This question seems to be related to, but different from,
http://forums.contribs.org/index.php?topic=39594.0

Update: I see that the "suspicious content" messages are related to
http://forums.contribs.org/index.php?topic=39569.0 which has been documented in bug
http://bugs.contribs.org/show_bug.cgi?id=3713. However, there are still the "listening on the network" messages and the "possible promiscuous interfaces" messages (not to mention the "spamassassin not a valid service name" message at the bottom). It is possible that these are a result of the no longer installed openvpn-bridge. If so, the question is how do I adjust things so the issues identified are no longer there??

Since updating to 7.3 a couple of days ago I started getting rkhunter messages like the following:
/etc/cron.daily/01-rkhunter:
Warning: File '/tmp/sess_4dba2127f26bcef153757cc92f73a279' (score: 275) contains some suspicious content and should be checked.
Warning: File '/tmp/sess_6e32a4eb8526d7fe00612e38e0804e5b' (score: 286) contains some suspicious content and should be checked.
Warning: File '/tmp/sess_0978a97955a3e97a7a003ce340a25a5f' (score: 221) contains some suspicious content and should be checked.
Warning: File '/tmp/sess_0ed7344f6235e041f14ba31e6d8f4811' (score: 221) contains some suspicious content and should be checked.
Warning: File '/tmp/sess_e17757b193fdb17c4f5294ef5addc750' (score: 221) contains some suspicious content and should be checked.
Warning: Possible promiscuous interfaces:
'ifconfig' command output: UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
'ip' command output: eth0
Warning: Process '/sbin/pppoe' (PID 4022) is listening on the network.
Warning: Process '/sbin/pppoe' (PID 4022) is listening on the network.
Warning: Process '/usr/libexec/mysqld' (PID 5255) is listening on the network.
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: SSH protocol v1 has been enabled in the SSH configuration file (/etc/ssh/sshd_config).
Warning: Suspicious file types found in /dev:
/dev/shm/suspscan.30632.strings: ASCII text
/dev/shm/suspscan.2906.strings: ASCII text, with very long lines
/dev/shm/suspscan.7147.strings: ASCII text
/dev/shm/suspscan.9341.strings: ASCII text
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
/etc/cron.daily/sa_update:
'spamassassin' is not a valid service name
Prior to the 7.3 upgrade, I attributed the rkhunter messages to the fact that I had openvpn active and that I allowed local SSH access. This is what I used to get.
/etc/cron.daily/01-rkhunter:
Scanning for promiscuous interfaces... [ Warning! ]
Warning! Found promiscuous interface. Please check the logfile.
Checking for allowed root login... Watch out Root login possible. Possible risk!
Checking for allowed protocols... [ Warning ]
-----------------------------------------------------------------
Found warnings:
[04:02:41] Checking network interfaces (promiscuous mode)... [ WARNING ]
[04:03:15] Warning: root login possible. Change for your safety the 'PermitRootLogin'
-----------------------------------------------------------------
I had smeserver-openvpn-bridge installed but no longer need it, so I removed the package hoping it would resolve these issues. But no luck.
Could anyone suggest what the issues are and how to deal with them?
Thanks.
John