My understanding is that Rootkit Hunter is optional but strongly recommended. Is that correct? Is there any reason not to run RKH and chkrootkit on the same system? RKHunter installs Postfix, which is a bit heavy: does anyone install another mail transport before RKHunter? Is there some reason related to ISPConfig that we might want Postfix to be the MTA there? Is there any reason why we might want to install Postfix separately in the ISPConfig Mail Server component? Or is it just as good to let rkhunter install Postfix? (The apt-get install of postfix later should be ignored, but below I have questions about the configuration.) (Note that if rkhunter is installed during system installation, the Postfix-related notes in the Perfect docs are not the same. Someone doing the install should recognize that.)

I understand some admins use ISPProtect (for-fee). And there are many other similar applications. But are there any other packages like RKH that are very commonly used or recommended for use with ISPConfig? As an example, ClamAV is commonly used with ISPConfig and it can do file system scanning. Please: I'm not looking for open commentary/anecdotes like "I use this". I'm asking about security software that is not in the Perfect docs, but may be commonly used and/or recommended for ISPConfig.

EDIT: Additional questions. Ref the most recent Perfect guide, Section 6 about installing Postfix. Should the exact same Postfix instructions be followed in any system where rkhunter is installed with postfix? And to be very specific, should the specified mail server FQDN reference the actual mail.mydomain.tld? Or, where Postfix is just being added as an MTA/relay, should that be myhost.mydomain.tld? I'm guessing this should be the live/full mail.domain.tld, otherwise, how does it know which server to use for relay? I'm looking for docs on these topics. Links are certainly welcome. Thanks!
I believe it is not strongly recommended, at least it is not recommended any more strongly than other packages. No. That is not actually the case. RKHunter recommends a mail-transport-agent, but should work without one, since it is a Recommends, not a Depends, and it does not have to be postfix. So if postfix is heavy, install something else. See below:

Code:
# LANG=C apt depends rkhunter
rkhunter
 |PreDepends: debconf (>= 0.5)
  PreDepends: <debconf-2.0>
    cdebconf
    debconf
  Depends: binutils
  Depends: file
  Depends: lsof
  Depends: net-tools
  Depends: ucf (>= 0.28)
  Depends: <perl:any>
    perl
 |Recommends: bsd-mailx
 |Recommends: mailutils
 |Recommends: heirloom-mailx
  Recommends: <mailx>
    bsd-mailx
    mailutils
 |Recommends: <default-mta>
    exim4-daemon-light
  Recommends: <mail-transport-agent>
    citadel-server
    courier-mta
    esmtp-run
    msmtp-mta
    nullmailer
    opensmtpd
    postfix
    qmail-run
    sendmail-bin
    ssmtp
    dma
    exim4-daemon-heavy
    exim4-daemon-light
  Recommends: iproute2
  Recommends: unhide
  Recommends: unhide.rb
 |Recommends: wget
  Recommends: curl
  Suggests: liburi-perl
  Suggests: libwww-perl
  Suggests: powermgmt-base

(Fixed above listing to be in English. It is from Debian 9 Stretch running ISPConfig.) I cannot see how rkhunter, whether installed or not, affects postfix configuration.
About rkhunter and the phrase "strongly recommended", OK, I understand the positioning now. I'll rephrase: rkhunter is included in all of the installation guides, and in the control panel Monitor/Logfiles section. So there is a link between ISPConfig and rkhunter that does not exist for other packages. This is an area that I have not found any information about, and ultimately I guess I'll need to get into the code. But, is rkhunter log viewing enabled by a plugin for the Monitor module? If someone installs a different rootkit detector or other security packages, what is the recommended method, if any, to get data from those packages into the Monitor module? Is a PR to the core required, essentially with a copy/edit of one of the other log parsers? As a developer interested in extensibility I'd like to deeply understand this area.

About rkhunter+Postfix - That's FASCINATING! I didn't think to check apt depends. Thank you very much for that approach to understanding some of this. And this explains some of my confusion. In my fresh Ubuntu 20.04 with all updates, postfix is the recommended default, and comparing your environment and mine, heirloom-mailx is not even recommended here; my system installed bsd-mailx.

Something else we learn here: if you install rkhunter there is a dependency for binutils. So if you have a script to install a server with rkhunter (I do) then your personal instructions don't need to include the apt-get install binutils later. Does ISPConfig actually use anything from binutils? I dunno, but it's in the installation guide. Now we know that at least rkhunter requires it, and auto-installs the dependency. It can't hurt to install binutils, but if it's not actually needed by ISPConfig then, like thousands of other packages, maybe it can be removed from the instructions.

OK, @Taleman, this answers all of the questions. Postfix is not integrated with rkhunter so there is no configuration requirement.
It simply needs a relay MTA, doesn't matter which. So my personal preference would be something lighter like esmtp or nullmailer. To avoid the installation of Postfix, one could pre-install the mailx component and then "apt-get -y --no-install-recommends install rkhunter". I would just be concerned that would result in other missing recommendations that might result in a lack of expected features. Yeah, each admin needs to decide for himself what needs to be done here. It's not the responsibility of the ISPConfig team/docs to explain every detail of system administration. But when the docs lead in a specific direction and the package links to specific software, then I think more attention is warranted. In this case, the existing docs tell people to install rkhunter but there is nothing about any of this other stuff about recommendations that affect what goes into an admin's system. In the Perfect doc it tells people to remove sendmail and install Postfix. Without this discussion that leaves gaps of information about what exactly ISPConfig needs to work. In the docs that I am writing there are links for more info, and that would include info like this and relevant links. As always, I'm happy to help with this but I need to understand exactly how this is intended to work. I'm continuing to install/delete servers, compare with docs, and noting places where newer docs can be improved. Thanks again for patience, information, links, suggestions, and the occasional RTFM where there is one. 
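An added example, not code from any participant in this thread or from the ISPConfig project: a small POSIX shell script that reads `apt depends rkhunter` output and lists the Recommends that `--no-install-recommends` would drop, leaving out the mail-transport-agent group, so they can be installed explicitly next to a lighter MTA. The sample output is a constructed, abridged version of the listing above, and nullmailer is an assumed choice of MTA, not a project default.

```shell
# Constructed sample: abridged 'apt depends rkhunter' output (Ubuntu 20.04 style).
SAMPLE=$(cat <<'EOF'
rkhunter
  Depends: binutils
  Depends: <perl:any>
    perl
 |Recommends: bsd-mailx
 |Recommends: mailutils
  Recommends: <mailx>
    bsd-mailx
    mailutils
 |Recommends: <default-mta>
    postfix
  Recommends: <mail-transport-agent>
    nullmailer
    postfix
  Recommends: e2fsprogs
  Recommends: iproute2
  Recommends: unhide
 |Recommends: wget
  Recommends: curl
  Suggests: liburi-perl
EOF
)

# Print the concrete Recommends apt would pick (first of each OR-group), skipping
# the mail-transport-agent group entirely. Reads 'apt depends' output on stdin.
optional_recommends() {
  awk '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line !~ /:/ { next }                       # provider lines under a <virtual> package
    line ~ /^[|]?Recommends:/ {
      pkg = line; sub(/^[|]?Recommends:[ \t]*/, "", pkg); sub(/[ \t].*/, "", pkg)
      if (!ingroup) first = pkg                # apt installs the first alternative
      if (line ~ /^[|]/) { ingroup = 1; next } # more alternatives follow
      ingroup = 0
      if (first !~ /^</) print first           # drops the <default-mta> OR-group
      next
    }
    { ingroup = 0 }'
}

# Build the install line; $1 is the lighter MTA chosen instead of postfix
# (nullmailer is an assumption taken from this thread, not a project default).
rkhunter_install_cmd() {
  extras=$(optional_recommends | tr '\n' ' ')
  printf 'apt-get install --no-install-recommends rkhunter %s %s\n' "${1:-nullmailer}" "${extras% }"
}

printf '%s\n' "$SAMPLE" | rkhunter_install_cmd nullmailer
```

On a real host, replace the constructed sample with `apt depends rkhunter | rkhunter_install_cmd nullmailer` and review the printed command before running it.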
Code:
$ rkhunter --version
Rootkit Hunter 1.4.6
$ apt depends rkhunter
rkhunter
 |PreDepends: debconf (>= 0.5)
  PreDepends: <debconf-2.0>
    cdebconf
    debconf
  Depends: binutils
  Depends: file
  Depends: lsof
  Depends: net-tools
  Depends: ucf (>= 0.28)
  Depends: <perl:any>
    perl
 |Recommends: bsd-mailx
 |Recommends: mailutils
 |Recommends: s-nail
  Recommends: <mailx>
    bsd-mailx
    mailutils
 |Recommends: <default-mta>
    postfix
  Recommends: <mail-transport-agent>
    citadel-server
    courier-mta
    esmtp-run
    exim4-daemon-light
    lsb-invalid-mta
    masqmail
    msmtp-mta
    nullmailer
    opensmtpd
    qmail-run
    sendmail-bin
    ssmtp
    dma
    exim4-daemon-heavy
    postfix
  Recommends: e2fsprogs
  Recommends: iproute2
  Recommends: unhide
  Recommends: unhide.rb
 |Recommends: wget
  Recommends: curl
  Suggests: liburi-perl
  Suggests: libwww-perl
  Suggests: powermgmt-base
$
After researching the topic, bsd-mailx, heirloom-mailx, nullmailer, postfix, s-nail, and these other related options, I've decided to go for defaults on all systems, and accept Postfix. It's not "that" heavy. It is useful. Configuration is painless. It seems like there is more information about it in these forums than any other MTA/MSA. I don't want to fight with a unique configuration. I'm not qualified. Time is limited. I trust the recommendations of the ISPConfig team (includes the top contributors here). I hope this decision process helps someone.
Based on a quick 'grep -R rkhunter /usr/local/ispconfig/' it is performed by the /usr/local/ispconfig/server/lib/classes/cron.d/100-monitor_rkhunter.inc.php cronjob (reading the cronjob shows it actually runs rkhunter and writes the output to the database; it does not use /var/log/rkhunter.log or similar). Yep, that's what it would require. Or, for a non-dev, one-time type contribution, if you didn't want to create a merge request, you could probably just post a functioning cronjob file either here or in the issue tracker, and someone else can format it into an MR. (Most anyone planning on doing ongoing contributions should just get things set up to create the MR themselves.)