I checked my system with rkhunter

I didn’t find any other section to post this, so here I am…
I just checked my system with rkhunter and it reminded me of a couple of possibilities of rootkits and other warnings.
What do I have to do now? I mean, what do I have to check and/or how do I find/remove them?

Thanks in advance.

It would be good to post what and which for people to review them.

Also, they might be false positives:

:eye: https://wiki.archlinux.org/title/Rkhunter#False_positives

1 Like

A warning was returned for the ssh check for root access allowing, and another for the check of the ssh protocol v1 allowing.
Then, another warning was returned for the check for hidden files and directories, and another one after checking for suspicious (large) shared memory segments (for this last one, could it mean RAM? I added more modules a couple of days ago…)

Personally, I am not familiar with the specifics of rkhunter.
I would however look at /var/log/rkhunter.log and search the www for those warnings while waiting for other members to chime in.

Is posting the log here safe?

What do you suggest to use?

It should be.
There doesn’t seem to be any personally identifiable information in there.

I haven’t been using any such things for a very long time. I’m afraid I have no suggestions as to what to use. Hopefully other users with more insight into such pieces of software will give you some suggestions.

In the server device, you should try doing this and see if it fixes “ssh check for root access allowing”.
In the server, edit
/etc/ssh/sshd_config
uncomment the PermitRootLogin line and change it to no so that it looks like this.

PermitRootLogin no

As for the enabled ssh V1, in the same config file for your server device, there may be a line as

Protocol 1,2

I believe that at one time when protocol 2 was introduced, this line existed. But I haven’t seen this for a long time.

I checked my server and my /etc/ssh/sshd_config file does not have this line. If you find this line in your config file, either comment it out or change it to

Protocol 2

Pudge
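To check the two settings from the post above without editing anything by hand, here is an added example (not Pudge's script and not part of rkhunter) that reads a copy of sshd_config, reports the effective PermitRootLogin and Protocol values, and returns non-zero when either is still in the state rkhunter warns about. The file path is a parameter, so the demo runs on two constructed sample files rather than the live /etc/ssh/sshd_config; it assumes a flat config file and does not interpret Match blocks.

```shell
#!/bin/sh
# Added example, not from the thread: audit a copy of sshd_config for the two
# settings rkhunter flagged (PermitRootLogin and Protocol). The file path is a
# parameter, so the demo below runs on constructed samples, never on the live
# /etc/ssh/sshd_config. Assumption: a flat config; keywords inside a Match
# block apply only conditionally and are not handled here.

sshd_config_value() {
    # Print the value of keyword $1 in file $2. sshd uses the first
    # uncommented occurrence of a keyword, so stop at the first match.
    # Prints nothing when the keyword is not set (compiled-in default applies).
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

audit_sshd_config() {
    # Print one line per check; return 0 only when both settings are hardened.
    file="$1"
    rc=0

    root=$(sshd_config_value PermitRootLogin "$file")
    case "$root" in
        no)  echo "OK   PermitRootLogin no" ;;
        "")  echo "WARN PermitRootLogin not set (OpenSSH 7.0+ defaults to prohibit-password); set it to no explicitly"
             rc=1 ;;
        *)   echo "WARN PermitRootLogin $root; change it to no"
             rc=1 ;;
    esac

    proto=$(sshd_config_value Protocol "$file")
    case "$proto" in
        *1*) echo "WARN Protocol $proto enables SSH-1; change it to Protocol 2 or remove the line"
             rc=1 ;;
        "")  echo "OK   Protocol not set (current OpenSSH servers no longer support SSH-1)" ;;
        *)   echo "OK   Protocol $proto" ;;
    esac
    return $rc
}

write_weak_sample() {
    # Constructed sample reproducing the two warnings from the thread.
    cat > "$1" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
Protocol 1,2
PasswordAuthentication yes
EOF
}

write_hardened_sample() {
    # Constructed sample after applying the changes suggested in the post.
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin no
Protocol 2
EOF
}

# Demo: audit both constructed samples in temporary files.
for kind in weak hardened; do
    tmp=$(mktemp)
    "write_${kind}_sample" "$tmp"
    echo "== $kind sample =="
    audit_sshd_config "$tmp"
    rm -f "$tmp"
done
```

To run it against a real host, copy the config first (for example `audit_sshd_config /path/to/sshd_config.copy`) and remember that sshd honours the first occurrence of a keyword, which is why the lookup stops at the first uncommented match; the shipped sshd_config usually carries a commented `#PermitRootLogin prohibit-password` line that must not be mistaken for an active setting.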

rkhunter seems to be old. The latest release seems to be from February 2018. See http://rkhunter.sourceforge.net/

Perhaps lynis is better.

2 Likes

I didn’t know lynis, and it is certainly far better than any other root detector.

Fortunately it provides a summary at the end, otherwise the (supposed) non-compliances and deficiencies would be intimidating. The problem with almost all security tools is that they are good at finding problems but bad at stating whether a problem actually matters or not.

In my case all it eventually got worried about was the system clock not being synchronised via ntp for over a day, and there only being one DNS server (mullvad only has one) :hot_face:

I have no server device

I already installed it. The audit shows me different problems in the kernel section about symlinks, IPv4 and stuff like that, but my ignorance suggests to me that it could be some ‘hack’ configuration from Arch. Could it be?

The output from tools like lynis and rkhunter is not always something that you need to fix. They provide insights and identify risks which need to be analyzed.

If you are running sshd on your PC, it is the “server”.

2 Likes