How to make OpenVAS listen on an external interface?

I need to connect to my OpenVAS from the Internet to conduct penetration tests.

I didn't find any way to make it permanently listen on the external interface: openvas-start causes it to listen on 127.0.0.1.

I already tried to modify the configuration files, but it seems either I'm doing it wrong or something is overriding configurations when it starts.

Any help would be appreciated.

P.S: I'm using Kali 2.0.


Solution 1:

Since we're on systemd, you actually need to modify 3 .service files:

cd /lib/systemd/system

Files are: greenbone-security-assistant.service, openvas-manager.service and openvas-scanner.service.

To make it quick, you may want to use sed. This line will replace all 127.0.0.1 with 0.0.0.0, which will allow all services to be available on all interfaces. You should replace 0.0.0.0 with the address of your choice.

sed -e 's/127.0.0.1/0.0.0.0/g' greenbone-security-assistant.service openvas-manager.service openvas-scanner.service

Verify that everything will be done as you want. If you're happy with the changes, just add -i to the end of the previous command.

sed -e 's/127.0.0.1/0.0.0.0/g' greenbone-security-assistant.service openvas-manager.service openvas-scanner.service -i

Lastly, you need to reload the daemons, since you've made changes to the files, and restart the services.

systemctl daemon-reload
systemctl restart greenbone-security-assistant.service openvas-manager.service openvas-scanner.service

Verify that all services are listening on the desired host:

ss -nalt

If restarting the services didn't work, try restarting the server itself.
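
The `ss -nalt` check above, as an added example that is not part of the original answer: it classifies each listener as bound to loopback, one specific address, or all interfaces, which matters because the sed replacement exposes the manager and scanner as well as the web interface. Port 9392 comes from this page; 9390 and 9391 are assumed defaults, the function names are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: classify TCP listeners from `ss -nlt` output by bind scope.
# Port 9392 is taken from the page; 9390 and 9391 are assumed defaults for
# the manager and scanner and may differ on your install.

# Constructed sample of `ss -nlt` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:9390       0.0.0.0:*
LISTEN  0       128     0.0.0.0:9391         0.0.0.0:*
LISTEN  0       128     10.0.0.10:9392       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
EOF
}

# classify_listeners PORT... : reads ss output on stdin and prints
# "<port> <address> <scope>" for each listener on one of the given ports.
classify_listeners() {
    ports=" $* "
    awk -v ports="$ports" '
        $1 == "LISTEN" {
            # Split on the last colon so IPv6 forms like [::]:443 parse too.
            idx = match($4, /:[0-9]+$/)
            if (idx == 0) next
            addr = substr($4, 1, idx - 1)
            port = substr($4, idx + 1)
            if (index(ports, " " port " ") == 0) next
            if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
            else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") scope = "all-interfaces"
            else scope = "specific"
            print port, addr, scope
        }'
}

# exposed_ports PORT... : only the ports reachable from other hosts.
exposed_ports() {
    classify_listeners "$@" | awk '$3 != "loopback" { print $1 }' \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed sample; on a live host use:
#   ss -nlt | classify_listeners 9390 9391 9392
sample_ss_output | classify_listeners 9390 9391 9392
```

Any port reported as all-interfaces or specific should be covered by a firewall rule that limits which source addresses can reach it.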

Solution 2:

  1. openvas-stop
  2. gsad --listen=0.0.0.0
  3. openvas-start
  4. From any client machine try https://kali-ip/
  5. Enjoy accessing openvas web

Solution 3:

There is a much simpler solution. You can redirect the external IP port to localhost using the firewall. Assuming that your server's external IP is 10.0.0.10:

sysctl -w net.ipv4.conf.eth0.route_localnet=1

iptables -t nat -A PREROUTING -p tcp -d 10.0.0.10 --dport 443 -j DNAT --to-destination 127.0.0.1:9392

That's all, now connect to https://10.0.0.10

I also tried to edit the configuration IPs, but they are in many places and seem to break OMP authorization. This solution was tested with the latest Kali/OpenVAS (2016.09).

Solution 4:

Quoting the openvasd man page:

-a , --listen= Tell the server to only listen to connections on the address which is an IP, not a machine name. For instance, "openvasd -a 192.168.1.1" will make openvasd only listen to requests going to 192.168.1.1 This option is useful if you are running openvasd on a gateway and if you don't want people on the outside to connect to your openvasd.

You can append this option in the startup script located in /etc/init.d/openvas-scanner in the DAEMONOPTS constant.