What is Zabbix?
Zabbix is one of the most popular monitoring systems. It consists of two components: the Zabbix server and Zabbix agents. Agents collect data from the operating systems they run on and send it to the server. The server then presents it to admins in a readable form or sends alerts via email. To sum up the breadth of its capabilities: you can even receive outage notifications in Telegram.
What Is Vulners?
Vulners is essentially a search engine for infosec. It aggregates data from 100+ databases and sources. You can find vulnerabilities, bugs, exploits, exposed services, plugins for OpenVAS, Nessus, and Burp Suite, IPS/IDS rules, and much more. Solid result ranking and an excellent API. If you haven’t tried it yet, you should. An indispensable tool for hackers and security professionals.
Zabbix Threat Control
Zabbix Threat Control is a plugin that turns the Zabbix monitoring system into a security scanner powered by Vulners. After installing the required packages and collecting inventory, it lists all servers on the network that are vulnerable due to missing patches or outdated package versions. In short, Zabbix Threat Control focuses on version-based vulnerabilities. It won’t audit configuration settings or alert on code-level issues.
Here’s how it works. Zabbix, via its agents, collects each machine’s OS name and version, builds an inventory of installed packages with their versions, and then sends it all to ZTC. The plugin forwards this data to Vulners, which matches it against its vulnerability and bug database and returns the results to Zabbix Threat Control. The information is processed and sent to the Zabbix server, after which the end user can review a dashboard with the list of vulnerabilities on the hosts.
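The inventory step described above, as an added example (not ZTC's own code): it turns constructed `os-release` and `dpkg-query` output into one per-host document and leaves out packages that dpkg still lists but whose files are no longer installed. The key names `os`, `version` and `package` and the `dpkg-query` format string are assumptions.

```python
import json

# Constructed sample of /etc/os-release on a Debian 9 host.
OS_RELEASE = 'PRETTY_NAME="Debian GNU/Linux 9 (stretch)"\nID=debian\nVERSION_ID="9"\n'

# Constructed sample output of:
#   dpkg-query -W -f='${Status}\t${Package}\t${Version}\t${Architecture}\n'
DPKG_OUTPUT = (
    "install ok installed\topenssl\t1.1.0f-3+deb9u1\tamd64\n"
    "install ok installed\tlibc6\t2.24-11+deb9u1\tamd64\n"
    "deinstall ok config-files\tapache2\t2.4.25-3+deb9u3\tamd64\n"
)

# dpkg states in which no package files are on disk; reporting these would
# produce findings for software that is not actually installed.
ABSENT_STATES = {"not-installed", "config-files"}


def parse_os_release(text):
    """Return (ID, VERSION_ID) from os-release text, unquoting the values."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            fields[key] = value.strip("\"'")
    return fields.get("ID", "unknown"), fields.get("VERSION_ID", "unknown")


def parse_dpkg(text):
    """Return sorted 'name version arch' strings for packages present on disk."""
    packages = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess
        status, name, version, arch = parts
        words = status.split()
        if not words or words[-1] in ABSENT_STATES:
            continue
        packages.append(f"{name} {version} {arch}")
    return sorted(packages)


def build_inventory(os_release, dpkg_output):
    """Assemble the per-host document (key names are assumptions)."""
    os_id, version = parse_os_release(os_release)
    return {"os": os_id, "version": version, "package": parse_dpkg(dpkg_output)}


if __name__ == "__main__":
    print(json.dumps(build_inventory(OS_RELEASE, DPKG_OUTPUT), indent=2))
```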
Vulnerabilities are surfaced as issues. You can either ignore an issue (close it without confirming), which triggers no action, or confirm it—after confirmation, agents receive a fix command that remediates the vulnerability. Only a privileged user can apply fixes. The command to be executed and the target servers are shown in the dashboard.
As of now, Zabbix Threat Control requires Zabbix 3.4 or later and only runs on Linux, though packages for other operating systems—including network devices—may be developed.
Installation
I’ll cover the installation on Debian. It involves several steps:
- Install the Zabbix server and deploy agents to the monitored hosts.
- Install ZTC plugins on the monitored hosts and configure them.
- Install ZTC on the server.
Zabbix Server
First, install the MySQL server and client (you might disagree, but for up to 20–25 servers MySQL is fine; if you have more, it’s better to use PostgreSQL):
$ sudo apt install mysql-server mysql-client
Adding repositories:
$ wget https://repo.zabbix.com/zabbix/3.4/debian/pool/main/z/zabbix-release/zabbix-release_3.4-1+stretch_all.deb
$ sudo dpkg -i zabbix-release_3.4-1+stretch_all.deb
$ sudo apt update
Now install the Zabbix server:
$ sudo apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent
Connecting to MySQL:
$ mysql -uroot -pPass
Next, create a database and a user (set your own password):
create database zabbix character set utf8 collate utf8_bin;
grant all privileges on zabbix.* to zabbix@localhost identified by 'PASSWORD';
quit;
Adding tables to the database:
$ zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix
Open the configuration file / in an editor and set the DBPassword value (the database password you specified when creating it). In the same directory, in the apache. file, set the date. parameter (for example, Europe/Moscow).
Create a link:
$ sudo ln -s /usr/share/zabbix/ /var/www/html/
That completes the Zabbix installation. Restart the service, open the web interface at http://, and follow the setup prompts. The default login/password is Admin/zabbix.
Agents
To install Zabbix agents on the monitored hosts, just install the zabbix-agent package (it will start automatically):
$ sudo apt install zabbix-agent
Next, open the configuration file / and add the following lines (server address and hostname):
Server=192.168.1.1
ServerActive=192.168.1.1
Hostname=srv10
Restart the agent:
$ service zabbix-agent restart
ZTC Plugins
To install plugins on hosts, you need to add the ZTC repositories. Do the following:
$ wget https://repo.vulners.com/debian/vulners-repo.deb
$ sudo dpkg -i vulners-repo.deb
Next, install the plugin:
$ sudo apt-get update
$ sudo apt-get install zabbix-threat-control-host
Next, open the file / and change the following values:
EnableRemoteCommands=1
LogRemoteCommands=1
To allow the Zabbix user to update (and only update) packages, add the following line to the / file:
zabbix ALL=(ALL) NOPASSWD: /usr/bin/apt-get --assume-yes install --only-upgrade *
Remember to install the plugin on the server as well. After applying the changes, restart the agent:
$ service zabbix-agent restart
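The sudoers rule above ends in `*`, which matches any further arguments, so sudo itself does not limit the command to package names. One way to check a fix command shown in the dashboard, or recorded through LogRemoteCommands, against the expected shape, as an added example that is not part of ZTC; the accepted argument forms and the optional leading `sudo` are assumptions.

```python
import re
import shlex

# Fixed part of the command, taken from the sudoers rule on this page.
PREFIX = ["apt-get", "--assume-yes", "install", "--only-upgrade"]

# Debian package name with optional ":arch" and "=version". The name may not
# end in "-", because apt-get reads "name-" as a request to remove "name".
PKG_RE = re.compile(
    r"[a-z0-9][a-z0-9+.-]*[a-z0-9+.]"     # package name
    r"(:[a-z0-9]+(-[a-z0-9]+)?)?"         # optional architecture
    r"(=[A-Za-z0-9.+~:-]*[A-Za-z0-9])?"   # optional pinned version
)


def parse_fix_command(command):
    """Return the package arguments, or raise ValueError for any other shape."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise ValueError(f"unparsable command: {exc}") from None
    if argv[:1] == ["sudo"]:
        argv = argv[1:]
    if argv[:1] == ["/usr/bin/apt-get"]:
        argv[0] = "apt-get"
    if argv[:len(PREFIX)] != PREFIX:
        raise ValueError("not the expected apt-get upgrade command")
    packages = argv[len(PREFIX):]
    if not packages:
        raise ValueError("no package names given")
    for arg in packages:
        if not PKG_RE.fullmatch(arg):
            raise ValueError(f"argument is not a package name: {arg!r}")
    return packages


def is_allowed(command):
    """True only for the fixed prefix followed by plain package names."""
    try:
        parse_fix_command(command)
        return True
    except ValueError:
        return False
```

Anything `is_allowed` rejects is worth reading by hand before the issue is acknowledged.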
ZTC Server
Back on the Zabbix server. Just like with the agents, add the ZTC repositories:
$ wget https://repo.vulners.com/debian/vulners-repo.deb
$ sudo dpkg -i vulners-repo.deb
After that:
$ sudo apt-get update
$ sudo apt-get install zabbix-threat-control-main zabbix-threat-control-host
Next, install the dependencies:
$ sudo apt install zabbix-sender zabbix-get python3 python3-pip
At this point, it’s worth noting that in earlier versions the zabbix-sender and zabbix-get utilities were bundled with zabbix-server, but now they need to be installed separately. Moving on:
$ sudo pip3 install pyzabbix requests jpath
Now open your browser, go to vulners.com, and create an account. Log in and generate an API key on the API KEYS tab.
Back on the server, open the file / in a text editor:

Enter your details. Specify the Zabbix user’s username and password, the Zabbix server address and its FQDN. If the port isn’t the default, change it as well.
Once the configuration file is set up, run /:

The script creates the required host group, template, action, and its own dashboard. The output will show the ZTC dashboard URL and the scheduled time for vulnerability scans. Scans are triggered by executing the script at / (you can run it manually if needed).
After finishing the setup, open the new ZTC dashboard, go to Templates, and find the Vulners OS-Report. In the Hosts section, move the servers you want to scan into the left-hand text box. Start the scan, wait for it to complete, and review the results. It’s quite fast—about 1,000 hosts in roughly 30 minutes.
Once the scan completes, you’ll get output similar to the following:

The chart highlights critical vulnerabilities with high CVSS scores in red. All data is neatly organized across several panels: by vulnerable packages, by vulnerabilities, and by servers. This lets you remediate either all vulnerabilities on a selected server or a specific vulnerability across all servers.
You can find details on server vulnerabilities, along with remediation commands, in the tooltips that appear when you hover over an issue. Those tooltips also include links to vulners.com, where you can review security issues relevant to these servers.


To install the updates, you just need to acknowledge the issue. This is especially handy if you want to fix a specific vulnerability across all servers and don’t have a configuration management system like Ansible.
Conclusion
Zabbix Threat Control can’t replace professional-grade systems, as it doesn’t offer the same breadth of capabilities. That said, it’s fast, free, and fits well into existing infrastructure.
Keep in mind this is only the first release of the plugin, so bugs and rough edges are possible. There’s a Telegram group @ztcsupport where you can get support and provide feedback.