Posted inSecurity

Mastering OpenVAS/Greenbone: A Practical Guide to Vulnerability Management

Security tutorial - IT technology blog
Security tutorial - IT technology blog

Problem Statement: Unseen Vulnerabilities, Real Threats

The internet can feel like a relentless battlefield, with our systems constantly under attack. Threats range from sophisticated nation-state actors to automated bots relentlessly probing for weaknesses. I learned this the hard way when my personal server was hit by SSH brute-force attacks late one night. That chilling experience wasn’t just a wake-up call; it cemented my conviction: prioritize security from the start. Waiting for an incident to happen is simply asking for trouble.

A critical step in securing any system is understanding its weaknesses before attackers can exploit them. Servers, applications, and network devices often contain hidden vulnerabilities. These can become open doors for intruders.

Modern IT environments are incredibly complex, making manual vulnerability discovery an impossible task. We need a systematic, automated way to continuously identify, assess, and manage these security flaws. The real challenge is not just finding them, but doing so comprehensively and efficiently.

Core Concepts: Unveiling OpenVAS/Greenbone

Proactive cybersecurity hinges on having clear visibility into potential attack vectors. This is precisely where vulnerability scanners become essential tools. A vulnerability scanner is an automated system designed to inspect your infrastructure—be it systems, networks, or applications—for known security weaknesses, common misconfigurations, and outdated software. Think of it as a digital detective, actively searching for the weak points in your digital defenses.

This brings us to OpenVAS and Greenbone. OpenVAS (Open Vulnerability Assessment System) started as an open-source initiative. Its goal was to create a comprehensive framework for vulnerability scanning and management. Since then, it has evolved significantly. Greenbone Networks now maintains the core Greenbone Vulnerability Management (GVM) framework. While many still use ‘OpenVAS’ informally, the underlying open-source technology is a key component of the broader GVM ecosystem.

Greenbone provides the GVM framework, which includes several powerful components. The Greenbone Security Assistant (GSA) serves as the intuitive web interface. The Greenbone Vulnerability Scanner (GVMd) is the core scanning engine.

It’s backed by a vast, continuously updated database of Network Vulnerability Tests (NVTs). These NVTs are essentially specialized signatures that the scanner uses to detect tens of thousands of known vulnerabilities. Using OpenVAS/Greenbone offers a comprehensive approach to vulnerability management. It not only identifies issues but also helps you track their remediation, ensuring your systems remain secure over time.

Hands-on Practice: Setting Up and Scanning with OpenVAS/Greenbone

Getting started with OpenVAS/Greenbone might seem intimidating due to its numerous components. Thankfully, Docker has made deployment far more accessible. For this tutorial, we’ll use a Docker Compose setup. This approach orchestrates the various Greenbone services, providing a relatively isolated and straightforward installation process.

First, ensure you have Docker and Docker Compose installed on your Linux machine. If not, here’s how to install them on Ubuntu:

# Update package list and install prerequisites
sudo apt update
sudo apt install -y apt-transport-https ca-certificates curl gnupg lsb-release

# Add Docker's official GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

# Set up the stable Docker repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker Engine components
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io

# Add your user to the 'docker' group to run Docker commands without sudo
sudo usermod -aG docker $USER
# You MUST log out and log back in, or run 'newgrp docker' for this change to take effect.
newgrp docker

# Install Docker Compose (always check GitHub for the absolute latest version if needed)
sudo curl -L "https://github.com/docker/compose/releases/download/v2.24.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Next, create a file named docker-compose.yml. Populate it with the following content. This configuration sets up all the necessary Greenbone components: Greenbone Vulnerability Manager Daemon (GVMd), Greenbone Security Assistant (GSA – the web UI), the OpenVAS scanner, a PostgreSQL database, and Redis.

# docker-compose.yml
version: "3.8"

services:
  gvmd:
    image: greenbone/gvmd:stable
    volumes:
      - gvmd_data:/var/lib/gvm
    environment:
      # !! IMPORTANT: Replace 'your_admin_password' with a strong, unique password !!
      - GVM_PASSWORD=your_admin_password
    restart: unless-stopped
    depends_on:
      - postgres
      - ospd-openvas

  gsa:
    image: greenbone/gsa:stable
    ports:
      # Maps HTTPS port 443 on your host to HTTP port 80 inside the container
      # Access the web UI via https://localhost or https://your_server_ip
      - "443:80"
    restart: unless-stopped
    depends_on:
      - gvmd

  ospd-openvas:
    image: greenbone/ospd-openvas:stable
    restart: unless-stopped
    volumes:
      - openvas_plugins:/var/lib/openvas/plugins
      - openvas_gnupg:/etc/openvas/gnupg
    depends_on:
      - redis

  postgres:
    image: postgres:13
    environment:
      - POSTGRES_DB=gvmd
      - POSTGRES_USER=gvm
      # !! IMPORTANT: Replace 'your_postgres_password' with a strong, unique password !!
      - POSTGRES_PASSWORD=your_postgres_password
    volumes:
      - postgres_data:/var/lib/postgresql/data
    restart: unless-stopped

  redis:
    image: redis:6-alpine
    restart: unless-stopped

volumes:
  gvmd_data:
  openvas_plugins:
  openvas_gnupg:
  postgres_data:

Critical Security Note: Before proceeding, remember to replace both your_admin_password and your_postgres_password with genuinely strong, unique credentials. Do not use default or weak passwords.

Now, deploy Greenbone by running Docker Compose in detached mode:

docker compose up -d

This command will download the necessary Docker images and launch all the Greenbone components. Be prepared for a wait. The initial setup, especially the synchronization of the Network Vulnerability Tests (NVTs) and the security feed, can take a significant amount of time—often several hours, depending on your internet connection and system resources. You can monitor the progress by checking the logs of the gvmd service:

docker logs -f gvmd

Watch for messages indicating that the feeds are fully updated and the scanner is ready for action.

Once all services are running and synchronized, you can access the Greenbone Security Assistant (GSA) web interface.

Open your web browser and navigate to https://localhost (if running on your local machine) or https://your_server_ip (if on a remote server). You’ll likely encounter a certificate warning because the connection uses a self-signed certificate. For a local setup, you can safely proceed past this warning.

Log in to the GSA using the username admin and the GVM_PASSWORD you specified in your docker-compose.yml file.

Running Your First Scan: A Step-by-Step Guide

  1. Define a Target: Inside the GSA interface, navigate to ConfigurationTargets. Click the “star” icon to create a new target.
    • Give your target a descriptive name (e.g., “MyLocalServer” or “WebFrontend”).
    • Enter the IP address or hostname of the system you wish to scan. For example, use 127.0.0.1 to scan the Docker host itself, or specify another IP on your local network.
    • Select an “Alive Test” method, such as “ARP Ping” or “TCP-ACK Ping”, to ensure the target is reachable.
    • Finally, save your new target.
  2. Create a Task: Next, go to ScansTasks. Click the “star” icon to initiate a new task.
    • Assign a name to your task (e.g., “WeeklyServerAudit”).
    • Choose a “Scan Config” appropriate for your needs. Options include “Full and fast” for a quicker overview or “Full and deep” for a more thorough analysis.
    • Select the “Target” you just created from the dropdown menu.
    • You can either set up a schedule for recurring scans or simply leave it as “Run Once” for an immediate scan.
    • Click “Create” to finalize the task.
  3. Start the Scan: Once the task has been created, locate it in the list and click the “Play” icon next to its name to begin the scan. The task will progress through several states: “Requested,” “Queued,” “Running,” and eventually “Done.” Be aware that comprehensive scans can take a considerable amount of time to complete.

Interpreting Your Results: What to Look For

After the scan status shows “Done,” click on the task’s name within the ScansTasks list to view the detailed report.

The report will provide a prioritized list of discovered vulnerabilities, complete with essential details:

  • Severity: A numerical score, typically from 0 to 10, indicating the potential impact of the vulnerability.
  • Vulnerability Name: A clear, descriptive title for each identified issue.
  • Solution: Concrete recommendations on how to fix the vulnerability.
  • Affected Host: The specific IP address or hostname where the vulnerability was found.

Always prioritize addressing high-severity vulnerabilities first. For every finding, carefully read the provided solution and implement the recommended patches, configuration changes, or software updates.

After you’ve applied a fix, it’s considered best practice to run a follow-up scan. This verifies that the vulnerability has indeed been resolved and that no new issues were introduced. This continuous cycle of scanning, remediating, and verifying forms the bedrock of effective vulnerability management.

Conclusion: Embracing Proactive Security

Ignoring system vulnerabilities is like leaving your front door wide open in a busy city. It’s not a question of *if* someone will find it, but *when*. OpenVAS/Greenbone, with its robust scanning capabilities and extensive NVT database, offers a powerful open-source solution. It helps you identify these critical weaknesses long before they can be exploited by malicious actors.

By integrating OpenVAS/Greenbone into your security workflow, you gain invaluable insight into your system’s overall security posture. This tool empowers you to shift from a reactive stance—constantly patching breaches after they occur—to a proactive one, where you actively strengthen your defenses. Remember, cybersecurity isn’t a one-time setup; it’s an ongoing commitment. Regular scanning and diligent remediation are fundamental practices for maintaining a secure and resilient IT environment.

Share:
Tags: