Skip to content

Remote Scan#

A remote scan is a method where a server with the scanner program installed acts as a scanning server, logging into servers connected to the same network via SSH to perform a scan. By adding settings to the configuration file, you can perform scans without installing the scanner program on each server. Since it logs into the target servers via SSH, a user account capable of remote login from the scanning server is required.

graph LR
    %% Style Definitions
    classDef scannerStyle fill:#ff6b3588,stroke:#ff6b35,stroke-width:2px
    classDef targetStyle fill:#4a90e288,stroke:#4a90e2,stroke-width:2px
    classDef networkStyle fill:#6bb6ff22,stroke:#6bb6ff,stroke-width:2px,stroke-dasharray:10 5
    classDef futureStyle fill:#fdcb6e88,stroke:#fdcb6e,stroke-width:2px

    %% Node Definitions
    subgraph LocalNetwork["Local Network"]
        Scanner["Scanner Server<br>(Vuls Scanner)"]:::scannerStyle
        Target1["Target<br>Server 1"]:::targetStyle
        Target2["Target<br>Server 2"]:::targetStyle
        Target3["Target<br>Server 3"]:::targetStyle
    end

    FutureVuls["FutureVuls<br>Cloud"]:::futureStyle

    %% Relationships
    Scanner -->|"SSH Connection<br>Scan Execution"| Target1
    Scanner -->|"SSH Connection<br>Scan Execution"| Target2
    Scanner -->|"SSH Connection<br>Scan Execution"| Target3
    Scanner -->|"Upload<br>Scan Results"| FutureVuls

    %% Style Application
    class LocalNetwork networkStyle

Meaning of Remote Scan

A remote scan does not mean scanning remotely from the internet via FutureVuls. Here, a remote scan refers to scanning servers within the same network from your own management server using SSH.

Remote scanning has the following advantages over local scanning:

  • Scanning is possible even if the scanner program cannot be placed on the server.
  • By using SSH tunnels, etc., you can scan any server reachable via SSH from the scanner.
  • By listing multiple target servers in the scanner server's configuration file, you can scan multiple servers with a single command.
  • By specifying a CIDR range, you can scan all servers within a given network range at once.

The following items are common with local scanning, so please refer to the Local Scan page.

  • Scan Targets
  • Installation Method
  • Scan and Result Confirmation Methods
  • Location of Scan Settings
  • Mode Selection
  • How to Check Scanner Version
  • Scanner Updates
  • Other Notes on Scanning

The following sections explain the additional settings required to use remote scanning.

Preparation on the Target Server#

For remote scans, the following settings are required on the target server (for Linux only).

Preparing for SSH Login#

When performing a remote scan, FutureVuls uses RSA public key authentication for SSH login (password authentication is not supported). Please prepare a user account that can log into the remote server, along with a corresponding private key and public key.

Advance Preparation

For remote scans, please manually connect via SSH from the scanner server to the target server once beforehand. This is to register the target server's host fingerprint in the SSH known_hosts file.

If the Scanner Server is Windows

If the machine where the scanner is installed is Windows, please manually connect via SSH once using an administrator-level user on the target server. The SSH connection user specified in config.toml should also have administrator privileges. Then, place C:\Users\<username_of_manual_ssh_user>\.ssh\known_hosts and the target server's private key in C:\Windows\System32\config\systemprofile\.ssh. When configuring the private key path in config.toml, use the path where the private key was placed above.

How to Modify the Configuration File#

To use remote scanning, you need to modify the configuration file (/opt/vuls-saas/config.toml). Each setting method is described below.

Basic Configuration File Modification#

To scan a remote server, add settings to the configuration file as follows.

$ vi /opt/vuls-saas/config.toml

[servers]
  [servers.localhost]
    host = "localhost"
    port = "local"
# ↑↑ The local scan settings are automatically configured by the installer ↑↑

# ↓↓ Add the target server settings according to your environment ↓↓
# ex)
  [servers.<server_name>]
    user = "ec2-user"                               # ← <Username for remote login>
    host = "192.168.0.100"                          # ← <Remote login destination server: IP address or resolvable server name>
    port = "22"                                     # ← <Port number of the remote login destination>
    keyPath = "/home/vuls-saas/.ssh/vuls-saas.pem"  # ← <Location of the private key>

  ~~~~

Regarding

The private key file specified in keyPath must be owned by the scan execution user vuls-saas.

Also, due to security constraints, if the access permissions for the private key are too permissive, an SSH connection error will occur. Therefore, the following settings are required for the vuls-saas user.

chmod 600 <path_to_private_key>

You can check the owner and permissions with a command like ls -l <path_to_private_key>.

If the Target Server is Windows

If the target server is Windows, it is recommended to specify a user with administrator privileges for the remote login.

If a user without administrator privileges is specified, some applied KBs and some installed packages may not be detected.

Common settings can be consolidated in the [default] section as follows.

[default]
#port        = "22"
#user        = "username"
#keyPath     = "/home/vuls-saas/.ssh/id_rsa"

Remotely Scanning Multiple Servers#

Define multiple target servers as follows. If a UUID is not defined, it will be automatically generated during the report phase.

[default]
  port = "22"
  keyPath = "/home/vuls-saas/.ssh/stg.pem"
  scanMode = ["fast-root"]

[servers]
  [servers.ama2]
    user = "ec2-user"
    host = "13.113.92.xx"
    [servers.ama2.uuids]
      ama2 = "xxxxxxxxxxxxxxxxxxxxxxxxx"

  [servers.dev]
    user = "ubuntu"
    host = "54.248.62.xx"
    [servers.dev.uuids]
      dev = "zzzzzzzzzzzzzzzzzzzzzzzzzz"

Beware of Duplicate UUIDs

If you specify a UUID yourself, be careful not to duplicate one that is defined elsewhere in config.toml. FutureVuls uses UUIDs to identify servers. Please be aware that if UUIDs are duplicated due to a configuration mistake, they will be recognized as the same server.

If You Want to Exclude the Scanner Server from the Scan Targets

Before the scan is executed (by default, 5 minutes after installing the scanner), please remove the scanner server's information from the configuration file. Only servers whose information is listed in the configuration file will be scanned.

[saas]
 GroupID = XXXX
 Token = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
 URL = "https://auth.vuls.biz/one-time-auth"

[servers]
 // Describe only the information of the target servers

Performing a Bulk Remote Scan of Servers in a Range by Specifying a CIDR Range#

By specifying a CIDR range in the configuration file, you can perform a remote scan on all servers within that range. Define /opt/vuls-saas/config.toml as follows.

[default]
  port = "22"
  scanMode = ["fast-root"]

[servers]
  [servers.testNW-target]
    user = "ec2-user"
    host = "192.168.0.60/31"
    keyPath = "/home/vuls-saas/.ssh/auth.pem"

When the scan is executed, the scanner will attempt a remote scan on all IP addresses within the specified range. If the scan is successful, it will overwrite the configuration information for each server as follows.

[default]
  port = "22"
  scanMode = ["fast-root"]

[servers]
  [servers."testNW-target(192.168.0.60)"]
    user = "ec2-user"
    host = "192.168.0.60"
    keyPath = "/home/vuls-saas/.ssh/auth.pem"
    [servers."testNW-target(192.168.0.60)".uuids]
      "testNW-target(192.168.0.60)" = "bab806a2-59b7-628f-ff6b-c620df7191ca"

  [servers."testNW-target(192.168.0.61)"]
    user = "ec2-user"
    host = "192.168.0.61"
    keyPath = "/home/vuls-saas/.ssh/auth.pem"
    [servers."testNW-target(192.168.0.61)".uuids]
      "testNW-target(192.168.0.61)" = "dbad42bd-f045-5485-1189-f6a6e4d09a01"

For the second and subsequent scans, a remote scan will be executed for each server based on the information described in the configuration file.

Notes on CIDR Range Remote Scanning

  • If the scan of any server within the specified CIDR range fails, the process will be interrupted, and the configuration file will not be updated.
  • If a server that is already configured for remote scanning and has already been assigned a UUID is included in the specified CIDR range, it will be overwritten with a new UUID after the scan and will be managed as a different server on FutureVuls.
    • If the UUID is changed, please edit the configuration file (/opt/vuls-saas/config.toml) directly and revert to the original UUID.
    • The UUID can be found on the FutureVuls console's Server / Product > Server Details page.

Remotely Scanning a Specific Server#

In /opt/vuls-saas/vuls-saas.sh, change the part where ./vuls scan is executed as follows.

- ./vuls scan -ips > scan.log 2>&1
+ ./vuls scan -ips "$@" > scan.log 2>&1
# Execute a scan for a specific server (assuming the two machines ama2 and dev from the previous section are defined)
./vuls-saas.sh dev

# To scan multiple servers, specify the server names ([servers.xxx] in config.toml) separated by spaces
./vuls-saas.sh dev ama2

# To scan all servers defined in config.toml
./vuls-saas.sh

Other Settings#

How to Check Remote Scan Results on the Console#

After executing a remote scan, you can check the information for each server in the Server / Product tab. Each server is displayed on its own row. Note that you are billed for the number of servers. For details, please see the Manual > Server page.

How to Divide Target Servers into Multiple Groups or Distribute Scan Processes#

When there are many target servers, the following operations may be necessary.

  • Want to manage target servers in different groups
  • There are many target servers and scanning takes too long, so you want to distribute the scan processes

These operations can be achieved by splitting config.toml, customizing vuls-saas.sh, and changing the crontab settings. For specific operational examples, please refer to the following blog post.

The specific procedure is explained step-by-step below.

Step 1: Split config.toml#

By splitting config.toml into multiple files, defining different target servers in each, and executing scans in separate processes, you can group target servers and distribute scan processes.

As the first step, create config.{group}.toml for each unit you want to split, and define different target servers in each file. For how to write config.{group}.toml, please refer to Basic Configuration File Modification.

Example:

  • For Group A: config.group-a.toml
  • For Group B: config.group-b.toml

Step 2: Modify vuls-saas.sh#

Next, to enable the use of the -config option when executing vuls-saas.sh, edit /opt/vuls-saas/vuls-saas.sh as follows.

- ./vuls saas > report.log 2>&1
+ ./vuls saas "$@" > report.log 2>&1

This modification allows you to pass arguments to the vuls command.

About the vuls command's -config option

The vuls command reads config.toml from the current directory by default, but you can specify a different configuration file with the -config option.

# Scan servers of Group A using config.group-a.toml
./vuls scan -ips -config config.group-a.toml 
./vuls saas -config config.group-a.toml

# Scan servers of Group B using config.group-b.toml
./vuls scan -ips -config config.group-b.toml
./vuls saas -config config.group-b.toml

Compatibility with Specific Server Scanning

This method is not compatible with passing server names as arguments like ./vuls-saas.sh dev as described in Remotely Scanning a Specific Server. When using the -config option, all target server specifications should be done within config.{group}.toml.

Step 3: Configure crontab#

Finally, change the crontab to execute scans for each group at different times as follows. Please change the time and configuration file names according to your environment.

# /etc/cron.d/vuls-saas-scan
# Execute Group-A at 02:00 and specify a dedicated results-dir
0 2 * * * vuls-saas /opt/vuls-saas/vuls-saas.sh -config config.group-a.toml -results-dir /opt/vuls-saas/results/groupA > /dev/null 2>&1

# Execute Group-B at 02:10 and specify another dedicated results-dir
10 2 * * * vuls-saas /opt/vuls-saas/vuls-saas.sh -config config.group-b.toml -results-dir /opt/vuls-saas/results/groupB > /dev/null 2>&1

With this setting, scans for each group are executed by passing the -config and -results-dir options to vuls-saas.sh.

Note on Concurrent Execution of Multiple Groups on the Same Server

If you execute multiple groups (e.g., Group-A, Group-B) at the same time using vuls-saas.sh on the same server, issues such as duplicate timestamps, JSON file conflicts, and problems like "upload target not found" or "servers from other groups being mixed in" are likely to occur.

To avoid such conflicts, stagger the execution times and also split the results directories as shown in the example above. By staggering the execution time for each group and specifying different folders with the -results-dir option, conflicts will be significantly reduced, enabling more reliable operation.

Timeout Setting

The vuls scan command has a default timeout of 300 seconds. You can explicitly specify the timeout by modifying /opt/vuls-saas/vuls-saas.sh as follows.

- ./vuls scan -ips "$@" > scan.log 2>&1
+ ./vuls scan -ips -timeout 300 "$@" > scan.log 2>&1

Reference: https://vuls.io/docs/en/usage-scan.html

Windows Remote Scan#

When targeting Windows for scanning, please also refer to the following blog post.

Even in environments without internet access or a Windows Update service like WSUS, you can detect unapplied updates and vulnerabilities by combining a Cab file with remote scanning.

Once registered with the procedure shown below, vulnerabilities included in cumulative updates will be continuously detected in FutureVuls as new updates are released. However, to detect "vulnerabilities in KBs that are not cumulative updates," you will need to obtain a new Cab file and rescan whenever a new Windows update is released.

For details, please refer to the FutureVuls Blog.

Configuring a Scan Using a Cab File#

Note the File Size

The Cab file required for the scan is about 800MB. Please be mindful of your network bandwidth and available disk space.

Configuration and scanning are performed with the following steps.

  1. Obtain wsusscn2.cab from windowsupdate.com, operated by Microsoft Corporation (cab URL)

    For example, to get it with curl, it would be as follows.

    curl.exe -sS -o C:\wsusscn2.cab http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab
    
  2. Modify C:\Program Files\vuls-saas\config.toml

    Specify serverSelection=3, which means "use a cab for Windows Update," and set CabPath to the full path of the Cab file obtained above.

    ~ Omitted ~
    [servers]
      [servers.localhost]
        host = "localhost"
        port = "local" 
      [servers.localhost.uuids]
        localhost = "xxxx-xxxx-xxxx"
      [servers.localhost.windows]
        serverSelection = 3
        cabPath = "C:\\wsusscn2.cab"
    ~ Omitted ~
    

Using the config.toml above, execute C:\Program files\vuls-saas\vuls-saas.bat with administrator privileges to scan. This will retrieve a list of unapplied KBs using the Cab file, the scanner program will upload the configuration information to FutureVuls SaaS for detection processing, and vulnerabilities contained in the unapplied KBs will be detected.