On Monday 10 July 2006 23:05, Colin J Thomson - G6AVK wrote:
> On Monday 10 July 2006 19:39, Nigel Henry wrote:
> > This is the first time I've used rkhunter, so am a bit in the dark, and
> > there ain't much documentation for it.
>
> There isn't, but the mail list, albeit quiet, seems helpful,

Hi Colin, and the list. Eureka! Job done. Sendmail wasn't it. I normally go 
through the running services list on my installs, and disable stuff that I 
don't use. I don't specifically use sendmail, and had read that it's not easy 
to set up, so disabled it. I did not realise that it was already set up to 
deal with local mail. Just for kicks I started sendmail, not expecting 
anything. Clicked on KMail's check mail, and nearly fell out of my chair when 
227 messages appeared in an instant, going back to last November. There were 
2 entries from rkhunter, and a returned mail for when I tried to use the 
default "[EMAIL PROTECTED]" instead of "[EMAIL PROTECTED]"


>
> > The FC2 install is from the 1.2.8 tarball. This has created the rkhunter
> > shellscript in /usr/local/bin, and a directory named rkhunter in
> > /usr/local. This directory has 3 subdirectories in it: bin, etc, and lib.
> > Lib has further subdirectories, and amongst other things contains the db
> > files. Bin and etc are empty directories. The only other file I can
> > find for rkh is in /usr/local/etc, and is rkhunter.conf.
> >
> > Couple of questions on this file.
> >
> > 1. Does the shellscript in /usr/local/bin/rkhunter refer to this config
> > file when it runs.
>
> Yes, on my system it is in /etc but I used the Fedora rpms, perhaps you
> should try that, mixing source and RPM's is not good ;)

FC5 is the only distro that I've installed from rpm, which was available from 
extras-development, and as default runs rkhunter from a cron job, and keeps a 
log. On FC1 and FC2 I've used the 1.2.8 tarball, and at the moment have to 
run it manually.
>
> > 2. I do get some MD5 checks showing as bad, so mail should be sent. How
> > do I configure the bit of the file shown below?
>
> I had seen this on FC2, have you run the rkhunter updater? On this system
> it is run as a cron job, automatically updates then scans then emails me
> the results..

Yes I have run the updater.
>
> > # Send a warning message to the admin when one or more warnings
> > # are available (rootkit and MD5 check). Note: uses default `mail`
> > # command to send the warning message.
> > [EMAIL PROTECTED]  (have uncommented this, but it still doesn't
> > work)
>
> Well, I left mine at the default which sends to "Root"
>
> [EMAIL PROTECTED]
>
> As a note I also have a config file in /etc/sysconfig/rkhunter

Yes. I checked on that, and I have too.
>
> > I'm not trying to be a total ignoramus here, but is "[EMAIL PROTECTED]"
> > interpreted by rkhunter to automatically send warning messages to
> > /var/spool/mail, or should I be changing this, and if so, to what?
>
> If it does actually say "[EMAIL PROTECTED]" change it to "[EMAIL PROTECTED]"
>
> To be honest Nigel I have not tweaked much in the .conf file, except
> ALLOWHIDDENDIR=/dev/.udevdb
>
> Not much help to you, lets see if anyone on the mail list can help
>
> Cheers,
>
> -Colin

Thanks for your help, and the list's.

Nigel.

btw. Rkhunter on FC5 is showing an all clear. Is there a way to test it, and 
to get it to email me? I thought I saw on the freshmeat site 2 rootkits, 
along with the rkhunter tarball, and presume these were for non invasive 
testing purposes, but can't find the page now.
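
The thread's lesson is that rkhunter's MAILTO does nothing by itself: rkhunter hands the report to the `mail` command, and `mail` needs a running local MTA (sendmail here) to deliver to /var/spool/mail. The wrapper below is an added example, not code from the thread or from the rkhunter project: it reads MAILTO out of rkhunter.conf, checks that an MTA process is actually up before trusting MAILTO, runs the scan and mails the log only when it contains flagged lines. The config and binary paths, the process-name heuristic in mta_running, the "[ BAD ]"/"[ Warning! ]" markers it greps for, the --update/--cronjob/--checkall flags (check them against `rkhunter --help` for your version) and the sample conf and log in demo() are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the rkhunter project or the mailing-list thread).
# Cron wrapper for rkhunter 1.2.x that checks the mail path the thread tripped
# over before relying on MAILTO. Paths, flags, the log markers matched below
# and the sample conf/log in demo() are assumptions.

RKH_BIN="${RKH_BIN:-/usr/local/bin/rkhunter}"
RKH_CONF="${RKH_CONF:-/usr/local/etc/rkhunter.conf}"
LOGFILE="${LOGFILE:-/var/log/rkhunter-wrapper.log}"

# Print the MAILTO value from an rkhunter.conf. Lines commented out with '#'
# (the shipped default) are ignored; if the key appears twice the last wins.
read_mailto() {
    sed -n 's/^[[:space:]]*MAILTO=[[:space:]]*//p' "$1" | sed -n '$p'
}

# Count flagged lines in a scan log. Assumed markers: failed MD5 checks are
# shown as "[ BAD ]", other findings as "[ Warning! ]". Prints 0 when clean.
count_warnings() {
    grep -c -E '\[ *(Warning!?|BAD) *\]' "$1" || true
}

# Heuristic: is a local MTA running? `mail` only works because it hands the
# message to sendmail (or postfix/exim) for local delivery; with sendmail
# disabled the report silently goes nowhere, as happened in the thread.
mta_running() {
    ps -e 2>/dev/null | grep -q -E '[s]endmail|[p]ostfix|[e]xim'
}

# Update the databases, run the scan, mail the log if anything was flagged.
run_scan() {
    rcpt=$(read_mailto "$RKH_CONF")
    [ -n "$rcpt" ] || rcpt=root
    if ! mta_running; then
        echo "no local MTA running: MAILTO=$rcpt would go nowhere" >&2
        return 2
    fi
    "$RKH_BIN" --update >/dev/null 2>&1
    "$RKH_BIN" --cronjob --checkall >"$LOGFILE" 2>&1
    n=$(count_warnings "$LOGFILE")
    if [ "$n" -gt 0 ]; then
        mail -s "rkhunter: $n warning(s) on $(hostname)" "$rcpt" <"$LOGFILE"
    fi
    return 0
}

# Offline demonstration on a constructed conf fragment and log excerpt.
demo() {
    tmp=$(mktemp -d)
    # Constructed rkhunter.conf: commented-out default, then a real value
    # (root@localhost is assumed to be the shipped default).
    cat >"$tmp/rkhunter.conf" <<'EOF'
# Send a warning message to the admin when one or more warnings
# are available (rootkit and MD5 check).
#MAILTO=root@localhost
MAILTO=root@localhost
ALLOWHIDDENDIR=/dev/.udevdb
EOF
    # Constructed scan log excerpt with one bad MD5 and one warning.
    cat >"$tmp/scan.log" <<'EOF'
  /bin/ls                                      [ OK ]
  /bin/ps                                      [ BAD ]
  /usr/bin/find                                [ OK ]
  Checking for hidden directories              [ Warning! ]
EOF
    echo "MAILTO  : $(read_mailto "$tmp/rkhunter.conf")"
    echo "flagged : $(count_warnings "$tmp/scan.log")"
    echo "MTA up  : $(mta_running && echo yes || echo no)"
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;
    run)  run_scan ;;
esac
```

Run it as `sh rkh-mailwrap.sh demo` to exercise the parsing on the embedded sample (it reports MAILTO root@localhost and 2 flagged lines), or `sh rkh-mailwrap.sh run` from cron as root to do the real scan. The MTA check answers the question in the thread directly: if it prints "no local MTA running", no amount of editing MAILTO will make a report arrive.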


_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users