Home / ubuntu / Questions / 35399
Accepted
Thomas Ward
Asked: 2011-04-16 21:16:39 +0800 CST

Whitelisting ports for detection in rkhunter

  • 772

I'm trying to figure out in the rkhunter config how I can whitelist the detection of certain ports, such as ports used for IRCds, and other ports which I have for services which run on non-standard ports.

Does anyone know how to configure this so that rkhunter does not throw warnings about detecting the ports I wish to whitelist?

server

2 Answers

  1. Best Answer

    You edit /etc/rkhunter.conf

    # command line
sudo -e /etc/rkhunter.conf

# graphical
gksu gedit /etc/rkhunter.conf

    Under the WHITELIST_PORTS section , add your whitelist. The configuration file has examples.

    # Syntax /full/path/to/binary Protocol:port
# Protocol = TCP / UDP 
# You may use wildcards

PORT_WHITELIST=”/usr/sbin/privoxy TCP:8118″

#for multiple binaries / ports , list them as per the config file
PORT_WHITELIST="/usr/sbin/privoxy /usr/sbin/squid TCP:8118 TCP:3128"

# Alternate
PORT_WHITELIST="* TCP:22 TCP:80 TCP:443 TCP:8080"
    • 5

  2. The response from @Panther is correct. However you can also white-list whole path of executable. Example:

    • White-list all open ports for executable /usr/sbin/squid

    PORT_PATH_WHITELIST=/usr/sbin/squid

    • White-list TCP port 3801 for executable /usr/sbin/squid

    PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801

    All this with additional explanation is written in rkhunter.conf file.

    P.S.: I just bumped into this and I feel that somebody can benefit from it in the future.

    • 1