Nessus Question


Falcon
06-04-2001, 06:41 PM
Is there a guide for installing/configuring nessus from the RPMs? I want to install it behind my firewall so only I can use it. I tried to do the source install and it went hopelessly wrong. The RPM's work fine, I just can't figure out how to set it up.

Are the plugins for it current? I want to see if some dumd@$$ script kiddie can hack me.

Thanks,
Falcon

Falcon
06-04-2001, 11:13 PM
I used www.vulnerabilities.org's web-based nessus scanner to scan my system. I found one hole (so far). It said:


Vulnerability found on port http (80/tcp)

It was possible to make the remote switch reboot by requesting :

GET /cgi-bin/view-source?/

An attacker may use this flaw to prevent your network from working
properly.

Solution : see http://www.cisco.com/warp/public/707/httpserverquery-pub.shtml
See also : BID 1838
Risk factor : High


I don't have a cisco router at my house, so I'm not sure what the problem is, how can I fix it?

Also, it said
Warning found on port general/icmp

The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.

This may help him to defeat all your
time based authentifications protocols.

Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524



How do I fix this?

Also, it said the following about my apache banner:

The remote web server type is :
Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01

We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult

How do I fake that? What should I fake it to?

Thanks a lot again,
Falcon

Falcon
06-06-2001, 10:56 AM
Come on, someone help me out here.

Craig McPherson
06-14-2001, 06:31 PM
It was possible to make the remote switch reboot by requesting :

GET /cgi-bin/view-source?/

I don't know about this exploit specifically, but it's a very good idea to clear EVERYTHING out of your cgi-bin directory, and then just put things in as you need them. Having a lot of CGI scripts on your web server that you didn't put there is asking for trouble.


The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.


I think it's a stretch to call this a security vulnerability, but you can block unwanted ICMP connections at your firewall if you want to.

Here's what I do about ICMP in my iptables firewall:

#Allow destination unreachable, etc. out, to be polite
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
#Allow echos out, for pings and replies
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

#Allow traceroute replies in
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

#Allow echos in, for pings and replies
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

#Block all other ICMP
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j REJECT

It's those last two lines that'll block ICMP timestamps, along with any other types of ICMP the previous lines didn't allow.

I think this breaks some RFCs, so if you care about that sort of thing, don't bother.

We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult

I wouldn't. You've heard that security through obscurity is no security at all, but although obscurity in and of itself isn't a bad thing, I think it's a bit silly to go obscuring ports. Script kiddies won't bother checking your banner, and more intelligent intruders won't need to. It's much better to make sure you're running the latest version of Apache, and upgrading to a patched version as soon as any security flaws are discovered, than to run an old, insecure version and try to "keep the bad guys from finding out."
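As an added example (not from anyone in this thread): a small Python script that decodes an ICMP timestamp reply (type 14) to show what the Nessus warning is about, namely that the reply carries the host's clock as milliseconds since midnight UT, and that checks ICMP types against Craig's iptables policy above. The packet is constructed inline, and POLICY is my transcription of his rules, not anything from the thread itself.

```python
import struct
from datetime import timedelta

# ICMP types referenced in the thread (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14

# Craig's iptables rules, transcribed: allowed types per chain; anything
# else is DROPped on INPUT and REJECTed on OUTPUT (his last two lines).
POLICY = {
    "INPUT": {DEST_UNREACH, TIME_EXCEEDED, ECHO_REPLY, ECHO_REQUEST},
    "OUTPUT": {DEST_UNREACH, ECHO_REPLY, ECHO_REQUEST},
}

def icmp_checksum(data: bytes) -> int:
    """Ones'-complement checksum over the ICMP message; 0 when a packet verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_timestamp_reply(ident, seq, originate_ms, receive_ms, transmit_ms) -> bytes:
    """Constructed type-14 message: header, id/seq, then three 32-bit timestamps."""
    hdr = struct.pack("!BBHHHIII", TIMESTAMP_REPLY, 0, 0, ident, seq,
                      originate_ms, receive_ms, transmit_ms)
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]

def parse_icmp(pkt: bytes) -> dict:
    """Decode type/code and, for types 13/14, the timestamp fields."""
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    info = {"type": icmp_type, "code": code}
    if icmp_type in (TIMESTAMP_REQUEST, TIMESTAMP_REPLY):
        ident, seq, orig, recv, xmit = struct.unpack("!HHIII", pkt[4:20])
        info.update(id=ident, seq=seq, originate_ms=orig,
                    receive_ms=recv, transmit_ms=xmit)
    return info

def clock_from_reply(info: dict) -> str:
    """What a scanner learns: the remote wall clock (UT) as HH:MM:SS."""
    return str(timedelta(milliseconds=info["transmit_ms"]))

def filter_verdict(chain: str, icmp_type: int) -> str:
    """Apply the transcribed policy to one ICMP type on INPUT or OUTPUT."""
    if icmp_type in POLICY[chain]:
        return "ACCEPT"
    return "DROP" if chain == "INPUT" else "REJECT"
```

Running a type-14 packet through `parse_icmp` and `clock_from_reply` shows the disclosed clock, while `filter_verdict` confirms the ruleset drops incoming type 13 and rejects outgoing type 14 without touching ping or traceroute.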