3 Open Ports

Archived topics about LMDE 1 and LMDE 2
Habitual

Re: 3 Open Ports

Post by Habitual »

Fred Barclay wrote: Yeah, sorry, I started a new thread a few hours ago about this. I was just letting you know that the link you sent did not show any open ports. :D

But as far as rkhunter itself goes, I do believe that the trouble was my not running the --propupd just as you mentioned. :oops: If you want to look at that thread, it's http://forums.linuxmint.com/viewtopic.p ... 2&t=207441 My last post there will have the log file you requested.

EDIT: Wait...what??? I was responding to a post by you that doesn't seem to be there. :? :lol:
I've been leered at over things like 'this'. Hey, I'm good, but I'm not that good.
Yes, some black stump stuff for sure.
I guess I edited a quoted reply incorrectly, or double-edited sounds about right.
No worries some folks say!!!

Here's the basic text:
You need to always run

Code:

rkhunter --propupd

under any of the following conditions:
  1. apt-get upgrade
  2. apt-get dist-upgrade
  3. apt-get dist-upgrade
  4. any edit of /etc/rkhunter.conf
From the report, it appears you haven't run

Code:

rkhunter --propupd

and things have greatly changed since it was installed and/or first run.
Would you agree with my estimate?

We can squash most false-positives on Ubuntu-flavored hosts with 2 commands and one insert.
And we can't blindly do that until you (well 'we/me' with you) examine closely what is generating those Warning:(s), and that is in /var/log/rkhunter.log.

Can you pastebin that file before you do anything else with rkhunter?

Code:

cat /var/log/rkhunter.log | pastebin

and give back the short url?

Thank you.
All things will be more clear after the weekend and we are almost there...!!!

Stuff I have left to 'do' after the weekend:

rkhunter
  • Examine /var/log/rkhunter.log
  • Verify Warnings there.
  • Update /etc/rkhunter.conf
  • Update propupd after
  • Re-scan with rkhunter
  • Goal is "No warnings were found while checking the system."
  • Upgrade rkhunter to 1.4.3
  • Rinse.
  • Lather.
  • Repeat.
Fix gufw for untrusted WiFi.
  • re-install with purge gufw
  • Pray it works.
Outa here.
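Added example, not code from the thread: a POSIX shell triage of the rkhunter log along the lines of Habitual's advice above. It counts the Warning: lines, lists the files whose properties changed (the ones to verify against the package database, e.g. dpkg -V or debsums, which are assumed to be available on a Debian-based host), and only reports --propupd as safe when no warnings remain. The log lines are constructed to mimic rkhunter's format, not a real capture.

```shell
#!/bin/sh
# Triage /var/log/rkhunter.log before deciding whether `rkhunter --propupd`
# is safe. propupd records the current file properties as the trusted
# baseline, so every Warning should be explained first.
# The log below is constructed to mimic rkhunter's line style (not a real capture).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[18:02:11] Info: Starting test name 'properties'
[18:02:12] Warning: The file properties have changed:
[18:02:12]          File: /usr/bin/ldd
[18:02:12]          Current hash: 0000constructed0000
[18:02:13] Warning: The file properties have changed:
[18:02:13]          File: /bin/which
[18:02:14] Warning: Hidden directory found: /etc/.java
[18:02:15] Info: Check of the system completed
EOF

# Number of Warning lines in the log ("0" is printed when there are none).
rkh_warning_count() {
    grep -c 'Warning:' "$1" || true
}

# Paths whose properties changed, one per line, taken from the "File:" line
# that follows each properties warning. These are the files to verify against
# the package manager (dpkg -V, debsums) before trusting them with --propupd.
rkh_changed_files() {
    awk '/Warning: The file properties have changed/ { want = 1; next }
         want && /File: / { sub(/.*File: /, ""); print; want = 0 }' "$1"
}

# Succeeds only when the log carries no warnings at all, i.e. the one state
# in which running --propupd does not risk baselining an unexplained change.
rkh_propupd_ok() {
    [ "$(rkh_warning_count "$1")" -eq 0 ]
}

# Stand-alone usage: summarise the constructed log.
echo "warnings: $(rkh_warning_count "$SAMPLE_LOG")"
rkh_changed_files "$SAMPLE_LOG"
rkh_propupd_ok "$SAMPLE_LOG" && echo "ok to propupd" || echo "review warnings first"
```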
Fred Barclay
Level 12
Posts: 4185
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: 3 Open Ports

Post by Fred Barclay »

Habitual wrote: No worries some folks say!!!
Yeah, I might have said that once or twice myself. 'Course, it usually has a "mate" on the end. :lol:

Sounds good to me. I really appreciate your help. :D
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
Habitual

Re: 3 Open Ports

Post by Habitual »

  • Upgrade rkhunter to 1.4.3

Code:

cd /usr/src/
wget "http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/?view=tar"
mv index.html\?view\=tar rkhunter.tar.gz
tar zxf rkhunter.tar.gz
mv rkhunter rkhunter-1-4-3
cd  rkhunter-1-4-3
./installer.sh --install
rkhunter --update
Stop here.
Have you recently posted the /var/log/rkhunter.log file?
I guess they have a shelf-life?
http://paste.linuxmint.com/view/kj2z says "bugger off" :)

Next step is
edit rkhunter.conf...
Fred Barclay

Re: 3 Open Ports

Post by Fred Barclay »

Habitual wrote: Stop here.
Have you recently posted the /var/log/rkhunter.log file?
I guess they have a shelf-life?
http://paste.linuxmint.com/view/kj2z says "bugger off" :)
Apparently so. :( I used the "|pastebin" pipe (I have an account but I didn't want to go through the trouble of logging in when this was so much simpler.) Oops! I know better now.

While the current log file says that rkhunter is version 1.4.3 (after following your instructions), rkhunter --version reports 1.4.2. Should I have purged the old version first?
Habitual

Re: 3 Open Ports

Post by Habitual »

Yeah, the | pastebin is a clever time-saver.
You can still remove 1.4.2 AFTER >

Code:

cat /var/log/rkhunter.log | pastebin
using the method you used to install 1.4.2.
Fred Barclay

Re: 3 Open Ports

Post by Fred Barclay »

Done! rkhunter --version now shows 1.4.3. :)
Habitual

Re: 3 Open Ports

Post by Habitual »

Groovy.
Where's the rest?
Fred Barclay

Re: 3 Open Ports

Post by Fred Barclay »

Sorry--what do you need? The current rkhunter log only has the info of my setting it up. I do have one old log that I believe is the same as the one I pastebined--is that the one you want?
Habitual

Re: 3 Open Ports

Post by Habitual »

Fred:
Please run

Code:

rkhunter --update && rkhunter -c -sk -l /root/rkmanual.log && cat /root/rkmanual.log | pastebin
and paste back the link.
Fred Barclay

Re: 3 Open Ports

Post by Fred Barclay »

Should I run

Code:

sudo rkhunter --propupd
first?
Habitual

Re: 3 Open Ports

Post by Habitual »

Fred Barclay wrote: Should I run

Code:

sudo rkhunter --propupd
first?
NO!
That tells rkhunter that everything on the system is "good".
When we are not sure that it is.
Fred Barclay

Re: 3 Open Ports

Post by Fred Barclay »

Right. Glad I asked. :lol:

You're probably not going to like this, but anyway

Code:

aussie! fred # rkhunter --update && rkhunter -c -sk  -l /root/rkmanual.log && cat /root/rkmanual.log | pastebin
Unable to find configuration file: /usr/local/etc/rkhunter.conf
If I need to I can copy over a conf file from another machine (Arch) and use that--it's unedited, so it should be the same.
Thanks a lot, Habitual!
Habitual

Re: 3 Open Ports

Post by Habitual »

How about we look for one on your drive first? ;)

Code:

sudo find / -name rkhunter.conf -type f
show me this result please.

Also

Code:

grep ^PermitRootLogin /etc/ssh/sshd_config
does that say "no"?

Also is the arch version the same (1.4.3) and its rkhunter.conf in /etc?
Fred Barclay

Re: 3 Open Ports

Post by Fred Barclay »

Give me a moment to stop and feel stupid... Okay, done. :D

Code:

fred@aussie! ~ $ sudo find / -name rkhunter.conf -type f
/usr/src/rkhunter-1-4-3/files/rkhunter.conf
fred@aussie! ~ $ grep ^PermitRootLogin /etc/ssh/sshd_config
grep: /etc/ssh/sshd_config: No such file or directory

Code:

fred@aussie! ~ $ ls /etc/ssh
moduli  ssh_config
Rkhunter in Arch is 1.4.2.
The log for rkhunter indicates that there is a separate config file for version 1.4.3--I suppose since 1.4.2 was still installed at the time. It's under rkhunter.conf.datecode. Do you think I should rename it to rkhunter.conf? (The old config file would have been removed when I used apt-get with the --purge flag to uninstall rkhunter 1.4.2. I'm telling you--today is not my best day!)
Habitual

Re: 3 Open Ports

Post by Habitual »

Let's end this: ;)

Code:

vi /usr/local/etc/rkhunter.conf
and add

Code:

LOGFILE=/var/log/rkhunter.log
AUTO_X_DETECT=1
ALLOW_SSH_ROOT_USER=no
ENABLE_TESTS=ALL
DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
INSTALLDIR=/usr/local
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/local/lib/rkhunter/scripts
TMPDIR=/var/lib/rkhunter/tmp
USER_FILEPROP_FILES_DIRS=/usr/local/etc/rkhunter.conf

ALLOWHIDDENFILE=/dev/.initramfs
ALLOWHIDDENFILE=/dev/.blkid.tab
ALLOWHIDDENFILE=/dev/.blkid.tab.old
ALLOWHIDDENDIR=/etc/.java
ALLOWDEVFILE=/dev/.udev/rules.d/root.rules
ALLOWDEVFILE=/dev/.blkid.tab
ALLOWHIDDENDIR=/dev/.udev
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/bin/which
SCRIPTWHITELIST=/usr/local/etc/rkhunter.conf
APP_WHITELIST="openssl:1.0.1f gpg:1.4.11 sshd:5.9p1"
then run

Code:

rkhunter --checkconfig
if that doesn't barf, issue

Code:

rkhunter --propupd
then

Code:

rkhunter -c -sk
then
have a gander at /var/log/rkhunter.log.

One or 2 little things and this will be done. Done. DONE!
Fred Barclay

Re: 3 Open Ports

Post by Fred Barclay »

Habitual wrote: Let's end this: ;)

One or 2 little things and this will be done. Done. DONE!
Oh, Habitual. Did you really think it would be this easy? ;)

Code:

aussie! fred # rkhunter --checkconfig
Invalid TMPDIR configuration option: Non-existent pathname: /var/lib/rkhunter/tmp
Invalid DBDIR configuration option: Non-existent pathname: /var/lib/rkhunter/db
The internationalisation directory does not exist: /var/lib/rkhunter/db/i18n
You were aware that /usr/local/etc/rkhunter.conf was empty, right?
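Added example, not code from the thread: a shell pre-check that reads the directory keys from an rkhunter.conf (the key names are those in Habitual's fragment) and reports, then creates, any that do not exist, which is the condition behind the "Non-existent pathname" complaints from rkhunter --checkconfig above. The conf and the directory tree it points at are constructed in a temp directory for the demo.

```shell
#!/bin/sh
# Pre-check the directory settings in an rkhunter.conf the way
# `rkhunter --checkconfig` does ("Non-existent pathname"), so a missing
# DBDIR/TMPDIR can be created before the first --propupd.
# The conf below is constructed for the demo and points at a temp tree.
WORK=$(mktemp -d)
mkdir -p "$WORK/db"                       # DBDIR exists, SCRIPTDIR/TMPDIR do not
SAMPLE_CONF="$WORK/rkhunter.conf"
cat > "$SAMPLE_CONF" <<EOF
LOGFILE=$WORK/rkhunter.log
INSTALLDIR=$WORK
DBDIR=$WORK/db
SCRIPTDIR=$WORK/lib/rkhunter/scripts
TMPDIR=$WORK/tmp
EOF

# Read one KEY=value from the conf; the last assignment wins.
rkh_conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print "KEY=path" for every directory key whose path is unset or absent.
# Returns 0 when all four directories exist, 1 otherwise.
rkh_missing_dirs() {
    conf=$1
    rc=0
    for key in INSTALLDIR DBDIR SCRIPTDIR TMPDIR; do
        dir=$(rkh_conf_get "$conf" "$key")
        if [ -z "$dir" ] || [ ! -d "$dir" ]; then
            echo "$key=$dir"
            rc=1
        fi
    done
    return $rc
}

# Create the missing directories owner-only: the db and tmp trees hold the
# property baseline, which should not be writable by other users.
rkh_create_missing_dirs() {
    rkh_missing_dirs "$1" | while IFS='=' read -r key dir; do
        [ -n "$dir" ] && mkdir -p -m 0700 "$dir"
    done
    rkh_missing_dirs "$1" >/dev/null
}

# Stand-alone usage: report, fix, report again.
rkh_missing_dirs "$SAMPLE_CONF" || echo "fixing..."
rkh_create_missing_dirs "$SAMPLE_CONF" && echo "all directories present"
```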
Habitual

Re: 3 Open Ports

Post by Habitual »

Fred Barclay wrote:
Habitual wrote: Let's end this: ;)

One or 2 little things and this will be done. Done. DONE!
Oh, Habitual. Did you really think it would be this easy? ;)

Code:

aussie! fred # rkhunter --checkconfig
Invalid TMPDIR configuration option: Non-existent pathname: /var/lib/rkhunter/tmp
Invalid DBDIR configuration option: Non-existent pathname: /var/lib/rkhunter/db
The internationalisation directory does not exist: /var/lib/rkhunter/db/i18n
You were aware that /usr/local/etc/rkhunter.conf was empty, right?
Yes, I know. rkhunter told me so. :idea:
Are you certain you ran this? >

Code:

./installer.sh --install
as in

Code:

cd /usr/src/
wget http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/?view=tar
mv index.html\?view\=tar rkhunter.tar.gz
tar zxf rkhunter.tar.gz
mv rkhunter rkhunter-1-4-3
cd  rkhunter-1-4-3
./installer.sh --install
I might have to spin up a Virtualbox to kick this thing to the curb.
Exact Mint version/flavor/spin/release please.
Fred Barclay

Re: 3 Open Ports

Post by Fred Barclay »

I'm absolutely positive, and

Code:

fred@aussie! ~ $ sudo rkhunter --version
[sudo] password for fred: 
Rootkit Hunter 1.4.3
says so too. :lol:

This is Betsy 64-bit Cinnamon. She's a clean install--I did not upgrade from LMDE 201403.

Code:

fred@aussie! ~ $ inxi -Fxz
System:    Host: aussie! Kernel: 4.2-3.dmz.1-liquorix-amd64 x86_64 (64 bit gcc: 4.9.3) 
           Desktop: Cinnamon 2.6.13 (Gtk 2.24.25) Distro: LinuxMint 2 betsy 
Machine:   System: Gateway product: T-1625 v: 90.02
           Mobo: GATEWAY model: N/A v: Rev1.90.02 Bios: Gateway v: 90.02 date: 08/02/2007
CPU:       Dual core AMD Turion 64 X2 Mobile TL-60 (-MCP-) cache: 1024 KB
           flags: (lm nx sse sse2 sse3 svm) bmips: 8000 
           Clock Speeds: 1: 2000 MHz 2: 2000 MHz
Graphics:  Card: Advanced Micro Devices [AMD/ATI] RS690M [Radeon Xpress 1200/1250/1270] bus-ID: 01:05.0
           Display Server: X.Org 1.16.4 drivers: ati,radeon (unloaded: fbdev,vesa) Resolution: 1280x800@60.00hz
           GLX Renderer: Gallium 0.4 on ATI RS690 GLX Version: 2.1 Mesa 10.3.2 Direct Rendering: Yes
Audio:     Card-1 Advanced Micro Devices [AMD/ATI] RS690 HDMI Audio [Radeon Xpress 1200 Series] 
           driver: snd_hda_intel bus-ID: 01:05.2 
           Card-2 Advanced Micro Devices [AMD/ATI] SBx00 Azalia (Intel HDA) driver: snd_hda_intel bus-ID: 00:14.2 
           Sound: Advanced Linux Sound Architecture v: k4.2-3.dmz.1-liquorix-amd64
Network:   Card-1: Realtek RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller
           driver: r8169 v: 2.3LK-NAPI port: a000 bus-ID: 08:00.0
           IF: eth0 state: down mac: <filter>
           Card-2: Realtek RTL8187B Wireless 802.11g 54Mbps Network Adapter usb-ID: 001-003
           IF: N/A state: N/A mac: N/A
Drives:    HDD Total Size: 250.1GB (15.2% used) ID-1: /dev/sda model: Hitachi_HTS54252 size: 250.1GB temp: 31C
Partition: ID-1: / size: 133G used: 31G (25%) fs: ext4 dev: /dev/sda1 
           ID-2: swap-1 size: 5.24GB used: 0.00GB (0%) fs: swap dev: /dev/sda3 
Sensors:   System Temperatures: cpu: 55.0C mobo: N/A 
           Fan Speeds (in rpm): cpu: N/A 
Info:      Processes: 203 Uptime: 8:21 Memory: 1899.9/2570.1MB Init: SysVinit runlevel: 2 Gcc sys: 4.9.2 
           Client: Shell (bash 4.3.301) inxi: 2.1.28 
Habitual

Re: 3 Open Ports

Post by Habitual »

Downloading http://tor-relay.cs.usu.edu/mirrors/lin ... -64bit.iso
Take a break. I am. Even good techies have to eat.
Last edited by Habitual on Mon Oct 19, 2015 6:29 pm, edited 1 time in total.
Fred Barclay

Re: 3 Open Ports

Post by Fred Barclay »

No worries, mate. I really appreciate your help, but please don't feel pressured! Take as much time as you need/want.

I'm going to follow your original instructions on my Arch build (removing the current rkhunter first) and see what happens.