How to add two-factor authentication to the Seccubus Automated Vulnerability Scanner
Ever since Frank Breedijk helped us out with an obscure Radius issue on a certain SSL-VPN (the shared secret had to be less than 8 characters!), we knew we owed him something. He mentioned that integrating WiKID & Seccubus would be a good idea since, in general, you want to know who is scanning your network. Because it has been close to a year and I hope to see Frank again in Vegas this summer, I thought it best I get it done. Also, the latest release of Seccubus is pretty slick and a bit easier to integrate :).
What is Seccubus?
Anyone who has ever used Nessus, OpenVAS, Nikto or another vulnerability scanner will be familiar with the drawback of such tools. Tools like Nessus are very valuable tools, but unfortunately the results contain a lot of noise. Time needed to interpret and create a report using the results of a scan will often be two or three times the time needed to do the actual scan. Seccubus was created in order to more effectively analyze the results of regular scans of the same infrastructure by efficiently interpreting results.
Download the latest Seccubus from Sourceforge. I used the RPM on a CentOS 5.4 system. Install the RPM:
# rpm -ivh Seccubus-2.0.xxx.rpm
There are a good number of prerequisites. Follow the instructions on setting up the MySQL database. Please refer to the Seccubus v-2 documentation for details on the install. I won't cover them here.
Once you have Seccubus installed, take a look at /etc/httpd/conf.d/Seccubus.conf. It should look like:
Alias /seccubus /opt/Seccubus/www
<Location /seccubus>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
    # Allow from .example.com
    AddHandler cgi-script .pl
    Options ExecCGI
</Location>
I wasn't running on the localhost, so I changed 127.0.0.1 to my desktop's IP address and verified that I could log in. I wanted to make sure that I could log in before I made any changes to add two-factor authentication.
Add Two-factor authentication
If you're using the open-source Community Edition of WiKID, I recommend using mod-auth-LDAP to incorporate two-factor authentication:
Alias /seccubus /opt/Seccubus/www
<Location /seccubus>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Seccubus www ldap"
    AuthLDAPRemoteUserIsDN off
    AuthLDAPRemoteUserAttribute uid
    AuthLDAPURL "ldap://<WiKID_server_IP>:389/domain=<your_WiKID_domain>?uid"
    AuthLDAPBindDN "cn=Directory Manager"
    AuthLDAPBindPassword "2Factor"
    AddHandler cgi-script .pl
    Require valid-user
    Options ExecCGI
</Location>
Restart Apache and try to log in with an OTP from your WiKID software token.
If you are using the WiKID Strong Authentication Server Enterprise Edition and you are using Radius already, I recommend you stick with that protocol. Running LDAP just for Apache introduces unnecessary complexity. Install mod-auth-xradius and use the following for your Seccubus.conf:
Alias /seccubus /opt/Seccubus/www
<Location /seccubus>
    AuthType Basic
    AuthBasicProvider xradius
    AuthName "Please enter your username and WiKID one-time passcode for entry to this site."
    AuthXRadiusAddServer "<WiKID_server_IP>:1812" "secret"
    AuthXRadiusTimeout 7
    AuthXRadiusRetries 2
    require valid-user
    # Allow from .example.com
    AddHandler cgi-script .pl
    Options ExecCGI
</Location>
Restart Apache and try to log in with an OTP from your WiKID software token.
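Before restarting Apache, either Seccubus.conf variant above can be checked for the directives that actually enforce the login. The following Python sketch is an added example, not part of the original post or of Seccubus or WiKID; the function name audit_location, the server address 192.0.2.10 and the shared secret in the sample are constructed for illustration.

```python
import re

# The two providers used above and the server directive each one needs.
PROVIDER_DIRECTIVE = {"ldap": "authldapurl", "xradius": "authxradiusaddserver"}

# Constructed sample: the RADIUS variant with placeholder values filled in.
SAMPLE = """\
Alias /seccubus /opt/Seccubus/www
<Location /seccubus>
    AuthType Basic
    AuthBasicProvider xradius
    AuthXRadiusAddServer "192.0.2.10:1812" "constructed-secret"
    require valid-user
</Location>
"""

def audit_location(conf_text, path="/seccubus"):
    """Return findings for the <Location path> block; an empty list means OK."""
    block, inside = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directives
        if re.fullmatch(r"<Location\s+%s/?>" % re.escape(path), line, re.I):
            inside = True
        elif inside and re.fullmatch(r"</Location>", line, re.I):
            break
        elif inside:
            block.append(line)
    else:  # loop ended without reaching a closing tag for the block
        return ["no complete <Location %s> block found" % path]
    directives = {}  # directive names are case-insensitive in Apache
    for line in block:
        parts = line.split(None, 1)
        directives.setdefault(parts[0].lower(), []).append(
            parts[1] if len(parts) > 1 else "")
    findings = []
    if [a.lower() for a in directives.get("authtype", [])] != ["basic"]:
        findings.append("AuthType Basic is not set")
    provider = " ".join(directives.get("authbasicprovider", [])).lower()
    needed = PROVIDER_DIRECTIVE.get(provider)
    if needed is None:
        findings.append("AuthBasicProvider is not ldap or xradius")
    elif needed not in directives:
        findings.append("provider %s is missing its server directive" % provider)
    if not any(a.lower() == "valid-user" for a in directives.get("require", [])):
        findings.append("Require valid-user is missing, so no login is enforced")
    findings += ["placeholder left in: " + a for v in directives.values()
                 for a in v if re.search(r"<\w+>", a)]  # e.g. <WiKID_server_IP>
    return findings

print(audit_location(SAMPLE))
```

Run against the original IP-restricted block, it reports all three authentication directives as missing, which confirms that the file has not yet been switched over.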
Update: This setup should also work for Seccubus version 1.
Kudos to the Seccubus project for creating such a great open-source security solution. Of course, with great power comes the need for great authentication ;).