Re: [Rkhunter-users] False alarms for httpd high numbered ports...
From: John H. <joh...@pl...> - 2010-03-26 13:06:00
On Fri, 2010-03-26 at 07:42 -0500, Sean Carolan wrote:
> >> We've noticed some occasional rkhunter warning emails regarding high
> >> numbered ports in use by httpd. Has anyone else experienced this? Is
> >> there a way to ignore these?
> >>
> > Look at whitelisting them with PORT_WHITELIST in your config file.
>
> What if it's a different, random numbered port each time? I'm not
> sure what these are, perhaps outbound connections?
>
The check is of a local port being used. Look in the config file, it will
tell you that you can whitelist the application name instead of the port
number if required.

As far as I remember the warning message will advise using lsof to check if
the port is supposed to be in use or not, so it will be for you to determine
if httpd is supposed to be using the port(s) or not.

John.

--
John Horne                   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001
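An added example (not from the thread and not rkhunter's own code) of the lsof check mentioned above: it filters `lsof -nP -i` output for sockets whose local port matches the one in the warning, so a listening socket can be told apart from the local end of an outbound connection. The helper name `local_port_owners` and the sample lsof lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: show which process owns a given LOCAL port in `lsof -nP -i` output.
# local_port_owners is a hypothetical helper, not part of rkhunter.

local_port_owners() {
    # $1 = port number from the warning; lsof output is read from stdin.
    # Prints: command pid user protocol local-port state remote-endpoint
    awk -v want="$1" '
        NR == 1 && $1 == "COMMAND" { next }      # skip the lsof header row
        {
            name = $9                             # e.g. 192.0.2.10:47107->198.51.100.7:3306
            remote = "-"
            arrow = index(name, "->")
            if (arrow > 0) {                      # connected socket: split off the remote end
                remote = substr(name, arrow + 2)
                name = substr(name, 1, arrow - 1)
            }
            n = split(name, part, ":")            # local port is the text after the last colon
            if (part[n] != want) next
            state = ($10 == "") ? "-" : $10       # UDP sockets carry no state column
            gsub(/[()]/, "", state)
            print $1, $2, $3, $8, part[n], state, remote
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_LSOF='COMMAND  PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
httpd   2143 apache    4u  IPv6  11001      0t0  TCP *:80 (LISTEN)
httpd   2150 apache   12u  IPv4  11877      0t0  TCP 192.0.2.10:47107->198.51.100.7:3306 (ESTABLISHED)
sshd     901   root    3u  IPv4   9002      0t0  TCP *:22 (LISTEN)
named    655  named   20u  IPv4   8120      0t0  UDP 192.0.2.10:53'

# Here the flagged port is the local end of an outbound connection made by httpd.
printf '%s\n' "$SAMPLE_LSOF" | local_port_owners 47107
# On a live host: lsof -nP -i | local_port_owners <port from the warning>
```

A state of `ESTABLISHED` with a remote endpoint points to an outbound or accepted connection using that local port, while `LISTEN` means the process is bound to it as a service.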