6

I'm trying to figure out in the rkhunter config how I can whitelist the detection of certain ports, such as ports used for IRCds, and other ports which I have for services which run on non-standard ports.

Does anyone know how to configure this so that rkhunter does not throw warnings about detecting the ports I wish to whitelist?

Thomas Ward

2 Answers

5

You edit /etc/rkhunter.conf

# command line
sudo -e /etc/rkhunter.conf

# graphical
gksu gedit /etc/rkhunter.conf

Under the WHITELIST_PORTS section, add your whitelist. The configuration file has examples.

# Syntax /full/path/to/binary Protocol:port
# Protocol = TCP / UDP 
# You may use wildcards

PORT_WHITELIST="/usr/sbin/privoxy TCP:8118"

# For multiple binaries / ports, list them as per the config file
PORT_WHITELIST="/usr/sbin/privoxy /usr/sbin/squid TCP:8118 TCP:3128"

# Alternate
PORT_WHITELIST="* TCP:22 TCP:80 TCP:443 TCP:8080"
Panther
  • Well, I should have posted to my own question here stating an issue... there actually was a bug in the version I was using many eons ago. Turns out they didn't process the list correctly in that version. 11.04 does not have this bug :P (marked as answer because it does provide the config examples) – Thomas Ward Dec 22 '11 at 22:51
1

The response from @Panther is correct. However, you can also white-list the whole path of an executable. Example:

  • White-list all open ports for executable /usr/sbin/squid

PORT_PATH_WHITELIST=/usr/sbin/squid

  • White-list TCP port 3801 for executable /usr/sbin/squid

PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801

All this, with additional explanation, is written in the rkhunter.conf file.

P.S.: I just bumped into this and I feel that somebody can benefit from it in the future.

findmyname
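As an added example (not part of either answer and not rkhunter's own code), this Python linter checks the two option forms shown in the answers above, PORT_WHITELIST and PORT_PATH_WHITELIST, and flags values that are malformed or wider than a single binary on a single port. The sample config, the /usr/sbin/ircd path and the finding messages are constructed for illustration; the accepted syntax is assumed to be exactly what the answers show.

```python
import re

# Constructed sample; option forms are the ones shown in the two answers.
# \u201d and \u2033 are typographic quotes, as left by a paste from a web page.
SAMPLE = (
    '# constructed example config\n'
    'PORT_WHITELIST=\u201d/usr/sbin/privoxy TCP:8118\u2033\n'
    'PORT_WHITELIST="/usr/sbin/privoxy /usr/sbin/squid TCP:8118 TCP:3128"\n'
    'PORT_WHITELIST="* TCP:22 TCP:80 TCP:443 TCP:8080"\n'
    'PORT_PATH_WHITELIST=/usr/sbin/squid\n'
    'PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801\n'
    'PORT_PATH_WHITELIST=/usr/sbin/ircd:TCP:66670\n'
)
PORT_RE = re.compile(r'^(TCP|UDP):(\d+)$')
TYPOGRAPHIC = '\u2018\u2019\u201c\u201d\u2032\u2033'

def bad_port(token):
    """True unless token is TCP:n or UDP:n with 1 <= n <= 65535."""
    m = PORT_RE.match(token)
    return m is None or not 1 <= int(m.group(2)) <= 65535

def lint(text):
    """Return (line_number, message) findings for the two whitelist options."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        key, sep, value = raw.strip().partition('=')
        if not sep or key not in ('PORT_WHITELIST', 'PORT_PATH_WHITELIST'):
            continue  # comments and unrelated options
        if any(c in value for c in TYPOGRAPHIC):
            findings.append((n, 'typographic quote in value'))
            continue
        value = value.strip('"\'')
        if key == 'PORT_PATH_WHITELIST':
            path, _, port = value.partition(':')
            if not port:
                findings.append((n, 'broad: all ports of ' + path))
            elif bad_port(port):
                findings.append((n, 'bad protocol:port ' + port))
            continue
        tokens = value.split()
        ports = [t for t in tokens if ':' in t]
        if '*' in tokens:
            findings.append((n, 'broad: any binary on ' + ' '.join(ports)))
        findings += [(n, 'bad protocol:port ' + p) for p in ports if bad_port(p)]
    return findings

if __name__ == '__main__':
    for n, msg in lint(SAMPLE):
        print('line %d: %s' % (n, msg))
```

The "broad" findings are review prompts rather than errors: a wildcard or path-only entry is valid per the answers, but it suppresses the port warning for more than one binary/port pair.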