LinuxQuestions.org
Old 06-13-2006, 03:07 AM   #1
zonr
How can I uninstall rkhunter


Hi everyone:

I would like to know how to uninstall rkhunter (rkhunter-1.2.8).

The server is using CentOS 4.

Thanks.
 
Old 06-13-2006, 05:20 AM   #2
unSpawn
Moderator
If it's not an rpm just "slocate rkhunter" and remove the dirs/files.
Any particular reason why you would want to remove it?
 
Old 06-14-2006, 02:01 AM   #3
zonr
Thank you for your help.

The reason for removing rkhunter is as follows.

After installing rkhunter and psad I have had difficulties. My sites do not show up. I already removed psad but the problem continues.

My main problem is that the sites disappear from the net but after I run the command /sbin/service iptables stop my sites show up again.

I also just noticed that I can run /sbin/service iptables start and my sites still show up. When I run /sbin/service iptables status I notice that the firewall is not active. I am now looking into the firewall.

I also think that maybe psad reconfigured my firewall, so I need to look into that possibility as well now. I know that psad requires adding some new rules but I do not understand how to do them.

I really do not even know if rkhunter is the problem but it was one of two pieces of software that I installed just before I started having difficulties. I have noticed that when I run rkhunter -c everything checks out [OK]. The few exceptions are...
Checking /etc/inetd.conf [ Not found ]
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
and
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/dev/.udev.tdb
/etc/.passwd.swo
/etc/.pwd.lock
/etc/.passwd.swp
/etc/.demousers
/etc/.whostmgrft
/etc/.demodomains
---------------
Please inspect: /etc/.passwd.swo (data) /etc/.passwd.swp (data)
But I do not know what to inspect/check for?

Vulnerable applications: 2

I know the problem has to do with iptables and the firewall but I am a beginner and I still don't understand what I am doing. So I thought, just delete the software for now.

I do prefer to fix it, not remove it. And after I find out the error(s), I want to reinstall psad as well. If you can help I will be so grateful!

Thank you very much.
Zon

Last edited by zonr; 06-14-2006 at 02:56 AM.
 
Old 06-14-2006, 06:14 AM   #4
unSpawn
Moderator
The reason for removing rkhunter is as follows. (..) My sites do not show up.
I can state that (if you got your copy of the version 1.2.8 tarball from a "known good" source and the checksums match), with a certainty close to one hundred percent, RKH cannot be the culprit. There is *nothing* in the source of RKH that would (in comparison to, say, Bastille-Linux) proactively snuff features on your box. It simply is not possible.


after I run the command /sbin/service iptables stop my sites show up again
In contrast to other services, "iptables stop" clears the firewall rules and basically sets everything else to ACCEPT (do a "/sbin/iptables -n -L" and you'll see).


I really do not even know if rkhunter is the problem but it was one of two software that I installed just before I started having difficulties.
While you may hate documenting things, 0) running a file integrity checker (Aide, Samhain and such) and 1) keeping an admin changelog on the box would definitely help you here. Write down any config changes so you don't have to rely on memory. The file integrity checker will pick up changes you forgot to jot down, changes made by updates and changes made by anyone else, all for you to investigate.


Checking /etc/inetd.conf [ Not found ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]

On most distros inetd was replaced with xinetd one millennium ago.
The other files are local customisations (/usr/local/etc) or distro-specific files.
If you have none of the above according to your distro, and they also do not appear without you knowing, then that is OK.


/dev/.udev.tdb /etc/.passwd.swo
/etc/.pwd.lock
/etc/.passwd.swp
/etc/.demousers
/etc/.whostmgrft
/etc/.demodomains
Please inspect: /etc/.passwd.swo (data) /etc/.passwd.swp (data)

The FAQ says: "Most system directories contain no hidden* directories and files, but there are a few special exceptions. (listing) If you are 100 percent sure a hidden directory/file is valid for your system, add it to the whitelist. See the configuration file for more information."
* dot-files are called "hidden" because one would need to use "extra" flags to see them while listing files.
So. How to determine if these files are valid? You'll usually start with matching the name of the file to its purpose or package. To verify, use:
- toolkit (stat, fuser, lsof, slocate, man -k),
- visual inspection (vi -R, strings, less),
- system auth, logfiles,
- package management database (rpm -q --whatprovides) and,
- knowledge or shared knowledge, like LQ.

Let's put that to practice: we have file /etc/.x. Its name doesn't ring a bell. While not the "best" method, I'll start by running "file /etc/.x", showing what type of file it is. Next run "fuser /etc/.x", which shows if it's in use. If it is, then query the PID with "lsof -n -i -p (insert PID here)|less" for info on the process. If it's not in use and if it's readable, read it. If it's not, use "strings -an1 /etc/.x|less" to try and see if something in the contents looks familiar. If it's not, see if "rpm -q --whatprovides /etc/.x" returns a package name. If it doesn't, run "stat /etc/.x". This gives the modification time (file contents changed) and access time (reading file contents). You can try and correlate the date to activity in the system logs (see /etc/syslog.conf for details) and system auth data ("last|more"), but if contents changed a long time ago and it wasn't recently "read" then it may have been a config/cache/database that was added at install or upgrade time. If nothing of the above works for the file, search / ask at LQ and other sites for info (you could also jump on the RKH mailing list). (If that doesn't work either then there's a last-resort chance and that would be moving the file to another location, rebooting the box and seeing if something goes wrong. Of course you should not do that if it's a production box, if the box is in colo or if you have no means to safely boot and repair the box running, say, a rescue or LiveCD.)

OK. So I didn't add an explanation per file, but I gave you the information you need to practice determining if a file is valid. If unsure after you've tried: post the filename and file details here.


I know the problem has to do with the iptables and the firewall but I am a beginner and I still don't understand what I am doing.
Then maybe it's time to start reading the IPTables Tutorial. It's quite compact, so maybe only read the basics. Now start your firewall and any app that gives you firewall trouble. Now run "/sbin/iptables-save 2>&1|tee /tmp/iptables_rules_current". The file /tmp/iptables_rules_current now contains all the rules that are loaded. Make a new thread, give it an appropriate title, say "PSAD denies access to tcp/80", and post the rules in a "code" block.
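The per-file checklist unSpawn walks through above (file, fuser, rpm -q --whatprovides, stat, strings), as an added shell example that is not part of the thread and not part of rkhunter. It assumes a CentOS-style box where rpm is the package manager, but every tool is optional: if file(1), fuser, rpm/dpkg or strings are missing the report just says so and carries on. The only thing it adds to the post is the observation that for a name like /etc/.passwd.swp the usual benign answer from file(1) is "Vim swap file", which still has to agree with the owner, timestamps and "in use" checks before you whitelist it.

```shell
#!/bin/sh
# Added example (not from the thread, not part of rkhunter): walk the
# checklist for one dot-file that "Scanning for hidden files" flagged.
# Assumes a CentOS-style box with rpm; every tool is optional.

# owner_of PATH -> rpm:<pkg> | dpkg:<pkg> | unpackaged | unknown
# "unpackaged" is the interesting answer: nothing installed by the package
# manager claims the file, so something created it locally (editor, daemon,
# installer script, or an intruder).
owner_of() {
    f=$1
    if command -v rpm >/dev/null 2>&1; then
        # rpm exits 1 and complains when no package provides the path
        if pkg=$(rpm -q --whatprovides "$f" 2>/dev/null); then
            printf 'rpm:%s\n' "$pkg"
        else
            printf 'unpackaged\n'
        fi
        return 0
    fi
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$f" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] && printf 'dpkg:%s\n' "$pkg" || printf 'unpackaged\n'
        return 0
    fi
    printf 'unknown\n'          # no package manager found to ask
}

# triage_file PATH: print one report; return 1 if PATH does not exist.
triage_file() {
    f=$1
    if [ ! -e "$f" ]; then
        printf '%s: no such file\n' "$f" >&2
        return 1
    fi
    printf '== %s ==\n' "$f"

    # 1. What is it? For /etc/.passwd.swp the usual benign answer is
    #    "Vim swap file": someone edited /etc/passwd and vi died or is still open.
    if command -v file >/dev/null 2>&1; then
        printf 'type:    %s\n' "$(file -b "$f")"
    else
        printf 'type:    (file(1) not installed)\n'
    fi

    # 2. Is a process holding it open? fuser prints PIDs on stdout, exits 1 if none.
    if command -v fuser >/dev/null 2>&1; then
        pids=$(fuser "$f" 2>/dev/null || true)
        printf 'in use:  %s\n' "${pids:-no}"
    fi

    # 3. Does the package database claim it?
    printf 'package: %s\n' "$(owner_of "$f")"

    # 4. Owner, mode and timestamps. Correlate mtime/atime with /var/log/messages,
    #    /var/log/secure and "last". GNU stat first, BSD stat as fallback.
    printf 'owner:   %s\n' "$(stat -c '%U:%G mode %a' "$f" 2>/dev/null || stat -f '%Su:%Sg mode %Lp' "$f")"
    printf 'mtime:   %s\n' "$(stat -c '%y' "$f" 2>/dev/null || stat -f '%Sm' "$f")"
    printf 'atime:   %s\n' "$(stat -c '%x' "$f" 2>/dev/null || stat -f '%Sa' "$f")"

    # 5. A few printable strings, to see whether the contents ring a bell.
    printf 'strings: '
    if command -v strings >/dev/null 2>&1; then
        strings -n 4 "$f" | head -n 3 | tr '\n' '|'
    else
        tr -c '[:print:]' '\n' < "$f" | grep -E '.{4,}' | head -n 3 | tr '\n' '|'
    fi
    printf '\n'
}

# Usage: for f in /etc/.passwd.swo /etc/.passwd.swp /etc/.whostmgrft; do triage_file "$f"; done
```

Run it over the flagged paths and read the report the way the post suggests: a packaged file with an old mtime is almost certainly a whitelist candidate; an unpackaged file that is open by a process you do not recognise, or whose mtime lines up with an odd login in /var/log/secure, is the one to keep digging into.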
 
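The iptables-save dump unSpawn asks for is also something you can read yourself before posting it. Below is an added example (not from the thread, not psad's or CentOS's code) that takes such a dump on stdin and answers "what happens to a new inbound tcp/PORT packet in INPUT?". The dump is a constructed sample, modelled on the situation zonr describes: psad's documentation has you add iptables LOG rules so psad can read the log messages, and LOG by itself drops nothing; what actually denies tcp/80 here is an INPUT policy of DROP with no ACCEPT rule for the port. The analysis is deliberately simplified: filter table and INPUT chain only, rules qualified with -i/-s/-d/-m and no --dport are treated as conditional and skipped for the verdict, and user-defined chains are ignored.

```shell
#!/bin/sh
# Added example, not from the thread: read an iptables-save dump on stdin
# and report which INPUT rules touch tcp/PORT and what decides the fate of a
# NEW inbound connection to it (explicit rule, catch-all rule, or policy).

# Constructed sample dump: psad-style LOG rules present, no ACCEPT for tcp/80.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "DROP "
-A INPUT -j LOG --log-prefix "DROP "
COMMIT'

# audit_port PORT  < iptables-save-dump
audit_port() {
    awk -v port="$1" '
        /^\*/              { table = substr($0, 2); next }   # *filter, *nat, ...
        table != "filter"  { next }
        /^:INPUT /         { policy = $2; print "INPUT policy: " policy; next }
        /^-A INPUT /       {
            target = ""; dport = ""; proto = "any"; conditional = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-j")      target = $(i + 1)
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-i" || $i == "-s" || $i == "-d" || $i == "-m") conditional = 1
            }
            # "-m tcp --dport N" is just how a port match is spelled; the port
            # is the condition we evaluate, so it is not "conditional" for us.
            if (dport != "") conditional = 0
            if (proto != "any" && proto != "tcp") next     # cannot touch a tcp port
            if (dport == port)
                print "matches tcp/" port ": " $0
            else if (dport == "" && target != "ACCEPT")
                print "other rule (no port match): " $0
            # LOG is non-terminating; the first ACCEPT/DROP/REJECT that applies
            # to a new tcp/PORT packet decides.
            if (verdict == "" && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
                if (dport == port)                    verdict = target " (explicit rule)"
                else if (dport == "" && !conditional) verdict = target " (catch-all rule)"
            }
        }
        END {
            if (verdict == "") verdict = policy " (chain policy, no rule matched)"
            print "verdict for new inbound tcp/" port ": " verdict
        }'
}

# verdict_for PORT  < iptables-save-dump : just the verdict line, for scripting
verdict_for() { audit_port "$1" | sed -n 's/^verdict for new inbound tcp\/[0-9]*: //p'; }

# Usage on a live box:  /sbin/iptables-save | audit_port 80
printf '%s\n' "$SAMPLE_RULES" | audit_port 80
```

On the sample this prints the DROP policy, the tcp/80 LOG rule, the trailing catch-all LOG rule, and the verdict "DROP (chain policy, no rule matched)". Adding "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" before the LOG rules changes the verdict to "ACCEPT (explicit rule)" without touching psad's logging, which is the shape of fix the thread title would be asking for.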