Date created: Tuesday, January 29, 2013 10:45:35 AM. Last modified: Monday, October 14, 2024 2:34:35 PM
'rkhunter' - Notes
Allowing inetd services in rkhunter
Scan Warning:
Performing trojan specific checks
Checking for enabled inetd services [ Warning ]
rkhunter.conf addition:
INETD_ALLOWED_SVC=swat
INETD_ALLOWED_SVC=ident
INETD_ALLOWED_SVC=imap2
INETD_ALLOWED_SVC=imaps
INETD_ALLOWED_SVC=pop-3
Allowing UID 0 accounts
Scan Warning:
Performing group and account checks
Checking for root equivalent (UID 0) accounts [ Warning ]
rkhunter.conf addition:
UID0_ACCOUNTS="toor"
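As an added example (not from these notes or the rkhunter project), the shell script below reproduces the UID 0 account check against a passwd-format file so the UID0_ACCOUNTS whitelist can be reviewed on its own: it lists every UID 0 account that is neither root nor in the whitelist, which is exactly the set rkhunter still warns about. The function names, file paths and the sample passwd and rkhunter.conf contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original notes or the rkhunter project.
# Re-implements the "root equivalent (UID 0) accounts" check so that a
# UID0_ACCOUNTS whitelist can be reviewed before it is trusted.
# Assumes POSIX sh, awk, sed and grep; file names and contents in demo()
# are constructed sample data.

# Print every account name with UID 0 in the given passwd-format file.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Extract the names listed in UID0_ACCOUNTS="a b c" lines of an
# rkhunter.conf; quotes are stripped and multiple lines are merged.
whitelisted_uid0() {
    sed -n 's/^[[:space:]]*UID0_ACCOUNTS=//p' "$1" | tr -d '"' \
        | tr ' ' '\n' | sed '/^$/d'
}

# Print UID 0 accounts that are neither root nor whitelisted. These are
# the accounts that need an explanation (or removal) rather than a
# whitelist entry.
unlisted_uid0() {
    passwd="$1"; conf="$2"
    uid0_accounts "$passwd" | grep -vx 'root' | while read -r acct; do
        if ! whitelisted_uid0 "$conf" | grep -qx "$acct"; then
            printf '%s\n' "$acct"
        fi
    done
}

# Constructed sample input: a passwd file with two extra UID 0 accounts
# and a config that whitelists only "toor", as in the notes above.
# Expected result: only "sysop" is reported.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:BSD-style alternate root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysop:x:0:0:undocumented UID 0 account:/:/bin/sh
EOF
    cat > "$tmp/rkhunter.conf" <<'EOF'
UID0_ACCOUNTS="toor"
EOF
    unlisted_uid0 "$tmp/passwd" "$tmp/rkhunter.conf"
    rm -rf "$tmp"
}

demo
```

Run it against the live files with `unlisted_uid0 /etc/passwd /etc/rkhunter.conf`; an account that shows up there should only be whitelisted once its origin is known. After editing rkhunter.conf, `rkhunter -C` validates the configuration syntax and `rkhunter -c` reruns the scan.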
Allowing SSH root login
Scan Warning:
Performing system configuration file checks
Checking if SSH root access is allowed [ Warning ]
rkhunter.conf addition:
ALLOW_SSH_ROOT_USER=yes
Allowing hidden files and folders
Scan Warning:
Performing filesystem checks
Checking for hidden files and directories [ Warning ]
rkhunter.conf addition:
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWHIDDENDIR=/etc/.git
ALLOWHIDDENFILE=/etc/.etckeeper
ALLOWHIDDENFILE=/etc/.gitignore
Allowing symbolic links
Scan Warning:
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
rkhunter.conf addition:
ALLOWHIDDENFILE="/dev/.initramfs" # This only works in rkhunter version 1.4.0 onwards!
Allowing script files
Scan Warning:
Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
rkhunter.conf addition:
SCRIPTWHITELIST=/usr/bin/unhide.rb
Allowing old application versions
Scan Warning:
Checking application versions...
Checking version of PHP [ Warning ]
rkhunter.conf addition:
APP_WHITELIST="php:5.2.4 sshd:4.7p1"
Whitelisting a network application for all ports, or for specific ports only
Scan Warning:
Warning: Network TCP port 47107 is being used by /usr/lib/dovecot/imap-login. Possible rootkit: T0rn Use the 'lsof -i' or 'netstat -an' command to check this.
rkhunter.conf addition:
PORT_WHITELIST="/usr/lib/dovecot/imap-login"
PORT_WHITELIST="/usr/sbin/squid TCP:8118 TCP:3128"
PORT_WHITELIST="* TCP:22 TCP:80 TCP:443 TCP:8080"
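The three PORT_WHITELIST forms above differ a lot in how much they give away: a program name on its own is allowed on every port, a program with PROTO:port pairs is allowed only there, and `*` allows any program on the listed ports. As an added example (not from these notes or the rkhunter project), the shell script below parses PORT_WHITELIST lines from an rkhunter.conf and classifies each entry for review, flagging wildcards, all-port entries and entries whose program no longer exists on disk. The function names and the sample configuration in demo() are constructed for the demonstration; /opt/example/retired-daemon is a placeholder path assumed not to exist.

```shell
#!/bin/sh
# Added example, not from the original notes or the rkhunter project.
# Reviews PORT_WHITELIST entries of an rkhunter.conf. Entry syntax:
#   PORT_WHITELIST="<program-path-or-*> [PROTO:port ...]"
# Assumes POSIX sh, awk and sed; demo() uses constructed sample data.

# Emit one line per entry: "<program> <ports joined by comma, or ALL>".
port_whitelist_entries() {
    sed -n 's/^[[:space:]]*PORT_WHITELIST=//p' "$1" | tr -d '"' | awk '
        { prog = $1; ports = ""
          for (i = 2; i <= NF; i++) ports = ports (ports == "" ? "" : ",") $i
          print prog, (ports == "" ? "ALL" : ports) }'
}

# Classify each entry:
#   wildcard  - "*" lets any program listen on the listed ports
#   allports  - a program is whitelisted on every port
#   missing   - the named program does not exist (stale entry)
#   ok        - a specific, existing program on specific ports
port_whitelist_review() {
    port_whitelist_entries "$1" | while read -r prog ports; do
        if [ "$prog" = "*" ]; then
            printf 'wildcard %s\n' "$ports"
        elif [ "$ports" = "ALL" ]; then
            printf 'allports %s\n' "$prog"
        elif [ ! -e "$prog" ]; then
            printf 'missing %s\n' "$prog"
        else
            printf 'ok %s %s\n' "$prog" "$ports"
        fi
    done
}

# Constructed sample configuration mirroring the three forms in the
# notes, plus one entry for an existing program (/bin/sh) on one port.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/rkhunter.conf" <<'EOF'
# comment lines and unrelated keys are ignored
ALLOW_SSH_ROOT_USER=yes
PORT_WHITELIST="/usr/lib/dovecot/imap-login"
PORT_WHITELIST="/opt/example/retired-daemon TCP:8118 TCP:3128"
PORT_WHITELIST="* TCP:22 TCP:80 TCP:443 TCP:8080"
PORT_WHITELIST="/bin/sh TCP:8080"
EOF
    port_whitelist_review "$tmp/rkhunter.conf"
    rm -rf "$tmp"
}

demo
```

On a real host run `port_whitelist_review /etc/rkhunter.conf` and treat every `wildcard`, `allports` and `missing` line as something to tighten or remove: the narrowest entry that silences the warning (program plus port) keeps the listening-port check meaningful for everything else.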