LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-29-2015, 11:37 PM   #1
rbheiss
LQ Newbie
 
Registered: Oct 2015
Posts: 2

rkhunter warnings - Should I be concerned and if so how do I fix this?


I just downloaded and ran rkhunter on openSUSE 13.2 with the XFCE desktop and got these warning messages:

Checking for prerequisites [ Warning ]
/usr/sbin/ifup [ Warning ]
/usr/bin/chkconfig [ Warning ]
/usr/bin/egrep [ Warning ]
/usr/bin/fgrep [ Warning ]
/usr/bin/ldd [ Warning ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
Checking for running syslog daemon [ Warning ]
Checking for hidden files and directories [ Warning ]

Am I screwed or how can I fix the problems claimed to be affecting my system? I'm pretty new to Linux these days. I remember the old days prior to Slackware but it's all new to me again with modern twists because I got lazy and used Windows too long. Heck, I started on Plato back in 1973 and so much has changed!

Any help for a 50 year young guy would be appreciated!

Thanks,

Rolland
 
Old 10-30-2015, 02:02 AM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,439

Quote:
I just downloaded and ran rkhunter
So you did not use the version that is already in the SUSE repos?

Code:
zypper se rkhunter

Loading repository data...
Reading installed packages...

S | Name     | Summary                                                          | Type   
--+----------+------------------------------------------------------------------+--------
 i | rkhunter | Rootkit Hunter Scans for Rootkits, Backdoors, and Local Exploits | package
Did you read the manual?
Code:
man rkhunter
Did you read the openSUSE wiki page?
https://en.opensuse.org/Rootkit_Hunter
Did you set up the database and then run an "update" to update the rules?

Code:
su -
rkhunter --propupd --pkgmgr rpm

rkhunter --update
 
Old 10-30-2015, 07:29 AM   #3
rbheiss
LQ Newbie
 
Registered: Oct 2015
Posts: 2

Original Poster
Quote:
Originally Posted by John VV View Post
so you did not use the version that is already in the suse repos
Thanks for your helpful reply, John. No, I didn't use the version already in the repos at first. I tried to install it from the web, but the install failed. It was only then that I searched for the program in the SUSE repos and installed it from there.

Take care,

Rolland
 
Old 10-30-2015, 09:53 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

I had expected something more, well, verbose from Rkhunter. Are you sure that is all the detail it provided, and have you turned the verbosity up to maximum (whatever that takes)? Anyway...

Quote:
I just downloaded and ran rkhunter on OpenSuse 13.2....
First problem (and it's not your problem): If you want to be that little bit paranoid about security (and you should), you should really run Rkh before doing anything else. Given that it isn't on the openSUSE install disk (last time I checked), you can't; you have to connect to the network, and you have to grab it via YaST/Zypper, etc.

This is important because you want to run it on a pristine, clean system before making any updates, and use that as a reference (the appropriate switch is documented in the man page). This reference is then used to ask: 'If there are any changes (deltas to the original reference system), have they occurred as a result of deliberate, known, explicitly requested updates, or is there some unknown thing causing them?' If the answer is 'unknown thing', then worry.

If there is any chance that someone makes a change before you capture the reference state, then that is bad, as that change will be under the radar, for all time (or, at least, 'till a re-install). This is why getting that snapshot early is vital. And that's what I need to complain to them about.

(After that, when you make a deliberate update, that changes the reference system, so you capture a new reference state, but only once you have made sure that you understand what has gone on.)

OK, that said...

Quote:
Checking for prerequisites [ Warning ]
/usr/sbin/ifup [ Warning ]
/usr/bin/chkconfig [ Warning ]
/usr/bin/egrep [ Warning ]
/usr/bin/fgrep [ Warning ]
/usr/bin/ldd [ Warning ]
Is that all the detail that you've got? ifup is probably called out because either
  • you are using nm/wicd in its stead
  • you have a link to ifup
Both of which could be suspicious, but practically aren't (assuming that you know what is going on, and it is all deliberate on your part).

I think egrep/fgrep and ldd are used by Rkh, and it is a link to those (which could be misdirection to a 'tricked up' executable that does something bad) which is causing suspicion. Check any link points to a sensible place, and that the executable there is the one known to, eg, yast. Anything else would trigger real suspicions. (Although there is a 'brute force and ignorance' way of dealing with this, which is to use, eg, Yast to overwrite these executables and ensure that the location that Yast has just used is the one pointed to by the links. Not a pretty way of dealing with it, but at least you are sure...or sure-ish.)

Quote:
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
You have probably added a user or changed a password. Not a problem if you can pinpoint the exact action that caused it, otherwise suspicious.

Quote:
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
If you don't need ssh, disable it. If you do:
  • root ssh is dangerous and unnecessary; disable
  • ssh protocol v1 is obsolete and buggy (vulnerable) and can be disabled in the config file; I can't see any reason for not disabling V1, these days, and would be a bit surprised if V1 = disabled (or whatever the exact invocation is) isn't the openSUSE default

Quote:
Checking for running syslog daemon [ Warning ]
Checking for hidden files and directories [ Warning ]
Would need more detail, but I have a suspicion that the syslog daemon thing may be due to the changes (various things change names) with systemd. The hidden files and directories; well, it is absolutely normal for there to be some, so you'd have to review exactly what it found suspicious in order to progress from there (inevitably, there will be a big list, to most of which you will respond 'Of course!', but are there any others? Are there unexplained ones?)
 
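The two procedures above (post #2's baseline with --propupd/--update, and post #4's advice to check where the flagged links point, whether the file is the one the package manager knows, and what sshd_config actually says) as one shell script. This is an added example, not code from the thread or from the rkhunter project. It assumes an rpm-based system such as openSUSE (rpm -qf / rpm -V are what YaST and zypper sit on top of), sshd_config at /etc/ssh/sshd_config, and that the usual reason rkhunter flags egrep/fgrep/ldd/chkconfig/ifup is that it expected a native binary and found a shell or perl script instead; that last point is an assumption about the poster's system, the log (see post #5) is what confirms it.

```shell
#!/bin/sh
# Added example (not from the thread): rkhunter baseline plus triage helpers
# for an rpm-based system. Paths and flags are assumptions documented inline.

# 1. Baseline, rule update and a warnings-only scan, as suggested in post #2.
#    Run as root. --propupd records file properties; --pkgmgr RPM makes
#    rkhunter trust the rpm database for hashes instead of its own copies;
#    --sk skips the "press enter" prompts; --rwo reports warnings only.
rkh_baseline_and_check() {
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter not installed" >&2; return 1; }
    rkhunter --propupd --pkgmgr RPM && rkhunter --update
    rkhunter --check --sk --rwo
}

# 2. Effective value of an sshd_config keyword. sshd honours the first
#    uncommented occurrence, so that is what we print; "unset" means the
#    keyword is absent, which is exactly what rkhunter complains about for
#    "Protocol" (and why an explicit "Protocol 2" line silences it).
sshd_setting() {            # sshd_setting FILE KEYWORD
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# 3. Is a flagged "binary" really a script?  Follow the symlink first so the
#    target is inspected, not the link, then look for a shebang.
is_script() {               # is_script PATH -> prints "script" or "binary"
    target=$(readlink -f "$1") || return 1
    if [ "$(head -c 2 "$target" 2>/dev/null)" = "#!" ]; then
        echo script
    else
        echo binary
    fi
}

# 4. Ask rpm who owns the resolved path and whether the file still matches
#    the package. rpm -V prints nothing for an unmodified file, so an empty
#    grep result means "OK"; anything else is the rpm -V flag string.
rpm_verify_path() {         # rpm_verify_path PATH
    target=$(readlink -f "$1") || return 1
    pkg=$(rpm -qf "$target" 2>/dev/null) || { echo "$target: not owned by any package"; return 2; }
    out=$(rpm -V "$pkg" | grep -F " $target" || true)
    if [ -z "$out" ]; then
        echo "$target: $pkg OK"
    else
        echo "$target: $pkg MODIFIED: $out"
    fi
}

# Usage (as root), for the five files called out in post #1:
#   rkh_baseline_and_check
#   for f in /usr/sbin/ifup /usr/bin/chkconfig /usr/bin/egrep /usr/bin/fgrep /usr/bin/ldd; do
#       echo "$f -> $(readlink -f "$f") [$(is_script "$f")]"
#       rpm_verify_path "$f"
#   done
#   sshd_setting /etc/ssh/sshd_config PermitRootLogin
#   sshd_setting /etc/ssh/sshd_config Protocol
```

A file that resolves to a script owned by a package and reported OK by rpm -V is a false positive you can whitelist in rkhunter.conf; a file that is not owned by any package, or that rpm -V reports as modified, is the case salasi says should "trigger real suspicions". Note that rpm -V compares against the rpm database on the same host, so it is only as trustworthy as that database; a compromised system can lie to you here.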
Old 10-30-2015, 11:10 AM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
What you should be concerned about is clearly identified in /var/log/rkhunter.log.
Have a look.

 
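Reading the log is the right answer, and it can be done mechanically: each "[ Warning ]" in the summary corresponds to one or more "Warning:" lines in /var/log/rkhunter.log that give the reason. The script below, an added example that is not part of the thread or of rkhunter itself, pulls those lines out and turns the two kinds most likely behind post #1's list (commands that are scripts, hidden files/dirs) into rkhunter.conf whitelist entries. The sample log it writes is constructed after the wording rkhunter uses and is not the poster's real log; the log path and the "[HH:MM:SS] Warning:" line format are assumptions; SCRIPTWHITELIST, ALLOWHIDDENDIR and ALLOWHIDDENFILE are rkhunter.conf options.

```shell
#!/bin/sh
# Added example (not from the thread): explain rkhunter summary warnings from
# the log and generate whitelist lines for the ones you have verified.

RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}   # assumed default location

# Constructed sample log (not a real capture) so the script runs offline.
rkh_sample_log() {          # rkh_sample_log OUTFILE
    cat > "$1" <<'EOF'
[11:37:02] Info: Starting file properties checks
[11:37:02] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[11:37:02] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[11:37:05] Warning: Hidden directory found: /etc/.java
[11:37:05] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data
[11:37:06] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
EOF
}

# Every "Warning:" line with the timestamp stripped: the reason behind each
# "[ Warning ]" in the summary.
rkh_warnings() {            # rkh_warnings [LOGFILE]
    sed -n 's/^\[[0-9:]*\][[:space:]]*Warning: //p' "${1:-$RKH_LOG}"
}

# Commands flagged because they turned out to be scripts, not binaries.
rkh_script_paths() {        # rkh_script_paths [LOGFILE]
    rkh_warnings "${1:-}" | sed -n "s/^The command '\([^']*\)' has been replaced by a script:.*/\1/p"
}

# Hidden files and directories, printed as "file PATH" / "directory PATH".
# The trailing ":" plus file(1) description is dropped from the path field.
rkh_hidden_paths() {        # rkh_hidden_paths [LOGFILE]
    rkh_warnings "${1:-}" | awk '/^Hidden (file|directory) found: / { sub(/:.*$/, "", $4); print $2, $4 }'
}

# Whitelist lines for rkhunter.conf (or /etc/rkhunter.conf.local if your
# build reads one). Only feed this paths you have already verified against
# the package manager; whitelisting an unverified file hides a real change.
rkh_whitelist_lines() {     # rkh_whitelist_lines [LOGFILE]
    rkh_script_paths "${1:-}" | sed 's/^/SCRIPTWHITELIST=/'
    rkh_hidden_paths "${1:-}" | awk '
        $1 == "directory" { print "ALLOWHIDDENDIR=" $2 }
        $1 == "file"      { print "ALLOWHIDDENFILE=" $2 }'
}

# Usage against the real log:   rkh_warnings; rkh_whitelist_lines
# Demo against the constructed sample:
#   rkh_sample_log /tmp/rkh-sample.log && rkh_whitelist_lines /tmp/rkh-sample.log
```

After adding the lines to rkhunter.conf, run `rkhunter -C` to check the config parses, then `rkhunter --check --sk --rwo` again; the warnings you whitelisted should be gone and anything left is what still needs an explanation. The SSH warning in the sample has no whitelist: the fix for that one is an explicit PermitRootLogin/Protocol line in sshd_config, as post #4 says.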
Old 10-31-2015, 06:41 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,406
Quote:
Originally Posted by rbheiss View Post
I'm pretty new to Linux these days. I remember the old days (..) so much has changed!
Next to what Habitual pointed to, one thing that hasn't changed since the old days is the power of documentation: the README and FAQ will point you to most things you want to know about, and to where you can find more info.
 