Confusing RKHunter log warnings for file properties checks
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Confusing RKHunter log warnings for file properties checks
Hi,
I have a FC9 box set up primarily as a file server for the windows machines on my network. I run RKHunter on it every week or so, and usually no problems are reported. Today, however, warnings were given for file properties checks on:
/bin/login
/bin/rpm
/bin/su
/usr/bin/elinks
/usr/bin/passwd
/usr/bin/wget
The rkhunter log shows:
.
.
[02:04:40] Warning: Package manager verification has failed:
[02:04:40] File: /usr/bin/wget
[02:04:40] Try running the command 'prelink /usr/bin/wget' to resolve dependency errors.
[02:04:41] The file hash value has changed
[02:04:41] The file size has changed
.
.
......and very similar log lines for each of the other files mentioned above.
The rest of the RKHunter check was normal.
I also have chkrootkit installed, and that doesn't find any problems.
After 3 hours searching for information about this I'm still confused as to whether I have a problem or not with the security of my machine.
It's behind an IPCop router and not visible from the internet (no port forwarding etc set up whatsoever). The firewall on the server itself is also switched on and only allowing SSH and Samba access through. SSH root access is disabled, and Samba access is limited (by the Samba config file) to only the few windows machines that need to have access. I'm not really sure how to make it more secure. 'yum update -y' is run every week or so. The main security weakness is my SSH connection to the server from my Vista PC, which I often leave logged in as root (after SUing). I don't *believe* my Vista box is compromised though. Kaspersky reckons it's clean anyway, and it's also behind the same IPcop router.
Thanks for replying. I did indeed update in the past week - in fact I ran rkhunter immediately following an update with yum. I now wish I had run it before as well!
I need to lean much more about linux, so what makes you sure these are normal? Why has rkhunter all of a sudden come up with this?
Excellent question. Why? Because some things might be hard to spot (not saying that that's the case here). Use independent and authoritative sources to make certain these files correspond with files from the installed package contentslike using (a backup of) your package manager to verify package contents or a filesystem integrity checker (if installed, configured and run properly before). Yes, it may take you more time, and yes, the result may be the same as saying "looks normal", but the difference is in actually checking things to reach that conclusion. Something you always want in security.
Many thanks to John and unSpawn for your replies - very much appreciated.
I've learnt now that I should install an intrusion detection system!
For the time being, how would I go about verifying that those files listed above are the genuine article - i.e. how do I go about ensuring that the checksum for those files installed is the same as the checksum for the genuine files on the internet? I must confess that despite quite a lot of reading around over several years I've never really understood how linux updates and packages work - I still just issue the command 'yum update -y' and hope for the best!
I've read the RKHunter FAQ and tried following section 3.1, but it doesn't seem that I can be certain that these are not files that have been tampered with.
I maybe should have mentioned before that I have another server set up (offsite) as a backup. I basically maintain a mirror of my main server (the one with the problem) on the backup, using rsync across an SSH tunnel. The backup server is running the same software (they were installed about 3 days apart) and has updates run at the same time as the main server. This backup server reports no problems when running RKHunter though.
Sorry to be a nuisance, I just like to be certain that my machine is secure!
Very bizarrely I have just run RKHunter again, and it has picked up no errors at all now. I haven't done anything whatsoever to try and fix the problem, so how can it have fixed all by itself?!
I've learnt now that I should install an intrusion detection system!
That kind of tool is best installed right after the OS and before exposing it to networks.
Quote:
Originally Posted by jamiehh
For the time being, how would I go about verifying that those files listed above are the genuine article - i.e. how do I go about ensuring that the checksum for those files installed is the same as the checksum for the genuine files on the internet?
Find out which package they're part of: 'rpm -qf /path/to/file' then verify: 'rpm -qVv packagename'.
Quote:
Originally Posted by jamiehh
I've read the RKHunter FAQ and tried following section 3.1, but it doesn't seem that I can be certain that these are not files that have been tampered with.
The essence it should convey is how hard it is to make certain (not "guess" or "think" or "looks OK") things are not changed, especially if one does not take prior requirements into account wrt auditing. Luckily your machine posesses one of the more mature package management systems available in terms of verification. If the local RPM database wouldn't do, or if you would like a second opinion then you could download the packages from a known good source and check with those. Since most of the time these warnings are a known false positive (see rkhunter.conf whitelisting options) that might not be necessary, but if you want to anyway practicing never was considered a bad thing.
Quote:
Originally Posted by jamiehh
I maybe should have mentioned before that I have another server set up (offsite) as a backup. I basically maintain a mirror of my main server (the one with the problem) on the backup, using rsync across an SSH tunnel. The backup server is running the same software (they were installed about 3 days apart) and has updates run at the same time as the main server. This backup server reports no problems when running RKHunter though.
Sorry to be a nuisance, I just like to be certain that my machine is secure!
Not a nuisance at all, it's what the Linux Security forum is for. Like John VV said updates might skew things. You could compare file AH1 hashes, the output of both the RPM databases and diff the rkhunter hash "database". Note that automagically running 'rkhunter --propupd' after updates will quiet warnings and is not a good practice to do.
'rpm -qf /path/to/file' then verify: 'rpm -qVv packagename' showed no problems with those packages mentioned in my first post.
I also did 'rpm -qi' on all the packages and compared the file size with the file size shown on rpmfind.net. I assume this goes some way to reassuring me that the RPMs on my machine are the same as those posted on the internet.
Many thanks again to unSpawn and John VV for all your help.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.