Thanks for the suggestion. I have installed the Linux client, de-selected the unix username section in the preferences and exported my settings to a file. Then I ran my command with the -c myrcfile switch but it still went ahead and attacked the usernames, and this morning I have received another nastygram email from the security script, indicating there was a break-in attempt to this server in the last 24 hours.
I just ran the same command with the -V option and this is the output I got:

paranoia_level=2 but "trusted_ca"not set
*** The plugins that have the ability to crash remote services or hosts have been disabled. You should activate them if you want your security audit to be complete
attack|devserv03|2|15011
attack|devserv03|301|15011
attack|devserv03|601|15011
attack|devserv03|901|15011
attack|devserv03|1201|15011
attack|devserv03|1502|15011
attack|devserv03|1802|15011
attack|devserv03|2102|15011
attack|devserv03|2402|15011
attack|devserv03|2702|15011
attack|devserv03|3003|15011
attack|devserv03|3303|15011
attack|devserv03|3603|15011
attack|devserv03|3903|15011
attack|devserv03|4204|15011
attack|devserv03|4504|15011
attack|devserv03|4804|15011
attack|devserv03|5104|15011
attack|devserv03|5404|15011
attack|devserv03|5705|15011
attack|devserv03|6005|15011
attack|devserv03|6305|15011
attack|devserv03|6605|15011
attack|devserv03|6906|15011
attack|devserv03|7206|15011
attack|devserv03|7506|15011
attack|devserv03|7806|15011
attack|devserv03|8106|15011
attack|devserv03|8407|15011
attack|devserv03|8707|15011
attack|devserv03|9007|15011
attack|devserv03|9307|15011
attack|devserv03|9608|15011
attack|devserv03|9908|15011
attack|devserv03|10208|15011
attack|devserv03|10508|15011
attack|devserv03|10808|15011
attack|devserv03|11109|15011
attack|devserv03|11409|15011
attack|devserv03|11709|15011
attack|devserv03|12009|15011
attack|devserv03|12310|15011
attack|devserv03|12610|15011
attack|devserv03|12910|15011
attack|devserv03|13210|15011
attack|devserv03|13510|15011
attack|devserv03|13811|15011
attack|devserv03|14111|15011
attack|devserv03|14411|15011

I am wondering which one of these attacks is responsible for username scanning.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renaud Deraison
Sent: Thursday, October 04, 2007 12:56 PM
To: Nessus List
Subject: Re: How to prevent nessus from attacking common/bogus usernames with weak/default passwords

On Oct 4, 2007, at 9:30 PM, Burslan, Mel wrote:

> I am sorry but I could not figure out how to, One: specify
> a .nessusrc file on the command line: Two: and more importantly,
> how to tell which plug-in does what so that I can take out the
> bogus username scanning plug-in.
>
> And you are absolutely right. In my unix environment, 5 invalid
> logins and you are locked out, as well as any 5 break-in attempts
> and the sysadmin gets a "suspicious activity" titled trouble
> ticket, both of which I am trying to avoid/prevent.

I'd recommend you download NessusClient beta5, create a policy which disables the entire "Default Unix Accounts" family, and export it as a nessusrc file. Then you can perform your scan in command line by specifying your config file with the -c switch (nessus -c yourpolicy -q localhost 1241 ....)

-- Renaud

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
