Hi There - as a newbie to linux, I wonder if anyone can
help me understand the following output from rkhunter.
I am using the Mandriva 2009 version and following a suggestion
have installed rkhunter. Below is some of the output messages, some
of them seem fairly evident, but one or two I am not sure of. So can
you say please if all is OK with my system, and how do I allow rkhunter
to run SSH - or have I misunderstood that part of the message.
Thank you for looking, your input would be appreciated.
Info: Found file '/usr/bin/whatis': it is whitelisted for the 'script replacement' check.
Info: Found file '/sbin/ifdown': it is whitelisted for the 'script replacement' check.
Info: Found file '/sbin/ifup': it is whitelisted for the 'script replacement' check.

Performing malware checks
[20:11:45] Info: Starting test name 'malware'
[20:11:45]
[20:11:45] Info: Test 'deleted_files' disabled at users request.
[20:11:45] Info: Starting test name 'running_procs'
[20:11:45] Checking running processes for suspicious files [ Skipped ]
[20:11:45] Info: Unable to find the 'lsof' command
[20:11:45]
[20:11:45] Info: Test 'hidden_procs' disabled at users request.
[20:11:45]
[20:11:45] Info: Test 'suspscan' disabled at users request.

Checking for software intrusions [ Skipped ]
[20:11:46] Info: Check skipped - tripwire not installed

Performing trojan specific checks
[20:11:46] Info: Starting test name 'trojans'
[20:11:46] Checking for enabled inetd services [ Skipped ]
[20:11:46] Info: Check skipped - file '/etc/inetd.conf' does not exist.

Performing check for backdoor ports
[20:12:05] Info: Disabling pathnames and '*' in PORT_WHITELIST setting: no 'lsof' command present.

Checking for SSH configuration file [ Found ]
[20:12:19] Info: Found SSH configuration file: /etc/ssh/sshd_config
[20:12:19] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[20:12:19] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[20:12:19] Checking if SSH root access is allowed [ Warning ]
[20:12:19] Warning: The SSH and rkhunter configuration options should be the same:
[20:12:19] SSH configuration option 'PermitRootLogin': without-password
[20:12:19] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

Info: Starting test name 'filesystem'
[20:12:19] Info: SCAN_MODE_DEV set to 'THOROUGH'
[20:12:19] Info: Found file '/dev/shm/pulse-shm-156129281': it is whitelisted.
[20:12:20] Info: Found file '/dev/shm/pulse-shm-3674716385': it is whitelisted.
[20:12:20] Info: Found file '/dev/shm/pulse-shm-953612535': it is whitelisted.
[20:12:20] Checking /dev for suspicious file types [ None found ]
[20:12:20] Info: Found hidden directory '/dev/.udev': it is whitelisted.
[20:12:20] Info: Found hidden file '/usr/share/man/man1/..1.lzma': it is whitelisted.
[20:12:20] Info: Found hidden file '/usr/share/man/man1/.nvidia-current-xconfig.1.lzma': it is whitelisted.
[20:12:20] Info: Found hidden file '/usr/share/man/man1/.nvidia-current-settings.1.lzma': it is whitelisted.
[20:12:20] Info: Found hidden file '/usr/share/man/man1/.nvidia-current-smi.1.lzma': it is whitelisted.
[20:12:20] Checking for hidden files and directories [ None found ]
*******************************************************************************
Fin
Tell us which ones you were not able to solve by reading comments in the rkhunter.conf, the man page, the documentation and the rkhunter-users mailing list (archives).
I am not sure on what to do regarding the output
from the following the messages. Or do I have to
do anything?
***************************************************************
1) Checking for SSH configuration file [ Found ]
[20:12:19] Info: Found SSH configuration file: /etc/ssh/sshd_config
[20:12:19] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[20:12:19] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[20:12:19] Checking if SSH root access is allowed [ Warning ]
[20:12:19] Warning: The SSH and rkhunter configuration options should be the same:
[20:12:19] SSH configuration option 'PermitRootLogin': without-password
[20:12:19] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
*********************************************************************************
In the above "Warning" message, the SSH and rkhunter config should be the same.
How do I go about setting them the same? Or do I have to do anything?
2)
*******************************************************************************
[20:12:19] Info: Found file '/dev/shm/pulse-shm-156129281': it is whitelisted.
[20:12:20] Info: Found file '/dev/shm/pulse-shm-3674716385': it is whitelisted.
[20:12:20] Info: Found file '/dev/shm/pulse-shm-953612535': it is whitelisted.
*******************************************************************************
What does "whitelisted" mean?
3)
***************************************************************************
Performing malware checks
[20:11:45] Info: Starting test name 'malware'
[20:11:45]
[20:11:45] Info: Test 'deleted_files' disabled at users request.
[20:11:45] Info: Test 'hidden_procs' disabled at users request.
[20:11:45]
[20:11:45] Info: Test 'suspscan' disabled at users request.
*****************************************************************************
As far as I am aware, I have not enabled or set anything in rkhunter.
Could the above be default messages or instructions?
Thanks again for your input, as a newbie just hope the above questions
are not too stupid to ask.
As far as I am aware, I have not enabled or set anything in rkhunter.
Then you should because rkhunter.conf needs to be adapted to your system before you run 'rkhunter --propupd'.
Before you do that please read the README and the comments in the rkhunter.conf because they explain a lot and John and I didn't put them there for nothing. Your questions aren't stupid (not asking would be) but having a wee bit of knowledge about the tools you run and having self-reliance goes a long way. In the case of RKH the rkhunter-users mailing list archives are also chock-full of FAQ as we advertise that mailing list as our primary point of information. RKH detected you run SSH granting root access (PermitRootLogin = without-password) which is a huge mistake. Do reset that back to the /etc/ssh/sshd_config default of "no".
Sorry to come back to you on this subject unSpawn, but
still cannot get to grips with the following messages.
Took your advice and have spent all day reading up and
trying to configure the following files:- ssh_config - sshd_config
Have tried endless ways, but keep getting the following "Warning" message.
Just can't get the two files to match. Should the option be set to "Yes" in
both files, or am I wrong again?
Please, what does SSH_PROT_V1 set to '0' mean?
I wonder if you could point me in the right direction again please.
************************************************************************
[19:58:47] Checking for SSH configuration file [ Found ]
[19:58:47] Info: Found SSH configuration file: /etc/ssh/sshd_config
[19:58:47] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[19:58:47] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[19:58:47] Checking if SSH root access is allowed [ Warning ]
[19:58:47] Warning: The SSH and rkhunter configuration options should be the same:
[19:58:47] SSH configuration option 'PermitRootLogin': without-password
[19:58:47] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[19:58:48] Checking if SSH protocol v1 is allowed [ Not allowed ]
******************************************************************************
Hope the topic is not closed, if not, thanks for looking
No need in saying that. After all we are linuxquestions.org.
Quote:
Originally Posted by High-gain
Please, what does SSH_PROT_V1 set to '0' mean?
The SSH protocol comes in two versions: the current default version 2 and the deprecated version 1. You should not ever enable SSH protocol version 1 unless you have known issues with (legacy) clients that can not be solved in other ways. SSH_PROT_V1=0 is the default.
Quote:
Originally Posted by High-gain
[code]Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': without-password
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no[/code]
/etc/ssh/sshd_config currently allows four values for the "PermitRootLogin" directive (man sshd_config). The sane default is "No" as any root account logins over any untrusted network are considered a security risk. The value "without-password" is only needed if you really need to login as root using pubkey auth but not password. If you do not need it please set it to "No". Else see if setting "ALLOW_SSH_ROOT_USER=without-password" in your rkhunter.conf works for you.
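To make the comparison behind that warning concrete, here is an added shell script (not rkhunter's own code and not the poster's configuration) that reads PermitRootLogin and Protocol from an sshd_config excerpt and ALLOW_SSH_ROOT_USER / ALLOW_SSH_PROT_V1 from an rkhunter.conf excerpt, then reports the same mismatch rkhunter does. The two excerpts are constructed, and treating an absent PermitRootLogin as "yes" is an assumption about the sshd default of that era.

```shell
#!/bin/sh
# Constructed sample configs (not the poster's files): the thread's mismatch,
# PermitRootLogin without-password versus rkhunter's ALLOW_SSH_ROOT_USER=no.
SSHD_SAMPLE='#PermitRootLogin yes
PermitRootLogin without-password
Protocol 2
Match User anoncvs
    PermitRootLogin yes'
RKH_SAMPLE='ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0'

# First uncommented sshd directive wins; keywords are case-insensitive, and
# everything after a Match line is conditional, so the global scan stops there.
sshd_option() {  # $1 = sshd_config text, $2 = directive name
    printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2   { next }
        tolower($1) == "match" { exit }
        tolower($1) == k       { print tolower($2); exit }'
}

# rkhunter.conf uses KEY=value; strip optional quotes and surrounding blanks.
rkh_option() {  # $1 = rkhunter.conf text, $2 = option name
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        $1 == k { v = $2; gsub(/[^-A-Za-z0-9_]/, "", v); print tolower(v); exit }'
}

# Mirrors the two SSH checks in the thread's log. Returns 0 when rkhunter would
# report no warning, 1 when the sshd and rkhunter options disagree.
check_pair() {  # $1 = sshd_config text, $2 = rkhunter.conf text
    status=0
    root=$(sshd_option "$1" PermitRootLogin); [ -n "$root" ] || root=yes  # assumed old sshd default
    allow=$(rkh_option "$2" ALLOW_SSH_ROOT_USER); [ -n "$allow" ] || allow=no
    if [ "$root" = "$allow" ]; then
        echo "Checking if SSH root access is allowed [ OK ]"
    else
        echo "Warning: The SSH and rkhunter configuration options should be the same:"
        echo "  SSH configuration option 'PermitRootLogin': $root"
        echo "  Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': $allow"
        status=1
    fi
    proto=$(sshd_option "$1" Protocol); [ -n "$proto" ] || proto=2
    v1=$(rkh_option "$2" ALLOW_SSH_PROT_V1); [ -n "$v1" ] || v1=0
    case "$proto" in
        *1*) if [ "$v1" = "1" ]; then echo "Checking if SSH protocol v1 is allowed [ Allowed ]"; else echo "Warning: SSH protocol v1 is enabled but ALLOW_SSH_PROT_V1=0"; status=1; fi ;;
        *)   echo "Checking if SSH protocol v1 is allowed [ Not allowed ]" ;;
    esac
    return $status
}
check_pair "$SSHD_SAMPLE" "$RKH_SAMPLE" || echo "-> the thread's warning: set PermitRootLogin no, or ALLOW_SSH_ROOT_USER=without-password"
```

Either fix silences the warning: changing sshd_config to `PermitRootLogin no` (the recommended one), or matching rkhunter.conf to the value sshd really uses.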
Just thought I would let you know, my hic-cup with rkhunter
has now been resolved.
My problem was right at the end of the sshd_config file under the
examples info.
I had missed the last entry, where the # had been unchecked;
it had also been set to 'no', which I think caused the conflict
between the SSH and rkhunter files.
Below is the setting I have now which has removed the
'Warning' message in rkhunter.log
++++++++++++++++++++++++++++++++++++++++++++++++++
sshd_config - end of the file - if you notice, the
PermitRootLogin without-password is repeated. Not sure if
this is correct, or I have set it this way in error.
+++++++++++++++++++++++++++++++++++++++++++++++++++++
**********************************************************
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
# PermitRootLogin without-password
# PermitRootLogin without-password
****************************************************************
Hope the above will help someone.
Thanks also to unSpawn for his help.
N.B.
With my above hic-cup I did uninstall and reinstall rkhunter.
Tried with the latest version, but that came back with more
error messages, also recorded that the xzibit rootkit was present.
This is covered in the rkhunter mail lists/forums.