Tag Archives: security


Openvas installation in CentOS 7

What is Openvas?

OpenVAS (Open Vulnerability Assessment System, originally known as GNessUs) is a software framework of several services and tools offering vulnerability scanning and vulnerability management.

All OpenVAS products are free software, and most components are licensed under the GNU General Public License (GPL). Plugins for OpenVAS are written in the Nessus Attack Scripting Language, NASL.

The primary reason to use this scan type is to perform comprehensive security testing of an IP address. It will initially perform a port scan of an IP address to find open services. Once listening services are discovered they are then tested for known vulnerabilities and misconfiguration using a large database (more than 53000 NVT checks). The results are then compiled into a report with detailed information regarding each vulnerability and notable issues discovered.

Once you receive the results of the tests, you will need to check each finding for relevance and possibly false positives. Any confirmed vulnerabilities should be re-mediated to ensure your systems are not at risk.

Vulnerability scans performed from externally hosted servers give you the same perspective as an attacker. This has the advantage of understanding exactly what is exposed on external-facing services.

Step 1: Disable SELinux


sed -i ‘s/=enforcing/=disabled/’ /etc/selinux/config


and reboot the machine.

Step 2:  Install dependencies


yum -y install wget rsync curl net-tools


Step 3: Install OpenVAS repository

install the official repository so that OpenVAS works appropriately in the analysis of vulnerabilities.


wget -q -O – http://www.atomicorp.com/installers/atomic |sh


Step 4: Install OpenVAS


yum -y install openvas


Step 5: Run OpenVAS

Once OpenVAS is installed, we continue to start it by executing the following command:




Once downloaded it will be necessary to configure the GSAD IP address, Greenbone Security Assistant, which is a web interface to manage system scans.

Step 6: Configure OpenVAS Connectivity

We go to our browser and enter the IP address of the CentOS 7 server where we have installed OpenVAS, and we will see that the following message is displayed:

Openvas dashboard


Automatic NVT Updates With Cron


35 1 * * * /usr/sbin/greenbone-nvt-sync > /dev/null
5 0 * * * /usr/sbin/greenbone-scapdata-sync > /dev/null
5 1 * * * /usr/sbin/greenbone-certdata-sync > /dev/null



How to use ipset command on linux to block bulk IPs

ipset is a companion application for the iptables Linux firewall. It allows you to setup rules to quickly and easily block a set of IP addresses, among other things.


Debian based system

“`# apt install ipset“`

Redhat based system

“`# yum install ipset“`

Blocking a list of network

Start by creating a new “set” of network addresses. This creates a new “hash” set of “net” network addresses named “myset”.

# ipset create myset hash:net


# ipset -N myset nethash

Add any IP address that you’d like to block to the set.

# ipset add myset
# ipset add myset
# ipset add myset
# ipset add myset

Finally, configure iptables to block any address in that set. This command will add a rule to the top of the “INPUT” chain to “-m” match the set named “myset” from ipset (–match-set) when it’s a “src” packet and “DROP”, or block, it.

# iptables -I INPUT -m set --match-set myset src -j DROP

Blocking a list of IP addresses

Start by creating a new “set” of ip addresses. This creates a new “hash” set of “ip” addresses named “myset-ip”.

# ipset create myset-ip hash:ip


# ipset -N myset-ip iphash

Add any IP address that you’d like to block to the set.

# ipset add myset-ip
# ipset add myset-ip

Finally, configure iptables to block any address in that set.

# iptables -I INPUT -m set --match-set myset-ip src -j DROP

Making ipset persistent

The ipset you have created is stored in memory and will be gone after reboot. To make the ipset persistent you have to do the followings:

First save the ipset to /etc/ipset.conf:

# ipset save > /etc/ipset.conf

Then enable ipset.service, which works similarly to iptables.service for restoring iptables rules.

Other Commands

To view the sets:

# ipset list


# ipset -L

To delete a set named “myset”:

# ipset destroy myset


# ipset -X myset

To delete all sets:

# ipset destroy

How to chat securely using Pidgin and OTR

These days surveillance news are coming out frequently. After Snowden’s revelation if you’r suffering from paranoia and want to secure your digital presence, follow this tutorial to communicate securely.

  1. Install Pidgin chat client.
    • for ubuntu –
      apt-get install pidgin
    • for arch linux –
      sudo pacman -S pidgin
    • also you can download it manually from here & then install it as per instructions
  2. Install OTR plugin of Pidgin.
    • for ubuntu –
      apt-get intall pidgin-otr
    • for arch linux –
      sudo pacman -S pidgin-otr
  3. Now start Pidgin. It will show ‘Accounts’ Popup. Click on ‘Add’ button. add
  4. Now you will get ‘Add Account’ popup.
  5. Now configure new account as follows.
    • Tab ‘Basic’
      • Login Options
        • Protocol : XMPP (don’t use ‘Facebook XMPP’)
        • Username: (don’t use a username which will somehow connected to real you)
        • jabber.rayservers.com
        • leave blank
        • enter password you want
      • User Options
        • Local alias : Leave blank
        • New mail notifications : DO NOT check
        • Use this buddy icon : check if you want
        • Create this new account on the server : MUST checkadd-account-1
    • Tab ‘Advanced’
      • Connection security : Require Encryption
      • Allow plaintext auth over unencrypted streams : DO NOT check
      • Connect port : 5222
      • Show Custom Smileys : check
      • Create this new account on the server : MUST check add-account-2
    • Tab ‘Proxy’
      • Proxy type : Use Global Proxy Settings
      • Create this new account on the server : MUST check add-account-3
    • Tab ‘Voice and Video’
      • Use silence suppression : leave default
      • Create this new account on the server : MUST check add-account-4
  6. Now to add this new account, click on ‘Add’
  7. Wait for few seconds. Popup will come for ‘SSL Certificate Verification’. Click on ‘Accept’. Cross-check ‘Certificate Information’. Then ‘Accept’ cetificate. cert-1 cert-2
  8. Now you will get popup saying ‘Register New XMPP Account’. Click on ‘Register’.
  9. From top menus select
    Tools -> Plugins -> Off-The-Record Messaging (MUST checked)
  10. Click on ‘Configure Plugin’
  11. Configure ‘Off-the-record Messaging’ popup as follows, otr-1
    • My Private Keys –
      • Click on ‘Generate’ if you get message ‘No key present’. Generating keys takes time. When keys are getting generated try to do some CPU intensive work to add more entropy.
    • Default OTR Settings – Check all
      • Enable private messaging – check
      • Automatically initiate private messaging – check
      • Require private messaging – check
      • Don’t log OTR conversations – check
    • OTR UI Options
      • Show OTR button in toolbar – check
  12. Once key is generated, click on ‘Close’ to close popup windows of ‘Off-the-record Messaging’ & ‘Configure plugin’.
  13. Now in top window ‘Buddy List’ ,
    Tools -> Preferences -> Logging -> Do NOT check any options here & close popup. otr-4
  14. Now enable your new account as,
    Accounts -> Enable account -> Select newly created account
  15. Now to add buddy,
    Buddies -> Add buddy
  16. In ‘Add Buddy’ popup, enter ‘Buddy’s username’ – something like ‘foo@bar.qux.com’.  Optionally you can add ‘Alias name’ for ease. Here important thing to remember is, once you add buddy it will appear in your buddy list only after authorization of your buddy.
  17. Now if you add buddy successfully and he is online & double-click on buddy and start to chat.
  18. Here you will get another private messaging window. Don’t forget to ‘Start OTR’ here & to Authenticate your buddy.
  19. Further, you can use Tor with Pidgin to circumvent IP address.

How to secure yourself with GPG

Generate your key

  1. Run following command in your shell,
    gpg --gen-key
  2. Now program will ask you to choose couple of options, use following preferences
  3.  Please select what kind of key you want: 1    RSA and RSA (default)
  4.  What keysize do you want? (2048) 4096
  5.  Key is valid for? (0) 0
  6. Is this correct? (y/N) y
  7. Now enter name, email and comment message.
  8. Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? o
  9. Finally, enter a passphrase to protect your secret key.

Edit your key

We can later edit key to use other options.
e.g Lets set our key to use stronger hashes.

  1. Edit key using following command,
     gpg --edit-key test@example.com
  2. Now set hash preferences as follows,
    gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP
  3.  Really update the preferences? (y/N) y
  4. Enter your passphrase
  5. Save new preferences by command,

Make available your key

There are 2 ways to make available your key to other users.

  1. Give them manually. Use following command,
    gpg --armor --export test@example.com

    You will get your public key. Copy and paste it and send to other user.

  2. Upload to key server. You can do this again using 2 ways. One is using, forms available on server. While for second way, first grab your id using following command’s output & then upload to keyservers like http://pgp.mit.edu/
gpg --send-keys --keyserver pgp.mit.edu <key-id>


Importing other keys

  1. Import other user’s keys. We can import keys of other users with multiple ways. From text file – If someone sends you text file containing his public key, import it as,
     gpg --import <pub_key_file>

    From key server – There are some popular key serves which host public keys.
    One of such server is `http://pgp.mit.edu`. Here you can search particular user’s key as follows,

    gpg --keyserver pgp.mit.edu --search-keys <string>
  2. Validate key. The easy way to validate person’s identification is match fingerprint of key.
    gpg --fingerprint test@example.com
  3. Sign imported key as,
    gpg --sign-key test@example.com
  4. Optionally you can send back signed key

Using gpg key

  • To encrypt message using your key use following command,
    gpg --encrypt --sign --armor -r test@example.com <filename>
  • To decrypt file,
     gpg <filename>

    Creating revocation certificate

There is always possibility that your master key-pair may get lost. (and may be stolen if you are unfortunate). If this happen, you must tell other people to not use your public key. This can be done using revocation certificate. Generate revocation certificate using following command,

gpg --output \<test@example.com\>.gpg-revocation-certificate --gen-revoke test@example.com

Store it safe somewhere separately from master key-pair

Some useful commands

  • List available keys,
    gpg --list-keys
  • Update key information,
     gpg --refresh-keys