux/Unix systems only (sorry Microsoft fans!). Installation is actually quite simple. If you have the Lynx HTTP browser on your system, simply run the command:

prompt$ lynx –source http://install.nessus.org | sh

This command downloads the Nessus installation script and executes it on your system. Note that the "prompt$" prompt indicates that you should run this command from a normal user account and not with root privileges. If you'd like, you may

Requires Free Membership to View

review the script before executing it on your system. Alternatively, you may build and compile Nessus manually by downloading the source code and compiling it.

Once you've completed the installation, you need to complete three steps to get up and running:

  1. Start the Nessus scan server by running the command "nessusd&"
  2. Add a Nessus user to your system by executing "nessus –adduser"
  3. Start the Nessus client and explore away!

If you'd like to run the Nessus client on a system other than the one you installed the server on, you're free to do so. You may download the NessusClient GUI for Unix systems or the NessusWX client for Windows systems from the Nessus download page. Once you've installed your client, simply point it at the IP address of your Nessus server and connect using the username and password you created in step two above.

The Nessus project began as an open-source community project more than seven years ago. While the basic Unix/Linux scanner is still freely available, many elements of the Nessus line are going commercial. Tenable Security, the current custodians of Nessus, also produce NeWT, a Windows version that uses the wizard-based installation and GUI familiar to Windows users. A free version (limited to scanning hosts on the same Class C subnet as the scanning system) is available for download from Tenable.

One last word of wisdom: the Nessus plug-ins (the scripts that provide the scanning functionality of Nessus) change frequently. Be sure to update your plug-ins from the official site on a regular basis using the "nessus-update-plugins" command on the Nessus server.

Our next tip will explore using Nessus to conduct vulnerability scans, and we'll wrap up the series with a look at deploying Nessus as part of an enterprise vulnerability scanning program.


NESSUS TUTORIAL

  Introduction: What is Nessus?
  How to install and configure Nessus
  How to run a system scan
  How to build an enterprise scanning program
  Nessus: Managing data
  How to simplify security scans
  How to use Nessus with the SANS Top 20

ABOUT THE AUTHOR:
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.


This was first published in January 2006

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.