RKHunter Hidden Ports
At work I received some rkhunter emails from a server:
Warning: Hidden ports found: Port number: TCP:732
Digging into the report led to unhide-tcp. Searching the web indicated that nobody on the planet knows how to deal with this problem other than rebooting. Yes. The famous Linux operating system that does not need rebooting. Not a gratifying option on a production server.
Reading the comments in rkhunter.conf, this test may be disabled by adding the hidden_procs parameter in the DISABLE_TESTS option. Except in my case, rkhunter continued running the hidden port test.
More digging revealed the desired option is hidden_ports and not
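To check which test names an rkhunter.conf actually disables before trusting that a warning has been silenced, here is an added shell example (my own, not code from the post or from the rkhunter project). It parses the DISABLE_TESTS setting from a config file and reports whether a named test is listed, run against two constructed sample files: one listing hidden_procs, as in the mistaken configuration above, and one that also lists hidden_ports. Assumptions: DISABLE_TESTS holds space-separated test names as in the stock rkhunter.conf, lines starting with '#' are comments, and if the option appears on more than one line the lists are merged (the sample files use one line each).

```shell
#!/bin/sh
# Added example, not code from the original post or from the rkhunter project.
# Reports whether a given rkhunter test name is listed in DISABLE_TESTS in an
# rkhunter.conf file. Assumptions: values are space-separated test names (as in
# the stock rkhunter.conf), '#' lines are comments, and repeated DISABLE_TESTS
# lines are merged into one list.

# Usage: test_is_disabled /path/to/rkhunter.conf hidden_ports
# Prints "disabled" (exit 0) or "enabled" (exit 1).
test_is_disabled() {
    conf="$1"; name="$2"
    # Keep only uncommented DISABLE_TESTS lines, drop the key, join the values.
    values=$(sed -n 's/^[[:space:]]*DISABLE_TESTS[[:space:]]*=[[:space:]]*//p' "$conf" \
             | tr -d '"' | tr '\n' ' ')
    for v in $values; do
        [ "$v" = "$name" ] && { echo disabled; return 0; }
    done
    echo enabled
    return 1
}

# Writes two constructed sample configs into the directory given as $1.
write_samples() {
    dir="$1"
    # The mistaken configuration: hidden_procs is listed, so the hidden *port*
    # test (hidden_ports) still runs. The commented line must be ignored.
    cat > "$dir/wrong.conf" <<'EOF'
# rkhunter.conf (constructed sample)
#DISABLE_TESTS=hidden_ports
DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps
EOF
    # The corrected configuration: hidden_ports is the name that disables
    # the unhide-tcp based hidden port check.
    cat > "$dir/fixed.conf" <<'EOF'
# rkhunter.conf (constructed sample)
DISABLE_TESTS=suspscan hidden_procs hidden_ports deleted_files packet_cap_apps apps
EOF
}

# Demonstration when run as a script: report the state of hidden_ports in both files.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in wrong fixed; do
        printf '%s: hidden_ports is %s\n' "$f.conf" \
            "$(test_is_disabled "$tmp/$f.conf" hidden_ports)"
    done
    rm -rf "$tmp"
}
demo
```

Running the script prints that hidden_ports is still enabled in wrong.conf and disabled in fixed.conf. `rkhunter --list tests` prints the test names rkhunter recognises, which is the quickest way to catch a mistyped or wrong name before it silently leaves a test running.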
I am reconsidering our use of rkhunter. Browsing the web indicates that false positives are a serious problem with the tool. To be fair, the root cause of this problem is unhide-tcp. Yet configuring rkhunter requires so many exceptions that I wonder about the benefits. A competent person designing a rootkit for a Linux system would neutralize rkhunter.