How to make OpenVAS listen on an external interface?

5

2

I need to connect to my OpenVAS from the Internet to conduct penetration tests.

I didn't find any way to make it permanently listen on the external interface: openvas-start causes it to listen on 127.0.0.1.

I already tried to modify the configuration files, but it seems either I'm doing it wrong or something is overriding configurations when it starts.

Any help would be appreciated.

P.S: I'm using Kali 2.0.

Sam

Posted 2015-09-23T09:13:43.570

Reputation: 435

Not funny. Product-specific configuration questions are off-topic because they either belong on the vendors support page or the answers are in the manual. You also do not include any data on what configurations you tried or what errors or effects you were experiencing. – schroeder – 2015-09-23T22:40:32.393

Answers

14

Since we're on systemd, you actually need to modify 3 .service files:

cd /lib/systemd/system

Files are: greenbone-security-assistant.service, openvas-manager.service and openvas-scanner.service.

To make it quick you may want to use sed. This line will replace every 127.0.0.1 with 0.0.0.0, which will make all services available on all interfaces. You should replace 0.0.0.0 with the address of your choice. (The dots are escaped so that they match literal dots rather than any character.)

sed -e 's/127\.0\.0\.1/0.0.0.0/g' greenbone-security-assistant.service openvas-manager.service openvas-scanner.service

Verify that everything will be changed as you want. If you're happy with the changes, just add -i to the end of the previous command.

sed -e 's/127\.0\.0\.1/0.0.0.0/g' greenbone-security-assistant.service openvas-manager.service openvas-scanner.service -i

Lastly, you need to reload the daemons, since you've made changes to the unit files, and restart the services.

systemctl daemon-reload
systemctl restart greenbone-security-assistant.service openvas-manager.service openvas-scanner.service

Verify that all services are listening on the desired host:

ss -nalt

If restarting the services didn't work, try restarting the server itself.

Tim Rain

Posted 2015-09-23T09:13:43.570

Reputation: 156

This was the answer for me. New version of Kali Linux since the openvas services have been added to systemd. – jmreicha – 2016-04-16T22:53:12.053

7

  1. openvas-stop
  2. gsad --listen=0.0.0.0
  3. openvas-start
  4. From any client machine try https://kali-ip/
  5. Enjoy accessing openvas web

Guru Murthy

Posted 2015-09-23T09:13:43.570

Reputation: 71
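
Tim Rain's sed rewrites the vendor units under /lib/systemd/system, which a package upgrade can silently revert, and Guru Murthy's `gsad --listen=0.0.0.0` is gone after the next restart. The script below is an added example, not code from either answer, that achieves the same result with systemd drop-in overrides under /etc/systemd/system and then checks which address each port is really bound to. It assumes the three unit names from Tim Rain's answer, the ports 9390/9391/9392 from Sam's netstat output, and vendor ExecStart lines that contain the literal 127.0.0.1; none of these are confirmed beyond what the thread shows.

```shell
#!/bin/sh
# Added example, not code from any of the answers above. Binds the three
# OpenVAS units to a chosen address through systemd drop-in overrides
# (which survive package upgrades, unlike edits under /lib/systemd/system)
# and then reports what each port is actually bound to.
#
# Assumptions not confirmed by the thread: the unit names from Tim Rain's
# answer, the ports 9390/9391/9392 from Sam's netstat output, and vendor
# ExecStart lines that contain the literal 127.0.0.1 to substitute.
set -eu

UNIT_DIR=/lib/systemd/system
DROPIN_DIR=/etc/systemd/system
UNITS="openvas-scanner.service openvas-manager.service greenbone-security-assistant.service"
PORTS="9390 9391 9392"

# Print a drop-in body that re-issues the unit's own ExecStart line with
# 127.0.0.1 replaced by $2. The empty "ExecStart=" clears the vendor value
# first: a drop-in that merely adds a second ExecStart is refused by systemd
# for anything but Type=oneshot, a likely reason a bare local.conf does nothing.
render_dropin() {   # render_dropin <unit-file> <address>
    exec_line=$(grep '^ExecStart=' "$1" | head -n 1)
    [ -n "$exec_line" ] || { echo "no ExecStart in $1" >&2; return 1; }
    new_line=$(printf '%s\n' "$exec_line" | sed 's/127\.0\.0\.1/'"$2"'/g')
    printf '[Service]\nExecStart=\n%s\n' "$new_line"
}

# Read "ss -nlt"-style output on stdin and print the address that TCP
# port $1 is bound to (nothing if it is not listening). This is the check
# to run after restarting: 0.0.0.0 or [::] here means anyone can reach it.
bound_addr() {      # ss -nlt | bound_addr <port>
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # Local Address:Port is column 4
            if (parts[n] == port) { sub(":" port "$", "", $4); print $4 }
        }'
}

# Write the drop-ins, reload, restart and verify. Needs root:
#   sh listen.sh apply 10.0.0.10
apply() {           # apply <address>
    for unit in $UNITS; do
        mkdir -p "$DROPIN_DIR/$unit.d"
        render_dropin "$UNIT_DIR/$unit" "$1" > "$DROPIN_DIR/$unit.d/listen.conf"
    done
    systemctl daemon-reload
    systemctl restart $UNITS
    for port in $PORTS; do
        printf 'port %s bound to: %s\n' "$port" "$(ss -nlt | bound_addr "$port")"
    done
}

case "${1:-}" in
    apply) apply "${2:?usage: $0 apply <address>}" ;;
esac
```

Pass the address of the interface you actually want to serve on rather than 0.0.0.0; the GSA login page should not be reachable from every network the host sits on, and the `bound_addr` check is there to catch exactly that. As with the sed in Tim Rain's answer, every 127.0.0.1 on an ExecStart line is rewritten, so if the manager's command line also names the scanner address, both move to the new address together.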

2

There is a much simpler solution. You can redirect the external IP's port to localhost using the firewall. Assuming that your server's external IP is 10.0.0.10:

sysctl -w net.ipv4.conf.eth0.route_localnet=1

iptables -t nat -A PREROUTING -p tcp -d 10.0.0.10 --dport 443 -j DNAT --to-destination 127.0.0.1:9392

That's all, now connect to https://10.0.0.10

I also tried to edit the configuration IPs, but they are in many places and seem to break OMP authorization. This solution was tested with the latest Kali/OpenVAS (2016.09).

mike

Posted 2015-09-23T09:13:43.570

Reputation: 131
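
The DNAT approach above keeps every daemon on loopback, which is attractive, but as written the rule forwards any host on the Internet to the GSA login page, adds a duplicate rule each time it is re-run, and the sysctl is lost on reboot. The following is an added example, not mike's code, that applies the same redirect restricted to a single trusted source, checks for the rule before appending it, and persists the sysctl. The interface name eth0 and the trusted tester address 203.0.113.7 are assumptions for illustration; 10.0.0.10 is the external address used in the answer.

```shell
#!/bin/sh
# Added example, not code from the answer above. Applies the DNAT trick
# from mike's answer, but only for one trusted source address, only once
# (re-running does not stack duplicate rules), and with the route_localnet
# sysctl persisted so it survives a reboot.
#
# Assumptions not in the thread: interface eth0, external address 10.0.0.10
# (as in the answer), and a single trusted tester at 203.0.113.7.
set -eu

IFACE=${IFACE:-eth0}
EXT_IP=${EXT_IP:-10.0.0.10}
EXT_PORT=${EXT_PORT:-443}
ALLOW_SRC=${ALLOW_SRC:-203.0.113.7/32}   # the only host allowed to reach gsad
GSAD_PORT=9392                           # gsad default, per the thread

# Rule specification (everything after "-t nat"), built once so the exact
# same text is used to test for the rule and to add it. Without "-s", the
# answer's rule exposes the GSA login to every address on the Internet.
dnat_spec() {       # dnat_spec <iface> <src-cidr> <ext-ip> <ext-port> <local-port>
    printf 'PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination 127.0.0.1:%s' \
        "$1" "$2" "$3" "$4" "$5"
}

# "iptables -C" exits 0 when an identical rule already exists, so the
# append happens at most once no matter how often the script is run.
ensure_rule() {     # ensure_rule <spec>
    if iptables -t nat -C $1 2>/dev/null; then
        echo "rule already present: $1"
    else
        iptables -t nat -A $1
    fi
}

apply() {
    # Packets rewritten to 127.0.0.1 are dropped as martians unless the
    # receiving interface allows routing to the loopback net. Set it now
    # and persist it for the next boot.
    sysctl -w "net.ipv4.conf.$IFACE.route_localnet=1"
    printf 'net.ipv4.conf.%s.route_localnet = 1\n' "$IFACE" \
        > "/etc/sysctl.d/90-openvas-route-localnet.conf"
    ensure_rule "$(dnat_spec "$IFACE" "$ALLOW_SRC" "$EXT_IP" "$EXT_PORT" "$GSAD_PORT")"
    iptables -t nat -S PREROUTING    # show what is in place
}

case "${1:-}" in apply) apply ;; esac
```

Run it as root with `sh dnat.sh apply`. Hosts other than ALLOW_SRC still see a closed port 443, which is the point: the redirect is the only thing standing between the Internet and a web login on the scanner box. The nat rule itself is not saved here; persist it with iptables-save or whatever rule-persistence mechanism your installation already uses.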

1

Quoting the openvasd man page:

-a , --listen= Tell the server to only listen to connections on the address which is an IP, not a machine name. For instance, "openvasd -a 192.168.1.1" will make openvasd only listen to requests going to 192.168.1.1 This option is useful if you are running openvasd on a gateway and if you don't want people on the outside to connect to your openvasd.

You can append this option in the startup script located in /etc/init.d/openvas-scanner in the DAEMONOPTS constant.

davidb

Posted 2015-09-23T09:13:43.570

Reputation: 166

added DAEMONOPTS="--listen=0.0.0.0" but netstat -na still shows Local Address 127.0.0.1:9390 127.0.0.1:9391 127.0.0.1:9392 – Sam – 2015-09-23T12:47:11.357

Did you restart the daemon? – None – 2015-09-23T12:47:45.360

I ran openvas-stop then openvas-start respectively. – Sam – 2015-09-23T12:48:10.907

Also why didn't you specify the external address explicitly? – None – 2015-09-23T12:48:19.950

Run /etc/init.d/openvas-scanner restart – None – 2015-09-23T12:48:53.223

Let us continue this discussion in chat. – Sam – 2015-09-23T12:51:22.243

I just tried this method but it doesn't seem to work. OpenVAS still seems to be binding to 127.0.0.1 instead of the public interface. – jmreicha – 2016-04-05T02:11:22.300

Are you talking about OpenVAS iself or the management interface? – davidb – 2016-04-05T05:44:24.210

I tried both. FWIW I gave up and just downloaded the appliance which seems to be working. – jmreicha – 2016-04-06T05:33:23.717

Is there a way to make this change permanent? I mean, if I run "gsad --listen=0.0.0.0" and then start openvas, I can reach it locally and externally. I couldn't find a config file where I can add this. /etc/default/greenbone-security-assistant or /etc/systemd/system/greenbone-security-assistant.service.d/local.conf didn't help me. – mauek unak – 2017-06-20T11:37:28.643

0

Edit /etc/default/greenbone-security-assistant:

Change 127.0.0.1 to your IP

GSA_ADDRESS=your_server_IP_address

Then, restart the services:

root@tiger:/home/fw# ps aux | grep openvassd | grep -v grep
root      8918  2.6  1.2 138644 12212 ?        Ss   17:31   2:25 openvassd: Waiting for incoming connections
root@tiger:/home/fw#
root@tiger:/home/fw# killall openvassd
root@tiger:/home/fw#
root@tiger:/home/fw# ps aux | grep openvassd | grep -v grep
root@tiger:/home/fw#
root@tiger:/home/fw# service openvas-scanner start
root@tiger:/home/fw# service openvas-manager start
root@tiger:/home/fw# service greenbone-security-assistant restart
root@tiger:/home/fw#
root@tiger:/home/fw# ps aux | grep openvassd | grep -v grep
root      9681 39.4  1.3 123836 13476 ?        Ds   19:02   0:02 openvassd: Reloaded 7750 of 46062 NVTs (16% / ETA: 00:19)
root      9682  0.0  0.1 114564  1528 ?        S    19:02   0:00 openvassd (Loading Handler)
root@tiger:/home/fw#

Try to access it from outside https://ip:9392

firewallengineer

Posted 2015-09-23T09:13:43.570

Reputation: 1

I just tried this method but it doesn't seem to work. OpenVAS still seems to be binding to 127.0.0.1 instead of the public interface. – jmreicha – 2016-04-05T02:11:00.550

0

Oddly, I used both firewallengineer's and Tim Rain's answers and that solved my issue. I did notice that, for whatever reason, in /lib/systemd/system I had to put --allow-header-host myserver.mycompany.com at the end of the ExecStart line.

In /etc/default/greenbone-security-assistant I had to set GSA_ADDRESS to the server address. This is what worked for me. I also had to access the server as myserver.mycompany.com:9392/omp, as just myserver.mycompany.com would not resolve. I understand my company's DNS needs a cleaning, but I don't have the time to fix that. Thank you both for your information; it saved me a lot of time and taught me quite a bit too.

Hopefully this helps someone.

silentsteve

Posted 2015-09-23T09:13:43.570

Reputation: 1