A little help in interpreting the results from rkhunter please
I just installed rkhunter and chkrootkit on my Ubuntu 8.04 machine. chkrootkit shows all is clean. rkhunter told me that "ssh is enabled for root" - even though there is no root account in the conventional sense in Ubuntu, I added "PermitRootLogin no" to /etc/ssh/sshd_config and restarted sshd. Here are the other results. I do not know what to make of them.
Quote:
[10:31:56] Checking /dev for suspicious file types [ Warning ]
[10:31:56] Warning: Suspicious files found in /dev:
[10:31:56] /dev/shm/pulse-shm-2926552250: data
[10:31:56] Checking for hidden files and directories [ Warning ]
[10:31:57] Warning: Hidden directory found: /dev/.static
[10:31:57] Warning: Hidden directory found: /dev/.udev
[10:31:57] Warning: Hidden directory found: /dev/.initramfs
I have learned that shm has to do with shared memory and I think .initramfs has to do with a ramdisk. Other than that I have no idea if any of the warnings are of any significance.
Thanks for any enlightenment.
Ken
p.s. just finished a second run of rkhunter - it still thinks that root access for ssh is enabled(?)
Last edited by taylorkh; 02-13-2009 at 09:54 AM.
Reason: more info from second run
I have /dev/.udev. The use of udev/hal/dbus to automatically mount devices and alternate names make use of these hidden directories. So this is a false positive. The pulse-shm line is OK.
Do you have "PermitRootLogin No"? If you do, perhaps it didn't match the case, but this is just a guess.
Thanks jschiwal. I found the same warnings on a second machine. I guess false positives are not too uncommon. As to the root thing... There was no PermitRootLogin statement to start with. I copied the string from a page on go2linux.org. I tried "No" and the system barfed when I restarted sshd so I guess "no" is correct.
Quote:
Originally Posted by jschiwal
I have /dev/.udev. The use of udev/hal/dbus to automatically mount devices and alternate names make use of these hidden directories. So this is a false positive.
Minor nit, doesn't mean I don't acknowledge shortcuts in practice, but something is not a FP because you or I say it is. Something is a FP if you can verify, using independent and trustworthy means, it is.
Quote:
Originally Posted by taylorkh
I guess false positives are not too uncommon.
No, they aren't. That's why whitelisting examples are listed in rkhunter.conf and the FAQ.
unSpawn: Point taken. I should have said "probably a false positive". Examining the items to see if anything is amiss would be prudent.
I noticed that the "PermitRootLogin" line is missing from the initial /etc/ssh/sshd_config after installation. IIRC, the default is yes, so adding "PermitRootLogin no" will fix that problem.
There is another rootkit scanner, chkrootkit. One began as an upgrade of the other. The author runs both himself.
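The whitelisting unSpawn refers to and the PermitRootLogin default jschiwal describes, as an added shell example (not code from the thread or from rkhunter): the first helper turns the warning lines quoted at the top of the thread into candidate rkhunter.conf entries (ALLOWHIDDENDIR and ALLOWDEVFILE are real rkhunter.conf options; each candidate still needs independent verification before it goes in), the second prints the PermitRootLogin value sshd would actually use for a given sshd_config. It assumes the OpenSSH default of "yes" when the directive is absent and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not from the thread or from rkhunter itself.

# Turn rkhunter "Warning:" log lines (read on stdin) into candidate
# whitelist entries for rkhunter.conf. ALLOWHIDDENDIR and ALLOWDEVFILE
# are real rkhunter.conf options; the output is a starting point to
# verify by hand (ownership, owning package, which process created the
# file), not something to paste into the config unread.
rkhunter_whitelist_candidates() {
    in_dev=0
    while IFS= read -r line; do
        msg=${line#\[*\] }   # drop the leading "[hh:mm:ss] " timestamp
        case "$msg" in
            "Warning: Hidden directory found: "*)
                in_dev=0
                printf 'ALLOWHIDDENDIR=%s\n' "${msg#Warning: Hidden directory found: }" ;;
            "Warning: Suspicious files found in /dev:")
                in_dev=1 ;;           # the /dev/... lines that follow belong to it
            /dev/*)
                # rkhunter appends ": <file type>"; keep only the path
                if [ "$in_dev" -eq 1 ]; then
                    printf 'ALLOWDEVFILE=%s\n' "${msg%: *}"
                fi ;;
            *)
                in_dev=0 ;;
        esac
    done
}

# Print the PermitRootLogin value sshd would use for the given sshd_config.
# sshd matches keywords case-insensitively and takes the FIRST occurrence,
# but the argument is case-sensitive: "No" is rejected, "no" is accepted.
# Defaulting to "yes" when the directive is absent is an assumption that
# matches the OpenSSH releases of the thread's era; Match blocks are ignored.
sshd_permit_root_login() {
    awk 'BEGIN { v = "yes" }
         /^[ \t]*#/ { next }
         tolower($1) == "permitrootlogin" { v = $2; exit }
         END { print v }' "$1"
}
```

Running `rkhunter_whitelist_candidates < /var/log/rkhunter.log` on the original poster's log yields `ALLOWDEVFILE=/dev/shm/pulse-shm-2926552250` and one `ALLOWHIDDENDIR=` line per hidden directory, to be checked against what udev, initramfs and pulseaudio actually create before any of it is whitelisted.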