On Sat, 2009-12-05 at 12:10 -0500, Tanstaafl wrote:
> On 12/5/2009, John Horne ([email protected]) wrote:
> >> Again - is there anything special about port 2006 that makes
> >> rkhunter single it out?
>
> > Yes, it is known to be used by the CB and w00tkit rootkits. That's
> > why RKH is warning you about it.
>
> Ah, ok, now that makes sense. Thinking about this, it seems to me that
> whitelisting couriertls makes more sense than whitelisting the port.
> What do you think?
>
Personally I only whitelist what is necessary. In this case I would
agree, and whitelist 'couriertls' rather than the port.

> > You can either whitelist the port itself (PORT_WHITELIST=TCP:2006),
> > or whitelist a particular application to use known bad ports
> > (PORT_WHITELIST=couriertls).
>
> One question - the commented line has quotes around empty contents:
>
> PORT_WHITELIST=""
>
> Is this another case of it works either way? Or maybe this time the
> gentoo maintainer got it wrong?
>
The use of PORT_WHITELIST="" is fine (and is the default) and simply
means that no ports are whitelisted. The PORT_WHITELIST option is a
space-separated list, and so if you are whitelisting more than one port
or application, then you may need the double-quotes. All the following
are valid:

    PORT_WHITELIST=couriertls
    PORT_WHITELIST="couriertls"
    PORT_WHITELIST=" couriertls "
    PORT_WHITELIST=TCP:2006
    PORT_WHITELIST="TCP:2006"
    PORT_WHITELIST="couriertls TCP:2006 gpg:7701"

and so on. So, several combinations are possible. Basically if an option
is a space-separated list, and there is more than one item in the list,
then you will need to use the double-quotes.

The PORT_WHITELIST option can only be used once, hence all the
whitelisted ports must be put on the same line. I have to admit that I
am already reconsidering this for some options for the next release.
Some options can already be space-separated and occur several times in
the config file. We should perhaps extend that to more of the options.
It just makes life a bit easier :-)

John.

--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
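
An added example, not part of the original message and not rkhunter's own code: a small Python check that applies the rules stated in the reply above to a config file (PORT_WHITELIST set only once, multi-item values double-quoted) and flags port-wide entries such as TCP:2006 for review, in line with the preference for whitelisting the application. The sample config, the function name check_port_whitelist and the TCP/UDP entry pattern are assumptions made for the illustration.

```python
import re

# Constructed sample rkhunter.conf fragment (not taken from a real system).
SAMPLE_CONF = '''\
#PORT_WHITELIST=""
PORT_WHITELIST=couriertls TCP:2006
PORT_WHITELIST="gpg:7701"
'''

# Only active (uncommented) option lines match; a leading '#' prevents a match.
OPTION = re.compile(r'^\s*PORT_WHITELIST=(.*)$')
# Assumed shape of a "whitelist the port itself" entry, e.g. TCP:2006.
PORT_ENTRY = re.compile(r'(?i)(tcp|udp):\d+')


def check_port_whitelist(conf_text):
    """Return (entries, findings) for the PORT_WHITELIST lines in conf_text."""
    entries, findings, first_line = [], [], None
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        match = OPTION.match(line)
        if not match:
            continue
        if first_line is None:
            first_line = lineno
        else:
            # The option can only be used once: all entries belong on one line.
            findings.append(f"line {lineno}: PORT_WHITELIST repeated "
                            f"(first set on line {first_line})")
        raw = match.group(1).strip()
        quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
        items = (raw[1:-1] if quoted else raw).split()
        if len(items) > 1 and not quoted:
            # A space-separated list with several items needs double quotes.
            findings.append(f"line {lineno}: {len(items)} entries without "
                            f"double quotes")
        for item in items:
            if PORT_ENTRY.fullmatch(item):
                # Whitelisting the port covers every program that uses it.
                findings.append(f"line {lineno}: {item} whitelists the port "
                                f"itself; consider naming the application")
        entries.extend(items)
    return entries, findings


if __name__ == "__main__":
    found, problems = check_port_whitelist(SAMPLE_CONF)
    print("entries:", found)
    for problem in problems:
        print(problem)
```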
