[opensuse] RKHunter reports possible infection
Hi all,

On my new reinstall of openSuse10.2, I installed rkhunter 1.28 and updated thru the command line. When I run it in command line, it reports no errors. But when it runs its daily run, it reports the following 2 errors in root email....

---------- Please inspect this machine, because it can be infected ------------
----------- running daily cronjob scripts
SCRIPT: suse.de-rkhunter exited with RETURNCODE = 1.
SCRIPT: output (stdout && stderr) follows
Line: Watch out Root login possible. Possible risk!
Some errors has been found while checking. Please perform a manual check on this machine ziggy
SCRIPT: suse.de-rkhunter ------- END OF OUTPUT
SCRIPT: output (stdout && stderr) follows
Laying out /etc/preload.d/Firefox
Laying out /etc/preload.d/Gimp
Laying out /etc/preload.d/Khelpcenter
Laying out /etc/preload.d/Mozilla
Laying out /etc/preload.d/OpenOffice
Laying out /etc/preload.d/boot
Laying out /etc/preload.d/cups
Laying out /etc/preload.d/gdm
Laying out /etc/preload.d/kde
Laying out /etc/preload.d/kde.early
Laying out /etc/preload.d/kdm
Laying out /etc/preload.d/kdm.auto
Laying out /etc/preload.d/later
SCRIPT: suse.de-update-preload ------- END OF OUTPUT
--------------------

Can anyone interpret this for me. I'm at a loss here. I do not get any errors or bad reports when I run rkhunter in command line. But these emails keep coming once a day.

TIA,
Jim F
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Monday 28 May 2007 12:17, Jim Flanagan wrote:
Hi all,
On my new reinstall of openSuse10.2, I installed rkhunter 1.28 and updated thru the command line.
When I run it in command line, it reports no errors. But when it runs its daily run, it reports the following 2 errors in root email....
---------- Please inspect this machine, because it can be infected ------------
----------- running daily cronjob scripts
SCRIPT: suse.de-rkhunter exited with RETURNCODE = 1.
SCRIPT: output (stdout && stderr) follows
Line: Watch out Root login possible. Possible risk!
Some errors has been found while checking. Please perform a manual check on this machine ziggy
SCRIPT: suse.de-rkhunter ------- END OF OUTPUT
SCRIPT: output (stdout && stderr) follows
Laying out /etc/preload.d/Firefox
Laying out /etc/preload.d/Gimp
Laying out /etc/preload.d/Khelpcenter
Laying out /etc/preload.d/Mozilla
Laying out /etc/preload.d/OpenOffice
Laying out /etc/preload.d/boot
Laying out /etc/preload.d/cups
Laying out /etc/preload.d/gdm
Laying out /etc/preload.d/kde
Laying out /etc/preload.d/kde.early
Laying out /etc/preload.d/kdm
Laying out /etc/preload.d/kdm.auto
Laying out /etc/preload.d/later
SCRIPT: suse.de-update-preload ------- END OF OUTPUT
--------------------
Can anyone interpret this for me. I'm at a loss here. I do not get any errors or bad reports when I run rkhunter in command line. But these emails keep coming once a day.
Hi Jim, I once used rkhunter too, and I don't see any error in your email.
Line: Watch out Root login possible. Possible risk! It means that your ssh still allows root to login. For better security, we need to disable root login in ssh, by editing /etc/ssh/sshd_config, PermitRootLogin no.
Some errors has been found while checking. Please perform a manual check on this machine ziggy
This one I don't know.
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
2:31pm up 2:27, 2.6.18.2-34-default GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
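The "Root login possible" line in the cron report refers to the PermitRootLogin setting Fajar mentions. As an added example (not code from this thread and not rkhunter's own check), here is a small POSIX shell script that reads the effective global value of an sshd_config keyword the way sshd itself resolves it and classifies the root-login setting. The function names, the classification messages and the sample config it writes to a temporary file are assumptions made for the demonstration; the parsing rules (first value wins, case-insensitive keywords, Key=Value accepted, Match blocks are conditional) are OpenSSH's documented behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): read the effective global value of an
# sshd_config keyword, which is what the "Root login possible" warning is about.
# sshd keeps the FIRST value it sees for a keyword (later duplicates are
# ignored), keyword names are case-insensitive, "Key=Value" is accepted, and
# everything after a "Match" line is conditional, so parsing stops there.
#
# Usage: sshd_effective_value /etc/ssh/sshd_config PermitRootLogin
sshd_effective_value() {
    cfg="$1"
    key="$2"
    awk -v key="$key" '
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, allow Key=Value
        /^[ \t]*$/ { next }                     # skip blank lines
        tolower($1) == "match" { exit }         # conditional section: stop
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$cfg"
}

# Classify the root-login setting. An absent keyword means sshd falls back to
# its built-in default, which was "yes" in the OpenSSH releases of the
# openSUSE 10.2 era and "prohibit-password" from OpenSSH 7.0 on, so the
# keyword is best set explicitly.
root_login_status() {
    v=$(sshd_effective_value "$1" PermitRootLogin)
    case "$v" in
        no)                                  echo "root login disabled" ;;
        without-password|prohibit-password)  echo "root login key-only" ;;
        forced-commands-only)                echo "root login forced-commands-only" ;;
        yes)                                 echo "root login possible" ;;
        "")                                  echo "root login possible (keyword absent, sshd default applies)" ;;
        *)                                   echo "unknown value: $v" ;;
    esac
}

# Demonstration on a constructed config file, not a real host's sshd_config;
# point it at /etc/ssh/sshd_config on the machine being checked instead.
demo=$(mktemp)
printf '%s\n' '# hardened example' 'PermitRootLogin no' 'PasswordAuthentication no' > "$demo"
root_login_status "$demo"
sshd_effective_value "$demo" PasswordAuthentication
rm -f "$demo"
```

The same function serves for PasswordAuthentication, which is the setting behind the later "keys only" posts in this thread; run it against the live file as root, since sshd_config is often not world-readable.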
On Sunday 27 May 2007, Fajar Priyanto wrote:
For better security, we need to disable root login in ssh, by editing /etc/ssh/sshd_config, PermitRootLogin no.
Or not. I don't think that is a universally accepted setup. The only risk to root ssh logins is based on ancient flaws and timing attacks in long obsolete versions of ssh.
--
_____________________________________
John Andersen
John Andersen wrote:
I don't think that is a universally accepted setup. The only risk to root ssh logins is based on ancient flaws and timing attacks in long obsolete versions of ssh.
It has another reason - no one can do a successful dictionary attack on the root account when it's not allowed to log in as root. You can try to rule out this possibility by using a strong password, but it might be wiser to restrict root login to trusted IPs or deny it completely (while using a strong root password of course).

Tosuja
--
Petr "Tosuja" Klíma
Mail: tosuja@tosuja.info
Web: www.tosuja.info
ICQ: 52057532
Petr Klíma wrote:
John Andersen wrote:
I don't think that is a universally accepted setup. The only risk to root ssh logins is based on ancient flaws and timing attacks in long obsolete versions of ssh.
It has another reason - no one can do a successful dictionary attack on the root account when it's not allowed to log in as root. You can try to rule out this possibility by using a strong password, but it might be wiser to restrict root login to trusted IPs or deny it completely (while using a strong root password of course).
Tosuja
If for any reason you need to allow plaintext passwords (e.g. the Symbian version of PuTTY only handles plaintext passwords) then this is a very good idea.
On Monday 28 May 2007, G T Smith wrote:
Petr Klíma wrote:
John Andersen wrote:
I don't think that is a universally accepted setup. The only risk to root ssh logins is based on ancient flaws and timing attacks in long obsolete versions of ssh.
It has another reason - no one can do a successful dictionary attack on the root account when it's not allowed to log in as root. You can try to rule out this possibility by using a strong password, but it might be wiser to restrict root login to trusted IPs or deny it completely (while using a strong root password of course).
Tosuja
If for any reason you need to allow plaintext passwords (e.g. the Symbian version of PuTTY only handles plaintext passwords) then this is a very good idea.
When using ssh, there is no case where plain text passwords are sent over the network. Everything is encrypted.
--
_____________________________________
John Andersen
Petr Klíma wrote:
John Andersen wrote:
I don't think that is a universally accepted setup. The only risk to root ssh logins is based on ancient flaws and timing attacks in long obsolete versions of ssh.
It has another reason - no one can do a successful dictionary attack on the root account when it's not allowed to log in as root. You can try to rule out this possibility by using a strong password, but it might be wiser to restrict root login to trusted IPs or deny it completely (while using a strong root password of course).
Tosuja
There's nothing to stop someone from logging in as a user and then su to root. My firewall is configured to allow only RSA key SSH access. There is no password to guess.
--
Use OpenOffice.org http://www.openoffice.org
James Knott wrote:
Petr Klíma wrote:
John Andersen wrote:
I don't think that is a universally accepted setup. The only risk to root ssh logins is based on ancient flaws and timing attacks in long obsolete versions of ssh.
It has another reason - no one can do a successful dictionary attack on the root account when it's not allowed to log in as root. You can try to rule out this possibility by using a strong password, but it might be wiser to restrict root login to trusted IPs or deny it completely (while using a strong root password of course).
Tosuja
There's nothing to stop someone from logging in as a user and then su to root. My firewall is configured to allow only RSA key SSH access. There is no password to guess.
I keep my firewall closed to SSH. Have been meaning to set up SSH to work only with keys, but have not gotten around to that.

Regarding RKHunter, on previous installs (and when I run it in cl) it gives a much larger and detailed report. However the lines I posted earlier are the ONLY thing it spits out to daily email. This does not look right to me. Two different emails, one that says "Please inspect this machine, because it can be infected", and the other with those 2 dozen or so lines. This is much less than what it should be reporting. I'm running rkh 1.28 on another install (suse 10.0) and it reports much more, like the cl does. I don't understand the difference between the two.

Jim F
On Monday 28 May 2007, Petr Klíma wrote:
John Andersen wrote:
I don't think that is a universally accepted setup. The only risk to root ssh logins is based on ancient flaws and timing attacks in long obsolete versions of ssh.
It has another reason - no one can do a successful dictionary attack on the root account when it's not allowed to log in as root.
With a properly configured firewall, dictionary attacks are pretty much a non-issue. My firewalls rate limit ssh connection attempts, which pretty much stops dictionary attacks in their tracks. Further, even rudimentary mixing of numbers and letters and upper/lower case will foil dictionary attacks. Even if you were silly enough to use your first name as a password, even one upper case letter in an odd place (peTr) would foil all such attacks I have ever seen.

You can also use the authorized keys method (disabling plain text), requiring everyone to have a 1024 or 2048 bit sized key file on every machine they want to log in from. That's big enough that it forces people to keep the key file lying around on their hard disk, which is less than ideal.

I still think no convincing case for limiting root ssh logins has come forward.
--
_____________________________________
John Andersen
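The dictionary attacks discussed in this exchange leave an unmistakable trace in sshd's log, whichever of the controls above (firewall rate limiting, key-only authentication, PermitRootLogin no) a site settles on. As an added example (not code from this thread), here is a POSIX shell function that counts "Failed password" lines per source address and reports sources at or above a threshold. The function names, the threshold and the sample log lines are constructed for the demonstration; the message format is OpenSSH's.

```shell
#!/bin/sh
# Added example (not from the thread): count failed ssh password attempts per
# source address in auth-log lines and report sources at or above a threshold.
# A burst of failures against root (or against users that do not exist) from
# one address is the log-side signature of a dictionary attack; firewall rate
# limiting and key-only authentication are the controls that stop it.
#
# Usage: failed_ssh_logins THRESHOLD < /var/log/messages   (SUSE)
#        failed_ssh_logins THRESHOLD < /var/log/auth.log   (Debian-style)
# Output: one line per source, "<failures> <address> <comma-separated users>",
# highest count first.
failed_ssh_logins() {
    threshold="${1:-5}"
    awk -v threshold="$threshold" '
        # sshd logs "Failed password for root from A.B.C.D port N ssh2" and,
        # for unknown accounts, "Failed password for invalid user NAME from ...".
        /sshd\[[0-9]+\]: Failed password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (ip == "") next
            count[ip]++
            if (!seen[ip, user]++) users[ip] = users[ip] user ","
        }
        END {
            for (ip in count)
                if (count[ip] >= threshold)
                    printf "%d %s %s\n", count[ip], ip, substr(users[ip], 1, length(users[ip]) - 1)
        }
    ' | sort -rn
}

# Constructed sample log lines for the demonstration (hostname and timestamps
# echo the thread; the addresses are from documentation ranges).
sample_log() {
    cat <<'EOF'
May 28 12:17:01 ziggy sshd[4101]: Failed password for root from 192.0.2.10 port 40123 ssh2
May 28 12:17:03 ziggy sshd[4103]: Failed password for root from 192.0.2.10 port 40125 ssh2
May 28 12:17:05 ziggy sshd[4105]: Failed password for invalid user admin from 192.0.2.10 port 40127 ssh2
May 28 12:17:07 ziggy sshd[4107]: Failed password for root from 192.0.2.10 port 40129 ssh2
May 28 12:17:09 ziggy sshd[4109]: Failed password for invalid user test from 192.0.2.10 port 40131 ssh2
May 28 12:20:44 ziggy sshd[4210]: Failed password for jim from 198.51.100.7 port 51002 ssh2
May 28 12:20:51 ziggy sshd[4212]: Accepted publickey for jim from 198.51.100.7 port 51003 ssh2
EOF
}

# Five failures from 192.0.2.10 across root and two non-existent users trip a
# threshold of 3; the single mistyped password by jim from 198.51.100.7 does not.
sample_log | failed_ssh_logins 3
```

The threshold is a site decision: a handful of failures from a colleague's address is noise, while dozens against root and invented account names from one address is exactly what John's rate limiting is meant to cut short, and the per-address counts are the input a firewall or log-watching rule would act on.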
With a properly configured firewall, dictionary attacks are pretty much a non-issue. My firewalls rate limit ssh connection attempts which pretty much stops dictionary attacks in their tracks. .... I still think no convincing case for limiting root ssh logins has come foreward.
I agree with what you said. The only reason why I disable ssh root access is to force myself (and other colleagues) to get used to logging in with their normal user and su (if they have the root password) only when they really need it: when remote root ssh was allowed, some people always logged in as root, thinking for instance that compiling software required being root when actually only the installation really requires it. Just to make them more "security-aware".

Best regards,
Gael
participants (7)
- Fajar Priyanto
- G T Smith
- Gaël Lams
- James Knott
- Jim Flanagan
- John Andersen
- Petr Klíma