Koozali.org: home of the SME Server
		Obsolete Releases => SME Server 7.x => Topic started by: wjhobbs on January 06, 2008, 03:57:01 PM
		
			
			- 
				This question seems to be related to, but different from, http://forums.contribs.org/index.php?topic=39594.0
 
 Update: I see that the "suspicious content" messages are related to http://forums.contribs.org/index.php?topic=39569.0 which has been documented in bug http://bugs.contribs.org/show_bug.cgi?id=3713.  However, there are still the "listening on the network" messages and the "possible promiscuous interfaces" messages (not to mention the "spamassassin not a valid service name" message at the bottom). It is possible that these are a result of the no longer installed openvpn-bridge. If so, the question is how do I adjust things so the issues identified are no longer there?
 
 Since updating to 7.3 a couple of days ago I started getting rkhunter messages like the following:
 /etc/cron.daily/01-rkhunter:
 
 Warning: File '/tmp/sess_4dba2127f26bcef153757cc92f73a279' (score: 275) contains some suspicious content and should be checked.
 Warning: File '/tmp/sess_6e32a4eb8526d7fe00612e38e0804e5b' (score: 286) contains some suspicious content and should be checked.
 Warning: File '/tmp/sess_0978a97955a3e97a7a003ce340a25a5f' (score: 221) contains some suspicious content and should be checked.
 Warning: File '/tmp/sess_0ed7344f6235e041f14ba31e6d8f4811' (score: 221) contains some suspicious content and should be checked.
 Warning: File '/tmp/sess_e17757b193fdb17c4f5294ef5addc750' (score: 221) contains some suspicious content and should be checked.
 Warning: Possible promiscuous interfaces:
 'ifconfig' command output:           UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
 'ip' command output: eth0
 Warning: Process '/sbin/pppoe' (PID 4022) is listening on the network.
 Warning: Process '/sbin/pppoe' (PID 4022) is listening on the network.
 Warning: Process '/usr/libexec/mysqld' (PID 5255) is listening on the network.
 Warning: The SSH and rkhunter configuration options should be the same:
 SSH configuration option 'PermitRootLogin': yes
 Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
 Warning: SSH protocol v1 has been enabled in the SSH configuration file (/etc/ssh/sshd_config).
 Warning: Suspicious file types found in /dev:
 /dev/shm/suspscan.30632.strings: ASCII text
 /dev/shm/suspscan.2906.strings: ASCII text, with very long lines
 /dev/shm/suspscan.7147.strings: ASCII text
 /dev/shm/suspscan.9341.strings: ASCII text
 
 One or more warnings have been found while checking the system.
 Please check the log file (/var/log/rkhunter.log)
 /etc/cron.daily/sa_update:
 
 'spamassassin' is not a valid service name
 
 
 Prior to the 7.3 upgrade, I attributed the rkhunter messages to the fact that I had openvpn active and that I allowed local SSH access. This is what I used to get.
 
 /etc/cron.daily/01-rkhunter:
 
 Scanning for promiscuous interfaces...  [ Warning! ]
 Warning! Found promiscuous interface. Please check the logfile.
 Checking for allowed root login... Watch out Root login possible. Possible risk!
 Checking for allowed protocols...   [ Warning ]
 -----------------------------------------------------------------
 
 Found warnings:
 [04:02:41] Checking network interfaces (promiscuous mode)... [ WARNING ]
 [04:03:15] Warning: root login possible. Change for your safety the 'PermitRootLogin'
 
 -----------------------------------------------------------------
 
 
 I had smeserver-openvpn-bridge installed but no longer need it, so I removed the package hoping it would resolve these issues. But no luck.
 
 Could anyone suggest what the issues are and how to deal with them?
 
 Thanks.
 
 John
 
 
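The cron mail above mixes several different rkhunter checks into one wall of "Warning:" lines, and the useful first step is to sort them by check before deciding which ones matter. The script below is an added example (not SME Server or rkhunter code): it parses a constructed copy of the lines quoted in this post, de-duplicates the repeated "listening" lines, separates the /tmp/sess_* hits from any other flagged file, and attaches a defender's next step to each group. The EXPECTED_LISTENERS allow-list is an assumption about this particular box, not an rkhunter setting, and the treatment of /dev/shm/suspscan.*.strings as rkhunter's own temporary files assumes the default SUSPSCAN_TEMP location.

```python
"""Triage rkhunter cron output by check type (added example, not rkhunter's code)."""
import re
from collections import defaultdict
from pprint import pprint

# Constructed sample: a subset of the cron mail quoted in the thread.
SAMPLE_REPORT = """\
/etc/cron.daily/01-rkhunter:

Warning: File '/tmp/sess_4dba2127f26bcef153757cc92f73a279' (score: 275) contains some suspicious content and should be checked.
Warning: File '/tmp/sess_6e32a4eb8526d7fe00612e38e0804e5b' (score: 286) contains some suspicious content and should be checked.
Warning: Possible promiscuous interfaces:
'ifconfig' command output:           UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
'ip' command output: eth0
Warning: Process '/sbin/pppoe' (PID 4022) is listening on the network.
Warning: Process '/sbin/pppoe' (PID 4022) is listening on the network.
Warning: Process '/usr/libexec/mysqld' (PID 5255) is listening on the network.
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: SSH protocol v1 has been enabled in the SSH configuration file (/etc/ssh/sshd_config).
Warning: Suspicious file types found in /dev:
/dev/shm/suspscan.30632.strings: ASCII text
/dev/shm/suspscan.2906.strings: ASCII text, with very long lines
"""

# Assumed allow-list: daemons this server is expected to have on the network.
EXPECTED_LISTENERS = {"/sbin/pppoe", "/usr/libexec/mysqld"}

FILE_RE = re.compile(r"^Warning: File '(?P<path>[^']+)' \(score: (?P<score>\d+)\)")
PROC_RE = re.compile(r"^Warning: Process '(?P<exe>[^']+)' \(PID (?P<pid>\d+)\) is listening")
IFACE_RE = re.compile(r"^'ip' command output: (?P<iface>\S+)")
DEV_RE = re.compile(r"^(?P<path>/dev/\S+): (?P<type>.+)$")


def parse_report(text):
    """Group the warning lines by the rkhunter check that produced them."""
    found = defaultdict(list)
    seen_procs = set()
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            found["suspicious_file"].append((m["path"], int(m["score"])))
            continue
        m = PROC_RE.match(line)
        if m:
            key = (m["exe"], int(m["pid"]))
            if key not in seen_procs:  # rkhunter prints one line per socket
                seen_procs.add(key)
                found["listening"].append(key)
            continue
        m = IFACE_RE.match(line)
        if m:
            found["promiscuous"].append(m["iface"])
            continue
        m = DEV_RE.match(line)
        if m:
            found["dev_file"].append((m["path"], m["type"]))
            continue
        if line.startswith("Warning: SSH protocol v1"):
            found["ssh_protocol_v1"].append(line)
        elif line.startswith("Warning: The SSH and rkhunter configuration"):
            found["ssh_rkhunter_mismatch"].append(line)
    return dict(found)


def triage(found):
    """Split each group into 'explained' and 'needs a look', with the next step."""
    files = found.get("suspicious_file", [])
    listeners = found.get("listening", [])
    devs = found.get("dev_file", [])
    report = {
        # PHP session files: confirm the owner is the web user and the content is
        # serialised session data before treating the score as hostile.
        "php_session_files": [p for p, _ in files if p.startswith("/tmp/sess_")],
        "other_suspicious_files": [p for p, _ in files if not p.startswith("/tmp/sess_")],
        "expected_listeners": [l for l in listeners if l[0] in EXPECTED_LISTENERS],
        "unexpected_listeners": [l for l in listeners if l[0] not in EXPECTED_LISTENERS],
        # Identify which process set PROMISC (a PPPoE client, a bridge) before
        # assuming a sniffer.
        "promiscuous_ifaces": found.get("promiscuous", []),
        # Assumed: rkhunter's suspscan test writes its .strings files here.
        "rkhunter_own_tempfiles": [p for p, _ in devs if p.startswith("/dev/shm/suspscan.")],
        "other_dev_files": [p for p, _ in devs if not p.startswith("/dev/shm/suspscan.")],
        "config_actions": [],
    }
    if "ssh_rkhunter_mismatch" in found:
        report["config_actions"].append(
            "decide PermitRootLogin in sshd_config, then set ALLOW_SSH_ROOT_USER to match")
    if "ssh_protocol_v1" in found:
        report["config_actions"].append("set 'Protocol 2' in /etc/ssh/sshd_config")
    return report


if __name__ == "__main__":
    pprint(triage(parse_report(SAMPLE_REPORT)))
```

Anything that lands in other_suspicious_files, unexpected_listeners or other_dev_files is what deserves manual attention; the rest is either explained by a known daemon or by rkhunter's own working files.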
- 
				I have been getting the exact same messages (with 7.3) also. The files in /tmp are owned by www, and it appears that they are some sort of config file dumps from Horde. I am also now getting the following error messages:
 Warning: The following processes are using deleted files:
 Process: smtp-auth    PID: 2455    File: /usr/bin/perl.#prelink#
 Process: qpsmtpd-f    PID: 3867    File: /usr/bin/perl.#prelink#
 
 Everything seems to be working properly though. When I delete the /tmp/sess files, they are recreated.
 
 EDIT: I see that there is already a bug report:
 http://bugs.contribs.org/show_bug.cgi?id=3713
- 
				This is how the messages look at my SME. I must confess, I'm worried:
 
 /etc/cron.daily/01-rkhunter:
 
 Warning: File '/tmp/sess_3f8c965220e8e8c00791c310cb3adaf5' (score: 221) contains some suspicious content and should be checked.
 Warning: File '/tmp/sess_95c635fb187de78ec40d2ed56c96fe16' (score: 206) contains some suspicious content and should be checked.
 Warning: Users have been added to the passwd file:
 cyrulution-64x2$:x:5004:5004:Hostname account for cyrulution-64x2$:/noexistingpath:/bin/false
 Warning: Groups have been added to the group file:
 cyrulution-64x2$:x:5004:
 Warning: Suspicious file types found in /dev:
 /dev/shm/suspscan.13605.strings: ASCII text, with very long lines
 
 One or more warnings have been found while checking the system.
 Please check the log file (/var/log/rkhunter.log)
 /etc/cron.daily/sa_update:
 
 'spamassassin' is not a valid service name
 
 
 I deleted the "suspicious" files a few times, but they reappear after a short while.
 
 But ... at least one success. The message
 Warning: The SSH and rkhunter configuration options should be the same:
 SSH configuration option 'PermitRootLogin': yes
 Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
 
 did disappear after I set the 'ALLOW_SSH_ROOT_USER' option to 'yes'.
 
 Help!
 Cyrus
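The SSH warning in this post and in the first one is rkhunter comparing two config files: PermitRootLogin in sshd_config against ALLOW_SSH_ROOT_USER in rkhunter.conf. Setting the rkhunter side to 'yes' silences it, but so does setting PermitRootLogin to 'no' on the sshd side, which is the hardening route. The script below is an added example (not rkhunter's own check) that reproduces the comparison offline on constructed config fragments, using sshd's first-match rule for repeated keywords, and also flags a Protocol line that still lists version 1, the other SSH warning in the thread. It assumes no Match blocks in sshd_config and that an absent PermitRootLogin means 'yes', which was the OpenSSH default of that era.

```python
"""Reproduce rkhunter's SSH consistency checks from config text (added example)."""
import re

# Constructed sample matching the thread: root login permitted, protocol 1 still on.
SSHD_CONFIG_BEFORE = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened variant: protocol 2 only, no direct root login.
SSHD_CONFIG_HARDENED = """\
Port 22
Protocol 2
PermitRootLogin no
PermitRootLogin yes   # later duplicate: sshd keeps the first value
"""

RKHUNTER_CONF = """\
# rkhunter.conf (constructed sample)
ALLOW_SSH_ROOT_USER=no
"""

RKHUNTER_CONF_ALLOW_ROOT = "ALLOW_SSH_ROOT_USER=yes\n"


def parse_sshd_config(text):
    """First occurrence of a keyword wins, as in sshd; stops at a Match block."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # per-user overrides are outside this example (assumption)
        opts.setdefault(key, value)
    return opts


def parse_rkhunter_conf(text):
    """KEY=value lines; later lines override earlier ones."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().upper()] = value.strip().strip('"')
    return opts


def check_ssh(sshd_text, rkhunter_text):
    """Return (finding, sshd_value, rkhunter_value) tuples, empty when consistent."""
    sshd = parse_sshd_config(sshd_text)
    rk = parse_rkhunter_conf(rkhunter_text)
    findings = []
    # Assumption: missing PermitRootLogin behaves as 'yes' (old OpenSSH default).
    permit = sshd.get("permitrootlogin", "yes").lower()
    allow = rk.get("ALLOW_SSH_ROOT_USER", "no").lower()
    if allow != "unset" and permit != allow:
        findings.append(("root_login_mismatch", permit, allow))
    protocol = sshd.get("protocol", "")
    if "1" in protocol.replace(" ", "").split(","):
        findings.append(("ssh_protocol_v1", protocol, None))
    return findings


if __name__ == "__main__":
    print("as in the thread:", check_ssh(SSHD_CONFIG_BEFORE, RKHUNTER_CONF))
    print("rkhunter side changed:", check_ssh(SSHD_CONFIG_BEFORE, RKHUNTER_CONF_ALLOW_ROOT))
    print("sshd hardened:", check_ssh(SSHD_CONFIG_HARDENED, RKHUNTER_CONF))
```

Running the three variants shows the difference between the two fixes: changing ALLOW_SSH_ROOT_USER only stops rkhunter reporting root login, while tightening sshd_config clears both findings and actually reduces exposure.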
- 
				Have a look at http://bugs.contribs.org/show_bug.cgi?id=3713
 
 There has been a lot of activity about this issue - help is on its way!
 
 In the meantime, don't worry.....well, not too much, anyway :-P
 
 Cheers
 
 Ian