Title: RE: IPTables and Nessus

You can set Nessus to run without listening on any ports, using Unix sockets.
In nessus-core: # ./configure --enable-unix-socket

Kind Rgds,
Paul Rochford
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rich
Sent: 21 April 2004 19:32
To: Jay Jacobson
Cc: [EMAIL PROTECTED]
Subject: Re: IPTables and Nessus


While it may go without saying, blocking all IP from everywhere but the
target network will go a long way to reducing the exposure of your
scanning system to the Internet at large.  This could be performed using
iptables or a perimeter routing/firewall device between the scanning
host and the target environment.

Running nessusd on one of the Knoppix-based Linux distributions will
start with a fairly secure base and significantly reduce the rebuild
overhead if the system is successfully compromised.  Two I know of are
at http://www.localareasecurity.com and http://www.knoppix-std.org.  If
running the client locally is possible/acceptable, a USB flash drive
provides convenient nonvolatile storage for plugins, target lists and
scanner output.


Jay Jacobson wrote:

>If your Nessus client is also on the "inside" network, then you can block
>1241/tcp externally, as that is the only port the Nessus server listens
>on accepting connections from Nessus clients.
>
>~Jay
>
>On Wed, 21 Apr 2004, Michael Scheidell wrote:
>
>>>Does anyone have an example of an IPTables filtering list under Redhat
>>>that can be used with Nessus.
>>>
>>>I'm sorry if this is a little off topic.
>>>
>>>I have had some problems using Nessus and NAT (for external scans), so
>>>I'm thinking of putting the Nessus scanner on the outside segment of our
>>>network. I would like to setup IPTables so the machine is not completely
>>>vulnerable to the outside.
>>>
>>allow ip any any?
>>
>>put it on the outside interface, start nessusd with the -a {ip} option (using the
>>inside IP address), MAYBE use the -S option with the outside IP address.
>>
>>that way, nessus will only be listening on the internal interface.
>>
>>Anything else and you will interfere with nessus
>>
>>
>

_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus

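The advice in this thread (Jay: block 1241/tcp from outside since it is the only port nessusd listens on; Robert: drop everything that is not the target network; Michael: bind nessusd to the inside address with -a) put into one iptables ruleset, added here as an example and not posted by anyone on the list. The interface name, the inside and target subnets, the use of the old `-m state` match and the exact rule order are assumptions for illustration; adjust them to your segments.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# for a nessusd host on the outside segment. Interface names, subnets and
# the rule set itself are assumptions for illustration.
#
# Policy:
#   - default DROP on INPUT and FORWARD
#   - loopback and connection-tracked replies allowed (scan responses)
#   - nessusd's 1241/tcp reachable only from the inside client network
#   - anything from the target network accepted; the rest of the
#     Internet dropped, with rate-limited logging
#
# The 1241 rule is belt and braces: nessusd should also be started with
# -a <inside ip> so it never listens on the outside address at all.

INSIDE_IF="${INSIDE_IF:-eth1}"               # assumed: interface facing the Nessus client
INSIDE_NET="${INSIDE_NET:-192.168.1.0/24}"   # assumed: network the client connects from
TARGET_NET="${TARGET_NET:-203.0.113.0/24}"   # assumed: network being scanned (RFC 5737 range)
NESSUSD_PORT="${NESSUSD_PORT:-1241}"

# Print the ruleset in iptables-save format; load it with
#   nessus_ruleset > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
nessus_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INSIDE_IF -s $INSIDE_NET -p tcp --dport $NESSUSD_PORT -m state --state NEW -j ACCEPT
-A INPUT -s $TARGET_NET -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "nessus-host-drop: "
COMMIT
EOF
}

# Sanity check a ruleset read from stdin before loading it: refuse one that
# has no DROP policy on INPUT, or that accepts the nessusd port from any
# source (a --dport rule with no -s restriction). Returns 0 on pass, 1 on fail.
nessus_ruleset_check() {
    rules=$(cat)
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    if echo "$rules" | grep -- "--dport $NESSUSD_PORT" | grep -qv -- '-s '; then
        return 1
    fi
    return 0
}

# Print the ruleset when invoked as: sh this_script.sh print
case "${1:-}" in
    print) nessus_ruleset ;;
esac
```

After loading, confirm from a host outside both networks that a port scan of the scanner shows 1241/tcp filtered, and that a scan of the target network still completes: the ESTABLISHED,RELATED rule carries back the replies to nessusd's own probes, and the explicit ACCEPT from the target network covers anything the targets send that conntrack does not classify as a reply.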