01 Requirements

Nessus is a true client/server application. The server is always Linux. The client can be Linux, Windows, or web (on Linux). I want to plug Tenable Security for a second. The guys there are great–and have a FANTASTIC client called Lightning (soon to be renamed). However, they have to eat too, so you pay for the goodness. I went with Fedora Core. Some of the best documentation and support can be found with that distro. Debian has a lot of documentation as well, but well, it’s all about choice, right :) ?

Great thing is that Red Hat has fixed the download mirror issues. You can actually download all five (5) disks of Fedora Core 5 in pretty short order. So much better than the way it used to be, when you had to search for an open FTP mirror. You’d usually end up on some martian server somewhere that was soooooo very slow… So, get them all, and get them installed. I have a little P4 machine on my test network that seems to run it just fine.

Now, here is an issue. Please help me if you happen to have this info–because I can’t find it. I’ve called around inside Tenable Security and they don’t seem to know specifics either. What is the minimal Linux load needed to run Nessus? Obviously, if you are going to put this in a DMZ and run scans into other networks you need a pretty tight box. First rule of securing a server is remove all unnecessary software–minimize the footprint. They can’t exploit software that isn’t installed. Too bad there’s not a document to answer that question.

Oh well.

Get an OS, and get the Nessus downloads. You’ll need the server install (an RPM in this case). I went with the NessusWX client for Windows. It hasn’t been updated since 2003, unfortunately, but the author has posted the source code–which is a good thing since we’ll probably have to modify it.

You’ll also need to get Nikto (web server vulnerability checker) at the very least. Nessus uses it if it’s there in the path. You can also get THC Hydra (password cracker). However, this did not want to install for me and I didn’t fight it too much since it wasn’t really needed for my purposes.
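Since the Nessus server only picks up Nikto (and Hydra, if you bothered with it) when the binary is on the PATH of the account running nessusd, it is worth checking that before the first scan instead of wondering later why the web checks ran thin. The script below is an added example, not part of the original post or of Nessus itself; the tool names are taken from the text above, and the assumption is that a tool counts as "available" when a file by that name is found in a PATH directory and is executable.

```shell
#!/bin/sh
# Added example: report which scanner helpers nessusd will be able to find on PATH.
# Nessus only uses Nikto/Hydra if the binary is reachable via PATH, so run this
# as the same account that nessusd runs under, not just as yourself.

# tool_on_path NAME -> prints the full path and returns 0, or returns 1 if absent.
# Uses PATH directly instead of `which`, so it works in a minimal install
# that might not ship the which package at all.
tool_on_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_helpers TOOL... -> prints one line per tool, returns the number missing.
# A non-zero return therefore means "at least one plugin will silently degrade".
check_helpers() {
    missing=0
    for tool in "$@"; do
        if path=$(tool_on_path "$tool"); then
            printf 'ok       %-8s %s\n' "$tool" "$path"
        else
            printf 'MISSING  %-8s (not on PATH for %s)\n' "$tool" "$(id -un)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: the helpers named in the post. Hydra is optional for my purposes,
# so treat a missing hydra as informational rather than fatal.
main() {
    check_helpers nessusd nikto hydra
    n=$?
    if [ "$n" -gt 0 ]; then
        echo "$n helper(s) not visible to this account; nessusd will skip those checks."
    fi
}

# Only run main when executed directly, so the functions can also be sourced.
case $0 in
    *sh) : ;;
    *) main ;;
esac
```

Run it once as root and once as the unprivileged account nessusd is started under; the two PATHs are often different on Fedora, and a tool visible to root under /usr/local/bin may be invisible to the service account.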

Obviously, a Windows XP/2003 box is required on which to run the NessusWX client. I also installed MySQL on this box. I grabbed the MySQL essentials, the Administrator client, and the Query Browser.

I think that’s about it–except for a good network switch between the two machines. More on that one later.

Next: Readiness