Appliance Guide Version 1.0
Contents

Revision history
Getting Started
Getting to Know the R7-3000/5000/5000x
Getting to Know the R7-1000
Setting Up the Appliance
Logging in to the Appliance
Configuring Network Settings
Identifying the Nexpose Appliance Type
Adding a Scan Engine (NSE Only)
Logging in to the Web Interface (NSC Only)
Identifying the operating system
Identifying the appliance model and serial number
Common Operations and Maintenance Tasks
Appliance Models

Revision history

Date             Revision
August 25, 2016  First version of guide published.

Getting Started

The Nexpose Appliance is a preconfigured server that enables you to assess vulnerabilities in your internal network devices and websites, manage vulnerability data, and mitigate threat exposures. You can deploy as many appliances as you need to build a scalable and robust vulnerability management solution on site. Read on to learn how to set up the R7-1000/3000/5000/5000x.

Before you begin

Before you can set up the appliance, you'll need to have the following items available:

- Rack cabinet enclosure (if you plan to rack mount the appliance)
- Phillips screwdriver (if you plan to rack mount the appliance)
- RJ-45 Ethernet cable
- Monitor
- Keyboard
- Mouse

When you are ready to set up the appliance, you'll need to:

- Verify that the box contains the appliance and power cords. If any items are missing or damaged, please contact our support team.
- Remove the appliance and power cords from the box.
- Install the Nexpose Appliance into a server rack. Use the following guides to show you how to install the server into a rack:
    R7-3000/R7-5000(x) - DL380 Gen9 Server User Guide
    R7-1000 - DL120 Gen9 Server User Guide
- Make sure that the Nexpose Security Console is online and its Web interface is accessible if you are setting up a Nexpose Scan Engine.

Set up overview

The general set up instructions for the Nexpose Security Console and the Nexpose Scan Engine are very similar. However, if you have purchased a Scan Engine, there are additional steps that you will need to perform to connect it to the Nexpose Security Console.

Generally, the set up steps for the Nexpose Security Console and Nexpose Scan Engine appliances include:

1. Installing the appliance into a server rack.
2. Connecting the peripherals to the appliance.
3. Connecting the appliance to the network.
4. Powering on the appliance.
5. Logging into the appliance.
6. Configuring the network settings for the appliance.

If you have purchased a Nexpose Scan Engine, you'll also need to:

1. Verify that the Nexpose Security Console is online and its web interface is accessible.
2. Add the Nexpose Scan Engine through the Security Console web interface.
3. Pair the Security Console with the Scan Engine.
4. Verify that the Scan Engine has successfully paired with the Security Console.

Getting to Know the R7-3000/5000/5000x

Now that you've unpacked everything, you're ready to set up the appliance. If you are setting up the R7-3000/5000/5000x, you'll need to be able to identify the RJ-45 port, power supply, VGA port, and USB ports to set up the appliance. Let's take a look at the rear view:

Item  Name
1     PCI Express slots 1 (top), 2 (center), and 3 (bottom)
2     Extra PCI Express slots 4 (top), 5 (center), and 6 (bottom); requires second riser card and second processor
3     Serial port
4     Power supply 1
5     Power supply 2
6     VGA connector
7     1GbE RJ-45 port 4
8     1GbE RJ-45 port 3
9     1GbE RJ-45 port 2
10    1GbE RJ-45 port 1
11    iLO connector
12    USB 3.0 connector 1
13    USB 3.0 connector 2
14    FlexibleLOM ports

Getting to Know the R7-1000

If you are setting up the R7-1000, you'll need to be able to identify the power supply, RJ-45 ports, VGA port, and USB ports to set up the appliance. Let's take a look at the rear view:

Item  Name
1     PCI Express slot 3
2     PCI Express slot 2
3     PCI Express slot 1
4     Non-hot-plug power supply
5     Power supply power connection
6     1GbE RJ-45 port 1 and 2
7     VGA connector
8     USB 3.0 connectors

Setting Up the Appliance

You're now ready to set up the appliance.

Step 1: Connect the appliance to the network

The Nexpose Appliance connects like any other computer to a switch on your network. To set up the network connection, connect one end of an Ethernet cable to the Ethernet LAN port labeled ETH0 or 1 on the appliance. Connect the other end of the Ethernet cable to a network jack.

Step 2: Connect the appliance to peripherals

The next thing you need to do is connect the appliance to a monitor, keyboard, and mouse. To attach the peripherals, connect the monitor to the VGA port and connect the keyboard and mouse to the USB ports on the back of the appliance.

Step 3: Connect the appliance to a power supply

The appliance is now ready to be powered on. Plug one end of the power cord into a power strip and the other end into the AC power plug on the appliance. Press the Power button located on the front of the appliance to turn it on and start the boot-up process.

The first time you boot up the appliance, it attempts to use DHCP to configure network settings for NIC 1 (ETH0). The process may take up to five minutes. If DHCP IPs are not available, you will need to configure a static IP. After the boot-up process completes, you can log into the system to configure your network settings.

Logging in to the Appliance

When your appliance boots up, it will present you with a login prompt. To log in to the appliance, you will need to provide the default credentials:

Username: administrator
Password: rapid7

You will be prompted to re-enter the password and enter a new password to continue.

Note: A dictionary word cannot be used for your new OS or SSH password.

After logging in, you will be able to configure your network settings. If you need static IP addressing, please read the next section. If your environment requires DHCP, you can skip to the section on identifying the Nexpose Appliance type.

Configuring Network Settings

The first time you switch on the appliance, Nexpose attempts to use DHCP to configure network settings for NIC 1 (ETH0). If Nexpose is unable to configure the appliance settings, you'll need to manually configure the network settings.

Setting up a static IP for the appliance

To add a static IP address for your appliance, you will need to edit the /etc/network/interfaces file. In a terminal, type the following:

    $ nano /etc/network/interfaces

Edit the following values:

    auto eth0
    iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    network 192.168.0.0 (Optional)
    broadcast 192.168.0.255
    gateway 192.168.0.1

To save the file, use the key combination of Ctrl+N and follow the prompts.

When you are done, you will need to run the following command to restart the networking service:

    $ ifdown eth0 && ifup eth0

To verify changes to the configuration, run the following command:

    $ ifconfig eth0

Adding DNS server information

After you've configured the static IP address for the appliance, you'll need to update the DNS information in the resolv.conf file.

Run the following to edit the file:

    $ nano /etc/resolv.conf

The entries should be similar to the example below:

    nameserver <PRIMARY DNS IP ADDRESS (can be multiple *add more lines)>
    search <LOCAL DNS SEARCH PATHS (can be multiple * separated by spaces)>

When you are done, you will need to run the following command to restart the networking service:

    $ ifdown eth0 && ifup eth0

To verify changes to the configuration, run the following command:

    $ ifconfig eth0

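A consistency check for the static stanza described under "Setting up a static IP for the appliance", useful before restarting eth0 on a machine you reach over the network. This is an added example, not part of the Rapid7 guide; the function names and the sample stanza are constructed for illustration.

```shell
# Added example, not from the guide: check that the address, netmask, network,
# broadcast and gateway lines of a static stanza agree with each other.

# Dotted quad -> integer on stdout; non-zero status if malformed.
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Reads a stanza on stdin, prints one line per problem, returns the problem count.
check_stanza() {
    addr='' mask='' net='' bcast='' gw='' bad=0
    while read -r key val rest; do
        case "$key" in
            address) addr=$val ;; netmask) mask=$val ;; network) net=$val ;;
            broadcast) bcast=$val ;; gateway) gw=$val ;;
        esac
    done
    a=$(ip_to_int "$addr") && m=$(ip_to_int "$mask") ||
        { echo "address or netmask missing or malformed"; return 1; }
    inv=$(( ~m & 0xFFFFFFFF ))
    [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "netmask $mask is not contiguous"; bad=$((bad + 1)); }
    want_net=$(int_to_ip $(( a & m ))); want_bcast=$(int_to_ip $(( (a & m) | inv )))
    [ -z "$net" ] || [ "$net" = "$want_net" ] ||
        { echo "network $net should be $want_net"; bad=$((bad + 1)); }
    [ -z "$bcast" ] || [ "$bcast" = "$want_bcast" ] ||
        { echo "broadcast $bcast should be $want_bcast"; bad=$((bad + 1)); }
    [ -z "$gw" ] || { g=$(ip_to_int "$gw") && [ $(( g & m )) -eq $(( a & m )) ]; } ||
        { echo "gateway $gw is outside $want_net/$mask"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample: the broadcast belongs to a /25 but the netmask is a /24.
check_stanza <<'EOF' || echo "fix the stanza before restarting eth0"
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
broadcast 192.168.0.127
gateway 192.168.0.1
EOF
```

On the appliance, feed it the real file: check_stanza < /etc/network/interfaces
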
Identifying the Nexpose Appliance Type

As previously mentioned, the Nexpose Appliance is a scalable solution, which means that you can deploy multiple instances of it. Each appliance can either act as a Nexpose Scan Engine (NSE) or Nexpose Security Console (NSC).

The Nexpose Scan Engine discovers assets during scans and checks them for vulnerabilities or policy compliance. The Nexpose Security Console is an engine that has a web interface and reporting capabilities. You can think of the Security Console as an engine that controls multiple engines and integrates their data into the database for display and reporting.

Identifying the appliance type

To determine whether your appliance is a Nexpose Security Console or a Nexpose Scan Engine, you'll need to check for the nsc folder in /opt/rapid7/nexpose. If it exists, the appliance is a Security Console. If it does not have an nsc folder, it is a Scan Engine.

To see if the /opt/rapid7/nexpose/nsc path exists, run the following command:

    $ ls -al /opt/rapid7/nexpose/nsc

If the contents of the nsc folder are listed, the appliance is a Security Console; otherwise, it is a Scan Engine.

Adding a Scan Engine (NSE Only)

If you are setting up a Nexpose Scan Engine, the last thing you need to do is add it to the Security Console and pair them together. If you are setting up a Nexpose Security Console, you can skip to the next section on logging into the Web interface.

Adding a Scan Engine to the Security Console

1. Start a Web browser and log in to the Security Console Web interface.
2. Go to the Administration page.
3. Find the "Scan Options" section and select the Create option for Engines.
4. Enter the address and port number the Scan Engine will use to listen for communication from the Security Console.
5. Save the new Scan Engine.

After you add the engine, the Security Console creates the consoles.xml file. You will need to edit this file in the pairing process.

Pairing the Scan Engine with the Security Console

1. Open the consoles.xml file using a text editing program, like nano. The consoles.xml file is located in the [installation_directory]/nse/conf directory on the Scan Engine.
2. Locate the line for the console that you want to pair with the engine. The console will be marked by a unique identification number and an IP address.
3. Change the value for the Enabled attribute from 0 to 1.
4. Save and close the file.
5. Restart the Scan Engine, so that the configuration change can take effect.

After you add and pair your Scan Engine, it is ready to be used.

Logging in to the Web Interface (NSC Only)

The Nexpose Security Console comes with a Web interface that you can use to manage your vulnerability scans, scan results, and other scan engines. You perform all tasks with Nexpose through the Security Console Web interface.

To access the Security Console, start a Web browser and navigate to the IP address of the appliance and specify the port. The default port number is 3780. You'll need to make sure you specify HTTPS when you are entering the URL. An example of an address for the Security Console would be https://192.168.1.1:3780.

When the browser displays the login page for the Nexpose Security Console, you'll need to enter your credentials. The first time you log in to the Security Console, you'll need to use the default credentials:

Username: nxadmin
Password: nxpassword

After you log in successfully, you will be ready to start using Nexpose.

Can't access the Web interface?

Make sure to specify an HTTPS connection and the correct port number when entering the IP address of your Appliance. If you have properly entered the address and still cannot connect, it's possible that a firewall may be blocking you from reaching Nexpose. Check your firewall settings.

Identifying the operating system

To identify the operating system running on the appliance, you can run the following command:

    $ lsb_release -a

The results display the operating system:

    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 14.04.3 LTS
    Release:        14.04
    Codename:       trusty

Identifying the appliance model and serial number

To identify the appliance model and serial number, you can run the following command:

    $ cat /etc/r7appliance/info

Running the command returns the following information:

    MODEL=R7-1000
    CHASSIS_SN=2M25240848
    IMAGE_SN=7a37dfa299d043bdf419580d05496a23
    IMAGE_REVISION=r06
    ORIGINAL_KERNEL=3.13.0-74-generic
    INSTALLATION_TIMESTAMP='Thu Feb 4 22:51:30 UTC 2016'

The model number in this example is 'R7-1000' and the chassis serial number is '2M25240848'.

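The nsc directory check from "Identifying the appliance type" and the /etc/r7appliance/info fields above can be combined into a single inventory record per appliance. This is an added example, not part of the Rapid7 guide: the function names and the ROOT parameter are hypothetical, the sample tree is constructed, and it assumes ORIGINAL_KERNEL records the kernel the image shipped with.

```shell
# Added example, not from the guide: one-line inventory record for an appliance.

# Print the value of KEY from a KEY=VALUE file without sourcing it, so nothing
# in the file is ever executed. Surrounding single quotes are removed.
info_field() {   # usage: info_field FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed "s/^'\(.*\)'\$/\1/"
}

# Security Console if the nsc directory exists under ROOT, otherwise Scan Engine.
# ROOT is a hypothetical parameter so the check can run against a test tree.
appliance_role() {
    if [ -d "$1/opt/rapid7/nexpose/nsc" ]; then echo NSC; else echo NSE; fi
}

# ASSUMPTION: ORIGINAL_KERNEL is the kernel the image shipped with, so a match
# with the running kernel means no newer kernel has been booted since imaging.
kernel_state() {   # usage: kernel_state INFO_FILE RUNNING_KERNEL
    if [ "$(info_field "$1" ORIGINAL_KERNEL)" = "$2" ]; then echo original; else echo updated; fi
}

inventory_line() {   # usage: inventory_line ROOT RUNNING_KERNEL
    info="$1/etc/r7appliance/info"
    [ -r "$info" ] || { echo "cannot read $info" >&2; return 1; }
    printf 'model=%s serial=%s role=%s kernel=%s\n' \
        "$(info_field "$info" MODEL)" "$(info_field "$info" CHASSIS_SN)" \
        "$(appliance_role "$1")" "$(kernel_state "$info" "$2")"
}

# Constructed test tree standing in for a Security Console filesystem.
demo=$(mktemp -d)
mkdir -p "$demo/etc/r7appliance" "$demo/opt/rapid7/nexpose/nsc"
printf 'MODEL=R7-TEST\nCHASSIS_SN=SN-EXAMPLE\nORIGINAL_KERNEL=1.0.0-test\n' > "$demo/etc/r7appliance/info"
inventory_line "$demo" "1.0.1-test"
rm -rf "$demo"
```

On an appliance, run it against the live filesystem: inventory_line "" "$(uname -r)"
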
Common Operations and Maintenance Tasks

The following sections provide you with information on how to perform some common operations and maintenance tasks, such as configuring the NTP service, backing up your data, and recovering a forgotten password.

Configuring the NTP service

You can use the Network Time Protocol (NTP) to synchronize time between computer systems over the network. Type the following to configure the appliance to use your time server:

    $ sudo nano /etc/openntpd/ntpd.conf

Running the command returns the following information:

    servers 0.debian.pool.ntp.org
    servers 1.debian.pool.ntp.org
    servers 2.debian.pool.ntp.org
    servers 3.debian.pool.ntp.org

Add your server's fully qualified domain name to the end of the file and save it. After the configuration file is updated, run the following command to restart the NTP services:

    $ sudo service openntpd restart

To verify that the NTP service is synchronizing to the remote NTP servers, run the following command:

    $ sudo openntpd -d

An example of output demonstrating successful synchronization is shown below:

    ntp_adjtime returns frequency of 0.000000ppm
    ntp engine ready
    reply from 216.75.56.132: offset -0.004655 delay 0.009308, next query 9s
    reply from 192.155.81.203: offset -0.008303 delay 0.010795, next query 5s
    reply from 204.2.134.162: offset 0.003466 delay 0.010629, next query 8s
    reply from 45.79.78.173: offset -0.002455 delay 0.010835, next query 7s
    reply from 107.170.242.27: offset -0.000492 delay 0.014363, next query 8s

Configuring rsyslog for remote syslog management

Rsyslog provides support for message logging and forwarding log messages remotely. Support of both internet and unix domain sockets enables this utility to support both local and remote logging.

The rsyslog daemon is responsible for listening to log messages from different parts of a Linux system and routing the messages to the appropriate log file in the /var/log directory. It can also forward log messages to another Linux server.

Basically, the rsyslog.conf file tells the rsyslog daemon where to save its log messages. This instruction comes from a series of two-part lines within the file. This file can be found at /etc/rsyslog.d/50-default.conf in your appliance.

You will need a copy of rsyslog running on a remote machine which will be receiving the logs from your existing server. This setup allows retrieval of your logs in cases where your appliance crashes or is otherwise inaccessible.

You can find more information on configuring rsyslog on your server at http://manpages.ubuntu.com/manpages/trusty/man5/syslog.conf.5.html.

Updating the operating system

You can periodically update the system by running the following commands:

    $ sudo apt-get update
    $ sudo apt-get upgrade

You can also enable automatic security updates by opening the /etc/apt/apt.conf.d/30r7applaptupdate file and changing APT::Periodic::Enable to 1.

Backing up your data

Running regularly scheduled backup and restore routines ensures full recovery of the Security Console in the event of hardware failure. It is also best practice for archiving all scan data and configurations at any point in time.

For details on the backup process, refer to the Nexpose Administrator's Guide under the Performing a Backup section.

Reset the root password

If you have lost or forgotten the password for your appliance, you will need to boot the appliance into single user mode to reset it. To learn how to boot the appliance into this mode, please read http://askubuntu.com/questions/24006/how-do-i-reset-a-lost-administrative-password.

Appliance Models

R7-5000X series appliance specs

Operating System: Ubuntu 14.04 LTS
Memory: 256 GB
CPU: (2) Intel Xeon E5-2609 v3 @ 1.9 GHz
Storage: 8 TB on a RAID 10 Array with 16 drives

R7-5000 series appliance specs

Operating System: Ubuntu 14.04 LTS
Memory: 128 GB
CPU: (2) Intel Xeon E5-2609 v3 @ 1.9 GHz
Storage: 4 TB on a RAID 10 Array with 16 drives

R7-3000 series appliance specs

Operating System: Ubuntu 14.04 LTS
Memory: 64 GB
CPU: (2) Intel Xeon E5-2609 v3 @ 1.9 GHz
Storage: 2 TB on a RAID 10 Array with 8 drives

R7-1000 series appliance specs

Operating System: Ubuntu 14.04 LTS
Memory: 16 GB
CPU: (2) Intel Xeon E5-2603 v3 @ 1.6 GHz
Storage: 1 TB on a RAID 1 Array on 2 drives