Protecting servers from cyberattacks is always a top priority. Even if you’ve installed firewalls, use VPNs, or encrypt data, do you truly know if your server still has vulnerabilities that malicious actors could exploit?
Just as regular health check-ups help detect diseases early, your Linux server also needs frequent ‘health checks’. This is where vulnerability scanning tools become essential. In this article, I will guide you through installing and using OpenVAS – a powerful open-source tool, now officially known as Greenbone Vulnerability Management (GVM).
Quick Start: Install and Run OpenVAS (GVM) in 5 Minutes (on Ubuntu 22.04/20.04)
You’re probably eager to get hands-on. Here are the basic steps to install GVM and access its web interface in just a few minutes. Although the process of updating the vulnerability database (Feed) can take a considerable amount of time, you can still begin configuration immediately after installation.
First, ensure your Ubuntu server is up to date:
sudo apt update
sudo apt upgrade -y
Next, install the GVM (Greenbone Vulnerability Management) package:
sudo apt install gvm -y
Once the installation is complete, you need to run the initial setup command. This command downloads the necessary feeds, creates an administrative account, and configures other GVM components. This process can take anywhere from a few minutes to tens of minutes, depending on your network speed.
sudo gvm-setup
During this process, the system will automatically create a default administrator (admin) account and display its password. Make sure to record this password carefully! This is crucial login information for you to access the GVM web interface.
To enhance security, when creating passwords for important accounts, I often use a password generator at toolcraft.app/en/tools/security/password-generator. This tool helps create strong and secure passwords, and since it runs 100% in the browser, I don’t worry about passwords being exposed over the network.
After gvm-setup completes, you can start the GVM service:
sudo gvm-start
Now, you can access the Greenbone Security Assistant (GSA) web interface via your browser at:
https://<YOUR_SERVER_IP>:9392
If installing on a virtual machine or a server with a graphical user interface (GUI) and accessing directly, you can use https://127.0.0.1:9392. Your browser will display a warning about the SSL certificate. This is a self-signed certificate generated by GVM and is completely normal in this case. You just need to select Advanced or Proceed anyway (depending on your browser) to continue. Afterward, use the admin account and password created during the gvm-setup step to log in. Congratulations, you have successfully installed GVM!
Detailed Explanation: What is OpenVAS (Greenbone) and Why Do You Need It?
What is OpenVAS? (Now Greenbone Vulnerability Management – GVM)
Initially, OpenVAS (Open Vulnerability Assessment System) was an open-source fork of Nessus, created after Nessus transitioned to a commercial model. Over time, the project was developed and managed by Greenbone Networks, and is now officially known as Greenbone Vulnerability Management (GVM). Despite this, many users still commonly refer to it as OpenVAS.
GVM is not just a standalone scanning tool but a comprehensive framework comprising several components:
- Greenbone Security Assistant (GSA): The web user interface for managing and configuring scan tasks and viewing reports.
- OpenVAS Scanner: The component that performs the actual scanning, using plugins (NVTs) to detect vulnerabilities.
- Greenbone Vulnerability Manager (GVMd): The central manager, coordinating scan tasks and storing data.
- Greenbone Security Feed: A database containing continuously updated vulnerability information (NVTs, SCAP, CERT).
Why Do Linux Servers Need Vulnerability Scanning?
You might think that you’ve meticulously configured your server and always use the latest software, so how could there be vulnerabilities? However, the reality is not that simple. Security vulnerabilities can arise for various reasons:
- Software Bugs: No software is perfect. Developers constantly discover and patch bugs, but hackers are also continuously searching for them.
- Misconfigurations: Sometimes, vulnerabilities aren’t in the software itself but in how we configure it (e.g., opening unnecessary ports, using weak passwords, overly broad access permissions).
- Outdated Software: Forgetting to update a particular software package can open the door to known and publicly disclosed vulnerabilities.
- Zero-day Exploits: These are vulnerabilities not yet publicly known, but hackers might already be exploiting them. While GVM cannot immediately detect zero-days, regular scanning helps you stay updated on the latest publicly disclosed vulnerabilities.
Regular vulnerability scanning helps you proactively detect and fix weaknesses **before** attackers can exploit them. This is similar to regularly checking your house’s locks and windows to ensure security.
Differences Between OpenVAS and Other Tools (Lynis, Suricata)
In reality, many people often confuse the functions of different security tools. GVM has a distinct role compared to the tools I’ve introduced previously:
- Lynis: A system auditing tool. It checks system configurations, software installations, kernel, and file permissions to find configuration weaknesses. Lynis focuses on whether the system is configured according to security best practices.
- Suricata: An intrusion detection and prevention system (IDS/IPS). It monitors network traffic in real-time to detect suspicious activities or ongoing attacks. Suricata focuses on detecting and responding to immediate threats.
- OpenVAS (GVM): A vulnerability scanning tool. It actively sends requests to target servers, analyzing responses to find known vulnerabilities in running software and services. GVM focuses on finding existing weaknesses before they are exploited.
In summary, these tools complement each other, with each addressing a different aspect of server security.
Detailed Installation and Initial Configuration (Ubuntu 22.04/20.04)
System Requirements
GVM is a resource-intensive tool, especially regarding RAM and disk space, due to the large size of its Feeds. I recommend the following configuration:
- RAM: Minimum 4GB, preferably 8GB or more.
- CPU: 2 cores or more.
- Disk Space: Minimum 50GB, preferably 100GB or more (for Feeds and scan results).
You should install GVM on a dedicated server, not one running other critical services, to avoid performance impacts.
Step 1: Update System and Install GVM
I’ve already covered these steps in the Quick Start section. It’s important to understand what gvm-setup does:
- Downloads and updates Greenbone Feeds (NVT, SCAP, CERT). This is the most time-consuming step initially.
- Initializes the database.
- Creates a default administrator account and displays the password.
- Configures GVM components so they can communicate with each other.
Step 2: Update Feeds (NVT, SCAP, CERT)
The Greenbone Feed is the heart of GVM. It contains Network Vulnerability Tests (NVTs), information on standard security configurations (SCAP), and security advisories (CERT). To ensure GVM can always detect the latest vulnerabilities, regular feed updates are mandatory.
You can check the update status of the Feeds via the GSA interface (Administration -> Feed Status). If a manual update is needed, you can run:
sudo gvm-feed-update
This command will download the latest updates for all Feeds. This process also takes time and requires a stable internet connection.
Step 3: Access the GSA Web Interface
After GVM has started (by running sudo gvm-start), open your browser and navigate to https://<YOUR_SERVER_IP>:9392.
Your browser will display a warning about the SSL certificate. This is a self-signed certificate generated by GVM and is completely normal in this case. You just need to select Advanced or Proceed anyway (depending on your browser) to continue.
Log in using the admin account and password created during the gvm-setup step. After logging in, you will see the GSA Dashboard, which provides an overview of vulnerabilities and scan tasks.
Using OpenVAS (Greenbone) for Vulnerability Scanning
Now let’s move on to the main part: creating and running a scan task.
GSA Interface Overview
The GSA interface is quite intuitive:
- Dashboard: Overview of results and status.
- Scans: Manage scan tasks (Tasks), scan results (Reports), schedules.
- Assets: Manage scan targets (Hosts), Credentials (login information).
- Configuration: Configure Scanners, Scan Profiles (Scan Configs), Port lists, etc.
- Administration: Manage users, Feed Status, Logs.
Step 1: Add a Target (Scan Target)
Before scanning, you need to tell GVM which server you want to scan.
- Go to Assets -> Hosts.
- Select the star icon (New Host) or New Target (depending on the version).
- Fill in the following information:
  - Name: A memorable name for this target (e.g., My_Web_Server).
  - Hosts: The IP address of the Linux server you want to scan (e.g., 192.168.1.100). You can add multiple IPs, IP ranges (192.168.1.100-192.168.1.150), or CIDR (192.168.1.0/24).
  - Other options such as Port list, SSH Credential (if you want to perform a deeper scan, I will discuss this in the advanced section).
- Click Save.
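Before saving a target, it helps to know how many addresses a Hosts value covers and whether all of them belong to networks you intend to scan. The script below is an added example, not part of the original article or of GVM; the function names are hypothetical, and a comma as the separator between entries is an assumption.

```python
import ipaddress

def expand_hosts(spec):
    """Expand a comma-separated Hosts value into a sorted list of addresses.

    Handles the three forms named above: single IP, start-end range, CIDR.
    """
    addrs = set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        if "/" in part:
            # Usable host addresses only; whether GVM also skips the network
            # and broadcast address is an assumption of this example.
            addrs.update(ipaddress.ip_network(part, strict=False).hosts())
        elif "-" in part:
            first, last = (ipaddress.ip_address(x.strip()) for x in part.split("-", 1))
            if last < first:
                raise ValueError(f"range end is below range start: {part}")
            addrs.update(ipaddress.ip_address(n) for n in range(int(first), int(last) + 1))
        else:
            addrs.add(ipaddress.ip_address(part))
    return sorted(addrs)

def check_scope(spec, allowed_cidrs):
    """Return (number of hosts to scan, addresses outside the allowed networks)."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hosts = expand_hosts(spec)
    outside = [str(a) for a in hosts if not any(a in net for net in allowed)]
    return len(hosts), outside

if __name__ == "__main__":
    # Constructed input: one address inside the intended network, one outside.
    print(check_scope("192.168.1.100, 192.168.2.5", ["192.168.1.0/24"]))
```

A non-empty second value means the target definition reaches addresses outside the networks you listed and should be corrected before the task is created.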
Step 2: Create a Scan Task
Once you have a target, we will create a scan task.
- Go to Scans -> Tasks.
- Select the star icon (New Task).
- Fill in the important information:
  - Name: The name of the scan task (e.g., Scan_My_Web_Server_Weekly).
  - Scan Target: Select the target you created in the previous step.
  - Scanner: Default is OpenVAS Scanner.
  - Scan Config: This is the scan profile. For the first time, you can choose:
    - Full and fast ultimate: Comprehensive scan but optimized for speed.
    - Full and deep ultimate: Deeper scan but takes more time.
  - You can also configure a schedule for automatic scanning (e.g., weekly, monthly).
- Click Save.
Step 3: Run Scan and View Results
Now, you are ready to scan:
- In the Scans -> Tasks list, find the task you just created.
- Click the Start icon (green arrow).
- The task status will change from New to Requested, then Running.
- The scanning process can take from a few minutes to several hours, depending on the number of IPs, scan configuration, and your GVM server’s performance.
- Once the scan is complete, the status will be Done. You can click on the task name or the Report icon (paper icon) to view the results.
In the report, you will see a list of vulnerabilities categorized by severity (Critical, High, Medium, Low). Prioritize addressing Critical and High vulnerabilities first.
Each vulnerability will have detailed information:
- Vulnerability: Name of the vulnerability.
- CVE ID: Common identifier for the vulnerability (important for searching for information).
- Summary: Brief description of the vulnerability.
- Solution: Remediation instructions (often involves updating software, changing configurations).
Advanced Features and Practical Tips
Scanning with Credentials (Login Information)
For GVM to perform a deeper scan into the Linux server, you should provide SSH login credentials. This allows GVM to check installed software packages, versions, and internal system configurations, thereby detecting vulnerabilities that external scans cannot see.
- Go to Configuration -> Credentials and create a new SSH credential.
- When creating a Target, select this credential.
Note: Always create an SSH account with read-only or minimal privileges for scanning purposes to ensure security.
Creating Custom Scan Configurations
If you want more granular control over the scanning process, you can create a custom Scan Configuration:
- Go to Configuration -> Scan Configs.
- Select New Scan Config.
- You can select specific NVTs to scan, exclude unnecessary NVTs, or only scan certain ports. This helps reduce scan time and resource consumption.
Scheduling Automatic Scans
Manual scanning can easily be forgotten. Take advantage of GVM’s scheduling feature:
- When creating or editing a Scan Task, you can select the Schedule option.
- Set the scan frequency (daily, weekly, monthly) and specific time.
This ensures your server is regularly checked without manual intervention.
Handling Scan Results
Scanning is only the first step; the most important thing is to act on the results:
- Prioritize: Focus on vulnerabilities with Critical and High severity first.
- Research: Use the CVE ID to find more detailed information about the vulnerability and remediation steps from the software vendor or public security databases.
- Remediate: Update software, patch bugs, change configurations, close unnecessary ports.
- Re-scan: After remediation, run another scan task on the same target to confirm that the vulnerability has been successfully patched.
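The prioritize and re-scan steps can be scripted against exported reports. The script below is an added example, not part of the original article or GVM's own code; it assumes an XML report export with result, host, port, severity, nvt and ref elements, and it runs on constructed sample data with placeholder OIDs and CVE ids.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not real scan output. Element names assume GVM's XML
# report export; OIDs and CVE ids are placeholders.
def _result(host, port, score, oid, name, cve):
    return (f'<result><host>{host}</host><port>{port}</port>'
            f'<severity>{score}</severity><nvt oid="{oid}"><name>{name}</name>'
            f'<refs><ref type="cve" id="{cve}"/></refs></nvt></result>')

SSH = _result("192.168.1.100", "22/tcp", 9.8, "OID-PLACEHOLDER-1", "Example SSH flaw", "CVE-0000-0001")
TLS = _result("192.168.1.100", "443/tcp", 7.5, "OID-PLACEHOLDER-2", "Example TLS flaw", "CVE-0000-0002")
HDR = _result("192.168.1.100", "80/tcp", 2.6, "OID-PLACEHOLDER-3", "Example header issue", "CVE-0000-0003")
NEW = _result("192.168.1.100", "8080/tcp", 5.3, "OID-PLACEHOLDER-4", "Example proxy issue", "CVE-0000-0004")
FIRST_SCAN = f"<report><results>{SSH}{TLS}{HDR}</results></report>"
RESCAN = f"<report><results>{TLS}{HDR}{NEW}</results></report>"

def band(score):
    # CVSS v3 qualitative bands, assumed to match the report's severity classes.
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "Log"

def load(xml_text):
    """Map (host, port, NVT OID) -> finding for every <result> in a report."""
    findings = {}
    for r in ET.fromstring(xml_text).iter("result"):
        nvt = r.find("nvt")
        key = ((r.findtext("host") or "").strip(), r.findtext("port"), nvt.get("oid"))
        findings[key] = {"name": nvt.findtext("name"),
                         "score": float(r.findtext("severity")),
                         "cves": [x.get("id") for x in nvt.iter("ref") if x.get("type") == "cve"]}
    return findings

def triage(findings, minimum=7.0):
    """Critical and High findings first, highest score at the top."""
    rows = [(f["score"], band(f["score"]), host, port, f["name"], f["cves"])
            for (host, port, _), f in findings.items() if f["score"] >= minimum]
    return sorted(rows, key=lambda row: -row[0])

def compare(before, after):
    """Diff a re-scan against the first scan of the same target."""
    return {"fixed": sorted(before.keys() - after.keys()),
            "remaining": sorted(before.keys() & after.keys()),
            "new": sorted(after.keys() - before.keys())}

if __name__ == "__main__":
    print(triage(load(FIRST_SCAN)))
    print(compare(load(FIRST_SCAN), load(RESCAN)))
```

Findings are keyed on host, port and NVT OID, so a finding counts as fixed only when that exact check no longer reports on that port in the re-scan.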
Performance Optimization
GVM can be resource-intensive. To optimize:
- Dedicated Server: Install GVM on a separate server, not the one you are scanning.
- Limit Concurrent Scans: If you are scanning multiple servers, limit the number of parallel scan tasks to avoid overload.
- Increase Resources: If possible, allocate more RAM and CPU to the GVM server.
Regularly Update GVM and Feeds
The security landscape is constantly changing, with new vulnerabilities discovered daily. Therefore, ensuring your GVM is always up-to-date is extremely important:
- System Update: sudo apt update && sudo apt upgrade -y to update GVM packages.
- Feed Update: sudo gvm-feed-update to get the latest NVTs. You can also set up a cron job to automatically run this command daily or weekly.
Conclusion
OpenVAS (Greenbone Vulnerability Management) is an extremely useful tool that helps you proactively protect your Linux server. By regularly scanning for vulnerabilities, you can timely detect and fix weaknesses, preventing them from being exploited by attackers.
Security is not a one-time task but an ongoing process. Make vulnerability scanning an essential element of your server management routine. Start today to better protect your system!
