1. Home
  2. Network Vulnerabilities
  3. How to remediate – Nessus TCP scanner
Searching...

How to remediate – Nessus TCP scanner

Contents

1. Introduction

The Nessus TCP scanner vulnerability means that someone can determine which ports are open on your systems. This allows attackers to identify services running and potentially find weaknesses to exploit. It affects any system connected to a network, particularly servers and firewalls. A successful attack could lead to information disclosure, service disruption, or remote code execution.

2. Technical Explanation

The Nessus TCP scanner works by attempting connections to various ports on a target machine. If a connection is established, it attempts to identify the service running on that port by grabbing available banners. This process is more noticeable than SYN scans because it completes full TCP handshakes. An attacker could use this information to focus their efforts on specific services with known vulnerabilities.

  • Root cause: The vulnerability lies in the fact that a TCP connection attempt reveals open ports, providing reconnaissance data.
  • Exploit mechanism: An attacker uses Nessus or similar tools to scan a target network and identify open ports. They then investigate those services for weaknesses. For example, an open port 25 could indicate a vulnerable SMTP server.
  • Scope: All TCP/IP based systems are potentially affected.

3. Detection and Assessment

You can confirm vulnerability by checking network traffic or running a port scan yourself. A thorough method involves reviewing firewall logs for connection attempts.

  • Quick checks: Use `netstat -an` on Linux/Unix systems to list open ports. On Windows, use `netstat -ano`.
  • Scanning: Nessus itself will identify this as an information gathering issue. Other scanners like Nmap can also detect open ports.
  • Logs and evidence: Examine firewall logs for TCP connection attempts. Look for connections originating from unknown sources or targeting unusual ports.
netstat -an | grep 80

4. Solution / Remediation Steps

Protect your systems by using IP filters to restrict access to unnecessary ports.

4.1 Preparation

  • Ensure you have documented the current firewall rules and can restore them if needed. A roll back plan involves reverting the IP filter configuration.
  • Changes should be made during a scheduled maintenance window with appropriate approval from IT management.

4.2 Implementation

  1. Step 1: Identify unnecessary open ports on your systems using `netstat` or similar tools.
  2. Step 2: Configure your firewall to block incoming connections to those ports. For example, using iptables on Linux: `iptables -A INPUT -p tcp –dport -j DROP`.
  3. Step 3: Save the firewall configuration and restart the firewall service if required.

4.3 Config or Code Example

Before

# No specific rules for port 80

After

iptables -A INPUT -p tcp --dport 80 -j DROP

4.4 Security Practices Relevant to This Vulnerability

Least privilege and network segmentation are key practices here.

  • Practice 1: Least privilege – only open ports required for essential services, reducing the attack surface.
  • Practice 2: Network segmentation – isolate sensitive systems to limit the impact of a compromised service.

4.5 Automation (Optional)

If suitable, provide a small script or infrastructure code that applies the fix at scale. Only include if safe and directly relevant.

#!/bin/bash
# Script to block unnecessary ports on Linux systems
ports_to_block=(80 21 23) # Example ports - adjust as needed
for port in "${ports_to_block[@]}"
do
  iptables -A INPUT -p tcp --dport $port -j DROP
  echo "Blocked port $port"
done

5. Verification / Validation

Confirm the fix by re-scanning your systems and verifying that the blocked ports are no longer accessible.

  • Post-fix check: Run `netstat -an` again to confirm the port is closed or `nmap ` and verify the port status shows “filtered”.
  • Re-test: Re-run the Nessus scan. The scanner should no longer report the ports as open.
  • Smoke test: Ensure that any services relying on allowed ports still function correctly (for example, web server access).
  • Monitoring: Monitor firewall logs for blocked connection attempts to the previously open ports.
nmap  | grep 80

6. Preventive Measures and Monitoring

Regular security baselines and vulnerability scanning are important.

  • Baselines: Update your security baseline to include a list of allowed ports based on the principle of least privilege.
  • Asset and patch process: Review firewall rules regularly as part of your asset management process.

7. Risks, Side Effects, and Roll Back

Blocking the wrong port could disrupt services. Always test changes thoroughly.

  • Risk or side effect 1: Blocking a required port can cause service outages. Mitigation: Test all changes in a non-production environment first.
  • Risk or side effect 2: Incorrect firewall configuration can lead to unexpected connectivity issues. Mitigation: Document all changes and have a roll back plan.
  • Roll back: Remove the added iptables rule using `iptables -D INPUT -p tcp –dport -j DROP` and restart the firewall service.

8. References and Resources

  • Vendor advisory or bulletin: No specific vendor advisory available for general TCP port scanning.
  • NVD or CVE entry: Not applicable – this is a standard reconnaissance technique, not a specific flaw.
  • Product or platform documentation relevant to the fix: iptables documentation.
Updated on December 27, 2025

Was this article helpful?

Yes No

Related Articles