Security Scan help

mike2010 · 04-14-2009, 06:40 PM

Could I get some help with my Security Scan. It seems to show quite a few bad things.

every small amount of input is appreciated.

The usr/bin stuff I never messed around with manually. So I dont know why im getting those Warnings. Maybe because I have Plesk on the server ?

Quote:

[19:14:29] /usr/bin/GET [ Warning ]
[19:14:29] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable

[19:14:29] /usr/bin/groups [ Warning ]
[19:14:29] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable

[19:14:30] /usr/bin/ldd [ Warning ]
[19:14:30] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable

[19:14:30] /usr/bin/passwd [ OK ]
[19:14:30] Info: Found file '/usr/bin/passwd': it is whitelisted for the 'file immutable-bit' check.

[19:14:32] /usr/bin/whatis [ OK ]
[19:14:32] Info: Found file '/usr/bin/whatis': it is whitelisted for the 'script replacement' check.

[19:14:32] /sbin/ifdown [ Warning ]
[19:14:32] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable

[19:14:32] /sbin/ifup
[ Warning ]
[19:14:33] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[19:15:08] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]

[19:15:09] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]

[19:15:09] Checking '/etc/xinetd.d/smtp_psa' for enabled services [ Warning ]
[19:15:09] Checking '/etc/xinetd.d/smtps_psa' for enabled services [ Warning ]
[19:15:09] Checking '/etc/xinetd.d/submission_psa' for enabled services [ Warning ]

[19:15:16] Checking for hidden files and directories [ Warning ]

[19:15:16] Warning: Hidden directory found: /dev/.udev

[19:15:16] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression

unSpawn · 04-15-2009, 02:59 AM

Have your distro's package manager or filesystem integrity checker verify the entities are as installed, then check your rkhunter.conf for the script whitelisting options?

mike2010 · 04-15-2009, 05:27 PM

Quote:

Originally Posted by unSpawn

Have your distro's package manager or filesystem integrity checker verify the entities are as installed, then check your rkhunter.conf for the script whitelisting options?

huh?

Does anything stick out as a possible security risk ? I have SSH access allowed only per my IP. And always keep up to date with server / firewall updates.

maybe those warnings are just for the super paranoid to stress about ?

unSpawn · 04-15-2009, 06:17 PM

Quote:

Originally Posted by mike2010

Does anything stick out as a possible security risk ? I have SSH access allowed only per my IP. And always keep up to date with server / firewall updates.

Even though it's nice to see you have implemented IP restrictions and have the discipline to keep up to date, I'm not given to guessing about risks and especially not based on only this. Therefore I'd rather present you with a fishing rod rather than fish. That way you can make certain things are as they should be.

Quote:

Originally Posted by mike2010

maybe those warnings are just for the super paranoid to stress about ?

Even though it may be a known false positive and nothing to "stress" about I don't care for discussing opinions or labels like "super paranoid". I'd rather make certain and get things over with. Way more efficient.