I have a proxy server, a GNU/Linux Debian 8.1 64bits with installed 
Squid 3.4.8-6+deb8u3 and Rkhunter 1.4.2-0.4, both installed via the 
packet manager.

As check I run "rkhunter --check --enable all --disable none --rwo", 
sometimes it gives me some warnings about some possible rootkit checking 
a network port used by /usr/sbin/squid, that is the proxy. I have 
iptables in action and the input is permitted only if toward the proxy 
server port or any other only if established or related, more, if I 
repeat the check after some time it gives me no warning at all.

They seems this bug already reported for SME Server and it seems they 
have already resolved these warnings: 

I think they are just false positive, and they are given to me because 
sometimes squid uses the ports checked by rkhunter, what do you think 
about? Have I to worry about these warnings? If I have not to worry 
about, and actually they are false positives, is there a way to minimize 
these false positives without to compromise rkhunter scan reliability?


Andrea Boccaccio

Rkhunter-users mailing list

Reply via email to