LinuxQuestions.org
Old 09-25-2009, 04:24 AM   #1
tsuchan1
LQ Newbie
 
Registered: Sep 2009
Posts: 4

Rep: Reputation: 0
Question rkhunter: whitelisting inetd services - talk, ntalk, ident


Hi...

I've been trying to make exceptions to suppress these rkhunter warnings, so far without success:

Quote:
Warning: Found enabled inetd service: talk
Warning: Found enabled inetd service: ntalk
Warning: Found enabled inetd service: ident
My best research was that these files may need to be excepted:

/usr/sbin/in.ntalkd
/usr/sbin/in.talkd
/usr/sbin/identd

so I added to /etc/rkhunter.conf:

Code:
INETD_ALLOWED_SVC=/usr/sbin/in.ntalkd
INETD_ALLOWED_SVC=/usr/sbin/in.talkd
INETD_ALLOWED_SVC=/usr/sbin/identd
and ran rkhunter again. But it still gives the same warnings.

If the information helps, the program I believe is using these services is 'utalk', and I'm running it under Debian Linux.

Can anybody tell me the exceptions I need to add to suppress the warnings?

Thanks

- tsu'
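
The warnings quoted in the post identify each service by name (talk, ntalk, ident), while the entries added to /etc/rkhunter.conf give daemon paths. The script below is an added example, not part of the original post and not rkhunter code. It lists every enabled inetd.conf entry with both forms and reports which form, if any, appears in an INETD_ALLOWED_SVC line. The sample files are constructed and include one extra by-name entry for contrast; the script assumes the standard inetd.conf field order and does not reproduce rkhunter's own matching.

```shell
#!/bin/sh
# Added example: show how each enabled inetd service is covered by
# INETD_ALLOWED_SVC entries (by service name, by daemon path, or not at all).

# inetd.conf fields: service socktype proto wait user server-path [args]
# Prints "service server-path" for every enabled (uncommented) entry.
enabled_services() {
    awk 'NF >= 6 && $1 !~ /^#/ { print $1, $6 }' "$1"
}

# Prints the value of every INETD_ALLOWED_SVC line, one per line.
allowed_entries() {
    sed -n 's/^[[:space:]]*INETD_ALLOWED_SVC[[:space:]]*=[[:space:]]*//p' "$1"
}

# $1 = inetd.conf, $2 = rkhunter.conf
# Output per service: "<service> <server-path> <name|path|none>"
whitelist_report() {
    allowed=$(allowed_entries "$2")
    enabled_services "$1" | while read -r svc path; do
        if printf '%s\n' "$allowed" | grep -qxF -- "$svc"; then
            how=name    # an entry equals the name used in the warning text
        elif printf '%s\n' "$allowed" | grep -qxF -- "$path"; then
            how=path    # only the daemon path is listed
        else
            how=none    # no entry refers to this service
        fi
        printf '%s %s %s\n' "$svc" "$path" "$how"
    done
}

# Constructed sample files (not from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/inetd.conf" <<'EOF'
#echo  stream tcp nowait root       internal
talk   dgram  udp wait   nobody.tty /usr/sbin/in.talkd  in.talkd
ntalk  dgram  udp wait   nobody.tty /usr/sbin/in.ntalkd in.ntalkd
ident  stream tcp nowait identd     /usr/sbin/identd    identd
EOF
cat > "$tmp/rkhunter.conf" <<'EOF'
INETD_ALLOWED_SVC=/usr/sbin/in.ntalkd
INETD_ALLOWED_SVC=/usr/sbin/in.talkd
INETD_ALLOWED_SVC=/usr/sbin/identd
INETD_ALLOWED_SVC=talk
EOF

whitelist_report "$tmp/inetd.conf" "$tmp/rkhunter.conf"
```

On a real host, pass /etc/inetd.conf and /etc/rkhunter.conf to `whitelist_report` and compare the third column with the services rkhunter still warns about.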
 
Old 09-26-2009, 05:10 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603
I think you'd better report this on the rkhunter-users mailing list or else add a ticket in our bug tracker at Sourceforge.
 
Old 09-26-2009, 11:55 AM   #3
tsuchan1
LQ Newbie
 
Registered: Sep 2009
Posts: 4

Original Poster
Rep: Reputation: 0
Ok, I'll do that. (^_^)
Thanks for your advice.
 
Old 09-30-2009, 09:57 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603
Quote:
Originally Posted by tsuchan1
Ok, I'll do that.
It's been four days now and I haven't seen a useradd request for the rkhunter users mailing list or a new ticket in our bug tracker. Are you one of those that say they will but then don't do anything?
 
Old 09-30-2009, 11:23 AM   #5
tsuchan1
LQ Newbie
 
Registered: Sep 2009
Posts: 4

Original Poster
Rep: Reputation: 0
Sorry

Umm, no... it's just that my post to LinuxQuestions.org was looking for advice on what I might have been doing wrong, after I had made my best efforts and failed. You suggested raising a bug request, which I take as a serious matter, and wanted to run it past the sys admin who gives me occasional help on the box before passing the chance of raising a bug that might still be my user error.

But I'm sorry - I really hadn't guessed that you would be waiting in anticipation of my bug report... I thought my process deliberations would be "too much information". Anyway, I can give an update...

The process I followed immediately before raising this ticket was:
  • Made the changes described above (and others)
  • Re-ran the daily cron, and received exactly the output pasted above
But the next morning, the cron ran automatically and returned only:
Quote:
Warning: Found enabled inetd service: ident
so I was a bit confused by that... other changes I'd made (eg. changing PermitRootLogin setting) had taken effect in the e-mail I triggered manually, so [rhetorical:] had something happened overnight to flush the rest of the settings, or had I made some mistake?

If I raised a bug at this moment, it would be:
  • rkhunter appears not to change all settings immediately the .conf file is updated
  • rkhunter appears not to exclude the inet service "ident" at all.

But as someone who is unaccomplished in Linux, I reasoned that I needed to take advice locally before potentially embarrassing myself and inconveniencing others.

I will raise a bug after I've had my actions reviewed, if they're confirmed; or write another update to this thread if it turns out to have been a fault of my own. But it may be a couple of weeks - the sys admin who can review my steps can only spare me occasional time.

All the best
- tsu'
 
Old 09-30-2009, 03:02 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603
Ah, OK, I see. Thanks for the update. The reason I asked is because we're in the process of finalizing RKH 1.3.6 for release so I'd like to fix all bugs we can Real Soon Now. If it indeed is a bug but I don't have any machines running identd to check on, nor have I seen any related errors on the list. I'd appreciate it if you let us know what your findings are. Thanks in advance!
 
  

