RKHunter Hidden Ports

At work I received some rkhunter emails from a server:

    Warning: Hidden ports found:
             Port number: TCP:732

Digging into the report led to unhide-tcp. Searching the web indicated that nobody on the planet knows how to deal with this problem other than rebooting. Yes. The famous Linux operating system that does not need rebooting. Not a gratifying option on a production server.

Reading the comments in rkhunter.conf, this test may be disabled by adding the hidden_procs parameter in the DISABLE_TESTS option. Except in my case, rkhunter continued running the hidden port test.

More digging revealed the desired option is hidden_ports and not hidden_procs.

I am reconsidering our use of rkhunter. Browsing the web indicates that false positives are a serious problem with the tool. To be fair, the root cause of this problem is unhide-tcp. Yet configuring rkhunter requires so many exceptions that I wonder about the benefits. A competent person designing a root kit for a Linux system would neutralize rkhunter.

Posted: Category: Usability Tagged: General

Next: LibreOffice Draw Spastic Toolbars

Previous: Windows Shortcuts