LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-10-2010, 02:49 PM   #1
High-gain
rkhunter - messages


Hi there - as a newbie to Linux, I wonder if anyone can
help me understand the following output from rkhunter.

I am using the Mandriva 2009 version and, following a suggestion,
have installed rkhunter. Below are some of the output messages; some
of them seem fairly evident, but one or two I am not sure of. So can
you say please if all is OK with my system, and how do I allow rkhunter
to run SSH - or have I misunderstood that part of the message?

Thank you for looking, your input would be appreciated.

****************************************************************************

Info: Found file '/usr/bin/whatis': it is whitelisted for the 'script replacement' check.

Info: Found file '/sbin/ifdown': it is whitelisted for the 'script replacement' check.

Info: Found file '/sbin/ifup': it is whitelisted for the 'script replacement' check.

Performing malware checks
[20:11:45] Info: Starting test name 'malware'
[20:11:45]
[20:11:45] Info: Test 'deleted_files' disabled at users request.
[20:11:45] Info: Starting test name 'running_procs'
[20:11:45] Checking running processes for suspicious files [ Skipped ]
[20:11:45] Info: Unable to find the 'lsof' command
[20:11:45]
[20:11:45] Info: Test 'hidden_procs' disabled at users request.
[20:11:45]
[20:11:45] Info: Test 'suspscan' disabled at users request.

Checking for software intrusions [ Skipped ]
[20:11:46] Info: Check skipped - tripwire not installed

Performing trojan specific checks
[20:11:46] Info: Starting test name 'trojans'
[20:11:46] Checking for enabled inetd services [ Skipped ]
[20:11:46] Info: Check skipped - file '/etc/inetd.conf' does not exist.

Performing check for backdoor ports
[20:12:05] Info: Disabling pathnames and '*' in PORT_WHITELIST setting: no 'lsof' command present.

Checking for SSH configuration file [ Found ]
[20:12:19] Info: Found SSH configuration file: /etc/ssh/sshd_config
[20:12:19] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[20:12:19] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[20:12:19] Checking if SSH root access is allowed [ Warning ]
[20:12:19] Warning: The SSH and rkhunter configuration options should be the same:
[20:12:19] SSH configuration option 'PermitRootLogin': without-password
[20:12:19] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

Info: Starting test name 'filesystem'
[20:12:19] Info: SCAN_MODE_DEV set to 'THOROUGH'
[20:12:19] Info: Found file '/dev/shm/pulse-shm-156129281': it is whitelisted.
[20:12:20] Info: Found file '/dev/shm/pulse-shm-3674716385': it is whitelisted.
[20:12:20] Info: Found file '/dev/shm/pulse-shm-953612535': it is whitelisted.
[20:12:20] Checking /dev for suspicious file types [ None found ]
[20:12:20] Info: Found hidden directory '/dev/.udev': it is whitelisted.
[20:12:20] Info: Found hidden file '/usr/share/man/man1/..1.lzma': it is whitelisted.
[20:12:20] Info: Found hidden file '/usr/share/man/man1/.nvidia-current-xconfig.1.lzma': it is whitelisted.
[20:12:20] Info: Found hidden file '/usr/share/man/man1/.nvidia-current-settings.1.lzma': it is whitelisted.
[20:12:20] Info: Found hidden file '/usr/share/man/man1/.nvidia-current-smi.1.lzma': it is whitelisted.
[20:12:20] Checking for hidden files and directories [ None found ]
*******************************************************************************
#Fin
 
Old 09-10-2010, 04:02 PM   #2
unSpawn
Moderator
Quote:
Originally Posted by High-gain
one or two I am not sure of
Tell us which ones you were not able to solve by reading comments in the rkhunter.conf, the man page, the documentation and the rkhunter-users mailing list (archives).
 
Old 09-11-2010, 01:37 AM   #3
High-gain
Original Poster
Thank you for your interest in my question.

I am not sure what to do regarding the output
from the following messages. Or do I have to
do anything?


***************************************************************
1) Checking for SSH configuration file [ Found ]
[20:12:19] Info: Found SSH configuration file: /etc/ssh/sshd_config
[20:12:19] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[20:12:19] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[20:12:19] Checking if SSH root access is allowed [ Warning ]
[20:12:19] Warning: The SSH and rkhunter configuration options should be the same:
[20:12:19] SSH configuration option 'PermitRootLogin': without-password
[20:12:19] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
*********************************************************************************

In the above "Warning" message, the SSH and rkhunter config should be the same.
How do I go about setting them the same? Or do I have to do anything?

2)
*******************************************************************************
[20:12:19] Info: Found file '/dev/shm/pulse-shm-156129281': it is whitelisted.
[20:12:20] Info: Found file '/dev/shm/pulse-shm-3674716385': it is whitelisted.
[20:12:20] Info: Found file '/dev/shm/pulse-shm-953612535': it is whitelisted.
*******************************************************************************
What does "whitelisted" mean?

3)
***************************************************************************
Performing malware checks
[20:11:45] Info: Starting test name 'malware'
[20:11:45]
[20:11:45] Info: Test 'deleted_files' disabled at users request.

[20:11:45] Info: Test 'hidden_procs' disabled at users request.
[20:11:45]
[20:11:45] Info: Test 'suspscan' disabled at users request.
*****************************************************************************
As far as I am aware, I have not enabled or set anything in rkhunter.
Could the above be default messages or instructions?

Thanks again for your input, as a newbie just hope the above questions
are not too stupid to ask.
 
Old 09-11-2010, 04:08 AM   #4
unSpawn
Moderator
Quote:
Originally Posted by High-gain
As far as I am aware, I have not enabled or set anything in rkhunter.
Then you should because rkhunter.conf needs to be adapted to your system before you run 'rkhunter --propupd'.

Before you do that please read the README and the comments in the rkhunter.conf because they explain a lot and John and I didn't put them there for nothing. Your questions aren't stupid (not asking would be) but having a wee bit of knowledge about the tools you run and having self-reliance goes a long way. In the case of RKH the rkhunter-users mailing list archives are also chock-full of FAQ as we advertise that mailing list as our primary point of information. RKH detected you run SSH granting root access (PermitRootLogin = without-password) which is a huge mistake. Do reset that back to the /etc/ssh/sshd_config default of "no".
 
Old 09-11-2010, 05:27 AM   #5
High-gain
Original Poster
Thank you Sir for your help - most appreciated.

Will start my research straight away - that was
my mistake, not reading the information before
I started RKH.

Again, my thanks for your input.
 
Old 09-11-2010, 02:11 PM   #6
High-gain
Original Poster
Sorry to come back to you on this subject unSpawn, but
still cannot get to grips with the following messages.

Took your advice and have spent all day reading up and
trying to configure the following files:- ssh_config - sshd_config
Have tried endless ways, but keep getting the following "Warning" message.
Just can't get the two files to match. Should the option be set to "Yes" in
both files, or am I wrong again?

Please, what does SSH_PROT_V1 set to '0' mean?

I wonder if you could point me in the right direction again please.

************************************************************************
[19:58:47] Checking for SSH configuration file [ Found ]
[19:58:47] Info: Found SSH configuration file: /etc/ssh/sshd_config
[19:58:47] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[19:58:47] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[19:58:47] Checking if SSH root access is allowed [ Warning ]
[19:58:47] Warning: The SSH and rkhunter configuration options should be the same:
[19:58:47] SSH configuration option 'PermitRootLogin': without-password
[19:58:47] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[19:58:48] Checking if SSH protocol v1 is allowed [ Not allowed ]
******************************************************************************

Hope the topic is not closed, if not, thanks for looking
 
Old 09-11-2010, 04:48 PM   #7
unSpawn
Moderator
Quote:
Originally Posted by High-gain
Sorry to come back
No need in saying that. After all we are linuxquestions.org.


Quote:
Originally Posted by High-gain
Please, what does SSH_PROT_V1 set to '0' mean?
The SSH protocol comes in two versions: the current default version 2 and the deprecated version 1. You should not ever enable SSH protocol version 1 unless you have known issues with (legacy) clients that can not be solved in other ways. SSH_PROT_V1=0 is the default.


Quote:
Originally Posted by High-gain
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': without-password
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
/etc/ssh/sshd_config currently allows four values for the "PermitRootLogin" directive (man sshd_config). The sane default is "No" as any root account logins over any untrusted network are considered a security risk. The value "without-password" is only needed if you really need to login as root using pubkey auth but not password. If you do not need it please set it to "No". Else see if setting "ALLOW_SSH_ROOT_USER=without-password" in your rkhunter.conf works for you.
 
Old 09-12-2010, 08:24 AM   #8
High-gain
Original Poster
Resolved

Just thought I would let you know, my hiccup with rkhunter
has now been resolved.

My problem was right at the end of the sshd_config file under the
examples info.
I had missed the last message where the # had been unchecked;
it had also been set to 'no', which I think caused the conflict
between the SSH and rkhunter files.

Below is the setting I have now which has removed the
'Warning' message in rkhunter.log

++++++++++++++++++++++++++++++++++++++++++++++++++
sshd_config - end of the file - if you notice, the
PermitRootLogin without-password is repeated. Not sure if
this is correct, or I have set it this way in error.
+++++++++++++++++++++++++++++++++++++++++++++++++++++
**********************************************************
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
# PermitRootLogin without-password
# PermitRootLogin without-password
****************************************************************
Hope the above will help someone.
Thanks also to unSpawn for his help.
N.B.
With my above hiccup I did uninstall and reinstall rkhunter.

Tried with the latest version, but that came back with more
error messages, also recorded that the xzibit rootkit was present.
This is covered in the rkhunter mail lists/forums.

Thanks again to LinuxQuestions
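Added example, not code from the thread, from rkhunter or from OpenSSH: a small POSIX shell script that reproduces the comparison behind the "Checking if SSH root access is allowed" warning explained in unSpawn's reply (#7), and that handles the sshd_config trap High-gain describes in post #8. Two sshd_config(5) rules matter here: sshd uses the first uncommented occurrence of a keyword and ignores later ones, and a keyword inside a "Match" block applies only to the connections that block matches, so it is not the global setting rkhunter reports. The sample files are constructed inline; the function names and the "unset" sentinel are this example's own, and the equality test is a simplified stand-in for rkhunter's real check. One caveat from later OpenSSH releases: since 7.0 the value "without-password" is spelled "prohibit-password" (the old spelling is kept as an alias) and the upstream default for PermitRootLogin changed from "yes" to "prohibit-password" at the same time, so the script reports an unset directive as "unset" rather than guessing a default.

```shell
#!/bin/sh
# Added example: mirrors rkhunter's sshd_config / rkhunter.conf comparison for
# PermitRootLogin. Not rkhunter's or OpenSSH's code; function names, sample
# files and the "unset" sentinel are this example's assumptions.

# Print the GLOBAL PermitRootLogin value of an sshd_config in lower case, or
# "unset" when none is set outside a Match block. sshd_config(5) rules used:
#  - the first uncommented occurrence of a keyword wins, later ones are ignored;
#  - everything after a "Match" line applies only to matching connections.
effective_permit_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comment or blank line
        { gsub(/=/, " "); $0 = $0 }              # "Keyword=value" is also legal; resplit
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }                        # per-connection override, not global
        tolower($1) == "permitrootlogin" && !found { found = 1; print tolower($2) }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print the ALLOW_SSH_ROOT_USER value from an rkhunter.conf (first uncommented
# assignment, quotes stripped, lower case), or "unset".
rkhunter_allow_ssh_root_user() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*ALLOW_SSH_ROOT_USER[ \t]*$/ {
            v = $2; gsub(/[ \t"]/, "", v); print tolower(v); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Compare the two values and print a line in rkhunter's report style.
# Returns 0 when they agree, 1 otherwise. The OpenSSH 7.0+ spelling
# "prohibit-password" is folded onto the older "without-password" on both sides.
ssh_root_check() {
    ssh_val=$(effective_permit_root_login "$1")
    rkh_val=$(rkhunter_allow_ssh_root_user "$2")
    case $ssh_val in prohibit-password) ssh_val=without-password ;; esac
    case $rkh_val in prohibit-password) rkh_val=without-password ;; esac
    if [ "$ssh_val" = "$rkh_val" ]; then
        echo "Checking if SSH root access is allowed [ OK ]"
        return 0
    fi
    echo "Checking if SSH root access is allowed [ Warning ]"
    echo "  SSH configuration option 'PermitRootLogin': $ssh_val"
    echo "  Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': $rkh_val"
    return 1
}

# Write constructed sample files (not real system files) into directory $1.
make_samples() {
    # Where the thread's warning came from: a global without-password, plus the
    # stock commented-out Match example at the end of the file.
    cat > "$1/sshd_config.original" <<'EOF'
Port 22
Protocol 2
PermitRootLogin without-password
PasswordAuthentication yes

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
#   PermitRootLogin without-password
EOF
    # The trap: the only "PermitRootLogin no" sits inside a Match block, so the
    # global value is still without-password and rkhunter still warns.
    cat > "$1/sshd_config.matchblock" <<'EOF'
PermitRootLogin without-password
Match User anoncvs
    PermitRootLogin no
EOF
    # Fixed: "no" is the first uncommented global line; the later "yes" is ignored.
    cat > "$1/sshd_config.fixed" <<'EOF'
PermitRootLogin no
# a stray duplicate further down changes nothing
PermitRootLogin yes
EOF
    cat > "$1/rkhunter.conf" <<'EOF'
# Set to "no", "yes" or "without-password" to match sshd's PermitRootLogin
ALLOW_SSH_ROOT_USER=no
EOF
}

# Stand-alone run over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in original matchblock fixed; do
    printf '%-22s global PermitRootLogin: %s\n' "sshd_config.$f" \
        "$(effective_permit_root_login "$demo_dir/sshd_config.$f")"
done
ssh_root_check "$demo_dir/sshd_config.original" "$demo_dir/rkhunter.conf" || true
ssh_root_check "$demo_dir/sshd_config.fixed"    "$demo_dir/rkhunter.conf" || true
rm -rf "$demo_dir"
```

On a live system, `effective_permit_root_login /etc/ssh/sshd_config` shows what a parser like this one reads, but the authoritative answer is `sshd -T | grep -i permitrootlogin` (run as root, OpenSSH 5.1 and later), which prints the configuration sshd actually applies, defaults included. If that value is "no", unSpawn's advice in #4 is satisfied and the rkhunter warning disappears with ALLOW_SSH_ROOT_USER=no; if you genuinely need key-only root logins, the two values have to be set to without-password on both sides as described in #7.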