How to add two-factor authentication to the Seccubus automated vulnerability scanner

With great power comes the need for great authentication :)

How to add two-factor authentication to the Seccubus Automated Vulnerability Scanner

Every since Frank Breedijk helped us out with an obscure Radius issue on a certain SSL-VPN (the shared secret had to be less than 8 characters!), we knew we owed him something. He mentioned that integrating WiKID & Seccubus would be a good idea since, in general, you want to know who is scanning your network. Because it is has been close to a year and I hope to see Frank again in Vegas this summer, I thought it best I get it done. Also, the latest release of Seccubus is pretty slick and a bit easier to integrate :).

What is Seccubus

Anyone who has ever used Nessus, OpenVAS, Nikto or another vulnerability scanner
will be familiar with the drawback of such tools. Tools like Nessus are very 
valuable tools, but unfortunately the results  contain a lot of noise. Time 
needed to interpret and create a report using the results of a scan will often be
two or three times the time needed to do the actual scan. 
Seccubus was created in order to more effectively analyze the results of regular 
scans of the same infrastructure by efficiently interpreting results.

Install Seccubus

Download the latest Seccubus from Sourceforge. I used the RPM on a Centos 5.4 system. Install the RPM:

# rpm -ivh Seccubus-2.0.xxx.rpm

There are a good number of prerequisites. Follow the instructions on setting up the mysql database. Please refer to the Seccubus v-2 documentation for details on the install. I won't cover them here.

Once you have Seccubus installed, take a look at /etc/httpd/conf.d/Seccubus.conf. It should like like:

Alias /seccubus /opt/Seccubus/www

</Location /seccubus>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
    # Allow from .example.com
    AddHandler cgi-script .pl
    Options ExecCGI 
</Location>
I wasn't running on the localhost, so I changed 127.0.0.1 to my desktop's IP address and verified that I could login. I wanted to make sure that I could login before I made any changes to add two-factor authentication.

Add Two-factor authentication

If you're using the open-source Community Edition of WiKID, I recommend using mod-auth-LDAP to incorporate two-factor authentication:

Alias /seccubus /opt/Seccubus/www
</Location /seccubus> 

   AuthType Basic
   AuthBasicProvider  ldap
   AuthName "Seccubus www ldap"
   AuthLDAPRemoteUserIsDN off
   AuthLDAPRemoteUserAttribute uid
   AuthLDAPURL "ldap://<WiKID_server_IP>:389/domain=<your_WiKID_domain>?uid"
   AuthLDAPBindDN "cn=Directory Manager"
   AuthLDAPBindPassword "2Factor"
   AddHandler cgi-script .pl
   Require valid-user
   Options ExecCGI
</Location>
Restart apache and try to login with an OTP from your WiKID software token.

If you are using the WiKID Strong Authentication Server Enterprise Edition and you are using Radius already, I recommend you stick with that protocol. Running LDAP just for Apache introduces unnecessary complexity. Install mod-auth-xradius and use the following for your Secubbus.conf:

Alias /seccubus /opt/Seccubus/www

<Location /seccubus>
   AuthType Basic
   AuthBasicProvider xradius
   AuthName "Please enter your username and WiKID one-time passcode for entry to this site."
   AuthXRadiusAddServer "<WiKID_server_IP:1812" "secret"
   AuthXRadiusTimeout 7
   AuthXRadiusRetries 2
   require valid-user
   # Allow from .example.com
   AddHandler cgi-script .pl
   Options ExecCGI
</Location>

Restart apache and try to login with an OTP from your WiKID software token.

Update:  This setup should also work for Seccubus version 1.

Kudos to the Seccubus project for creating such a great open-source security solution. Of course, with great power comes the need for great authentication ;).

Join our email list
How do I add two-factor auth?

Download a registration-free free eGuide on How to Add Two-factor Authentication to Your Network, complete with examples.

    Thanks for responding so fast! Great service.

    INFOSEC PRO
    SAN DIEGO, USA