LinuxQuestions.org
10-19-2013, 05:41 AM   #1   agriz (Member)
Warnings in RKHUNTER


Why does Rkhunter give a lot of warnings?

Code:
rkhunter Daily Run
Code:
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': no
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset
Warning: Suspicious file types found in /dev:
         /dev/.udev/db/block:sda: ASCII text
         /dev/.udev/db/module:nf_nat_ftp: ASCII text
         /dev/.udev/db/module:xt_conntrack: ASCII text
         /dev/.udev/db/module:iptable_mangle: ASCII text
         /dev/.udev/db/module:nf_conntrack_ftp: ASCII text
         /dev/.udev/db/module:ipt_REDIRECT: ASCII text
         /dev/.udev/db/module:iptable_nat: ASCII text
         /dev/.udev/db/module:nf_nat: ASCII text
         /dev/.udev/db/module:xt_owner: ASCII text
         /dev/.udev/db/module:xt_connlimit: ASCII text
         /dev/.udev/db/module:xt_recent: ASCII text
         ...
 
10-19-2013, 06:39 AM   #2   Stuferus (Member, Germany, Slackware)
false positive?!
 
10-19-2013, 06:56 AM   #3   unSpawn (Moderator)
Quote:
Originally Posted by agriz
Why does Rkhunter gives a lot of warning?
Because you haven't:
- read the comments in rkhunter.conf,
- read the README and FAQ that Rootkit Hunter came with,
- searched the rkhunter-users mailing list archive as the README suggests,
- learned from previous threads of yours?..
 
10-19-2013, 08:04 AM   #4   agriz (Member, Original Poster)
The previous thread was a different question.

Yes, I don't know much about rkhunter.
But even if I update rkhunter with --propupd, it still gives me warnings.
 
10-20-2013, 06:10 AM   #5   agriz (Member, Original Poster)
I had this same warning on my old server.
I just moved to a new server.

I changed most of my scripts.
I have only uploaded 20% of the new scripts and am working on modifying the other scripts.

Again rkhunter is telling me that "this system is infected".
How does it say that?
In what way is it infected?
Is it really infected or not?
 
10-20-2013, 08:31 AM   #6   unSpawn (Moderator)
Quote:
Originally Posted by agriz
The previous thread was a different question.
No, this thread also deals with ALLOWDEVFILE.


Quote:
Originally Posted by agriz
Yes, I don't know much about rkhunter.
That's why I pointed you to the comments in rkhunter.conf, the README and the FAQ because you should know what you run.


Quote:
Originally Posted by agriz
But even if I update rkhunter with --propupd, it still gives me warnings.
You're abusing the update feature as a way to get rid of errors. That's not how RKH should be used.


Quote:
Originally Posted by agriz
(..)rkhunter is telling me that "this system is infected".
How does it say that?
In what way is it infected?
Is it really infected or not?
You rely on the report output while you should be reading the rkhunter.log for details!
 
10-20-2013, 08:55 AM   #7   agriz (Member, Original Poster)
@unSpawn

I am really a Windows user.
I just maintain the server for my website. I don't have much connection with Linux.

I checked the log file.
It keeps mentioning the following files.

Code:
         /dev/.udev/db/block:sda: ASCII text
         /dev/.udev/db/module:nf_nat_ftp: ASCII text
         /dev/.udev/db/module:xt_conntrack: ASCII text
         /dev/.udev/db/module:iptable_mangle: ASCII text
         /dev/.udev/db/module:nf_conntrack_ftp: ASCII text
         /dev/.udev/db/module:ipt_REDIRECT: ASCII text
         /dev/.udev/db/module:iptable_nat: ASCII text
         /dev/.udev/db/module:nf_nat: ASCII text
         /dev/.udev/db/module:xt_owner: ASCII text
         /dev/.udev/db/module:xt_connlimit: ASCII text
         /dev/.udev/db/module:xt_recent: ASCII text
         ...
I installed Fedora and installed rkhunter on my computer, and it gives the same error there too.
I can't compare Windows / Mac with Linux.
They work differently. Linux is quite different and highly, highly difficult for new users.

But I don't know why rkhunter is giving the error on a new system too.

I am sorry about that last thread.
I saw that thread as being about rkhunter not working.
Since rkhunter started to work, I left that thread. Otherwise I would have continued with it.


I did rkhunter --propupd because I believe the system is clean.
A few lines were commented out with # in the rkhunter.conf file.
I removed that comment, so I thought it would stop giving that warning.
I am still facing the warning.
 
10-20-2013, 10:55 AM   #8   agriz (Member, Original Poster)
I did understand a few of them in the rkhunter.conf file.
I didn't understand some of them.

I made a few changes where I was very sure about making a change. I left the others at their defaults.

Now,

Code:
 Allow the specified hidden directories to be whitelisted
How do I know which directories should be whitelisted?

Code:
 Allow the specified hidden files to be whitelisted
Again, how do I know which hidden files should be whitelisted?

Code:
Allow the specified files to be present in the /dev directory
Which files can be present in /dev and which should not be?

RKHUNTER is throwing errors mostly on these files and folders.
So, how do I configure these options to avoid false warnings?
 
10-20-2013, 01:32 PM   #9   unSpawn (Moderator)
Quote:
Originally Posted by agriz
I checked the log file.
It keeps mentioning the following files.

Code:
         /dev/.udev/db/block:sda: ASCII text
         /dev/.udev/db/module:nf_nat_ftp: ASCII text
         /dev/.udev/db/module:xt_conntrack: ASCII text
         /dev/.udev/db/module:iptable_mangle: ASCII text
         /dev/.udev/db/module:nf_conntrack_ftp: ASCII text
         /dev/.udev/db/module:ipt_REDIRECT: ASCII text
         /dev/.udev/db/module:iptable_nat: ASCII text
         /dev/.udev/db/module:nf_nat: ASCII text
         /dev/.udev/db/module:xt_owner: ASCII text
         /dev/.udev/db/module:xt_connlimit: ASCII text
         /dev/.udev/db/module:xt_recent: ASCII text
         ...
You'll need something like
Code:
ALLOWDEVFILE=/dev/.udev/db/block*
ALLOWDEVFILE=/dev/.udev/db/module*
...

Quote:
Originally Posted by agriz
I am sorry about that last thread. I saw that thread as being about rkhunter not working. Since rkhunter started to work, I left that thread. Otherwise I would have continued with it.
If it worked then you at least should have told those trying to help you, posted your solution and marked the thread solved.
Should I explain why?


As for your other questions: please see the FAQ, items 3.7 "I have just installed Rootkit Hunter, and I am already getting warning messages. Why is that?" and 6.1 "Common whitelisting examples", post relevant rkhunter.log excerpts and show your proposed rkhunter.conf(.local) changes.
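The whitelisting approach from this answer, as an added example that is not part of the thread or of rkhunter itself: a POSIX shell script that turns the warning text quoted above into a rkhunter.conf.local fragment the admin can read before appending. It assumes rkhunter accepts trailing "*" globs in ALLOWDEVFILE (as the lines above use) and plain yes/no values for ALLOW_SSH_ROOT_USER; the sample warning is constructed to mirror the one in the thread, with one extra non-udev file added to show what is deliberately not whitelisted.

```shell
#!/bin/sh
# Added example (not from the thread or from rkhunter): turn the "/dev" and
# SSH warnings quoted above into a rkhunter.conf.local fragment. Only the udev
# database under /dev/.udev/db/ gets the ALLOWDEVFILE globs from post #9;
# any other /dev file is flagged for review instead of being whitelisted.

# Constructed sample, modelled on the thread's warning, plus /dev/somefile
# which does not belong to the udev database and must not be whitelisted.
SAMPLE_WARNING="Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': no
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': unset
Warning: Suspicious file types found in /dev:
         /dev/.udev/db/block:sda: ASCII text
         /dev/.udev/db/module:nf_nat_ftp: ASCII text
         /dev/.udev/db/module:xt_conntrack: ASCII text
         /dev/somefile: ASCII text"

# Read warning text on stdin; print one ALLOWDEVFILE line per udev db prefix
# (e.g. /dev/.udev/db/module:xt_owner -> ALLOWDEVFILE=/dev/.udev/db/module*)
# and a commented REVIEW line for everything else.
propose_allowdevfile() {
    sed -n 's/^[[:space:]]*\(\/dev\/[^ ]*\): \(.*\)/\1|\2/p' |
    while IFS='|' read -r path ftype; do
        case "$path" in
            /dev/.udev/db/*:*)
                if [ "$ftype" = "ASCII text" ]; then
                    printf 'ALLOWDEVFILE=%s*\n' "${path%%:*}"
                    continue
                fi ;;
        esac
        printf '# REVIEW before whitelisting: %s (%s)\n' "$path" "$ftype"
    done | sort -u
}

# ALLOW_SSH_ROOT_USER should mirror sshd's PermitRootLogin (assumed yes/no).
propose_ssh_root_setting() {
    val=$(sed -n "s/^[[:space:]]*SSH configuration option 'PermitRootLogin': \(.*\)/\1/p" | head -n 1)
    case "$val" in
        yes|no) printf 'ALLOW_SSH_ROOT_USER=%s\n' "$val" ;;
        "")     ;;
        *)      printf '# REVIEW: PermitRootLogin is %s; set ALLOW_SSH_ROOT_USER by hand\n' "$val" ;;
    esac
}

build_conf_fragment() {
    printf '%s\n' "$1" | propose_ssh_root_setting
    printf '%s\n' "$1" | propose_allowdevfile
}
build_conf_fragment "$SAMPLE_WARNING"
```

Run it against a real log by replacing the sample with the relevant rkhunter.log excerpt; the REVIEW lines are the ones worth looking at, since they are exactly the files the udev globs would not explain.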
 
10-21-2013, 11:04 AM   #10   agriz (Member, Original Poster)
I apologise.
It is my mistake, and that thread is not solved completely.
I just commented one line in the rkhunter config, which might be causing so much trouble.

That is why I didn't mark it as solved.

I am reading the FAQ sections.
 