Questions about rkhunter with ISPConfig

Discussion in 'Installation/Configuration' started by TonyG, Sep 18, 2020.

?

How do you use rkhunter?

  1. I don't know what rkhunter is

    1 vote(s)
    25.0%
  2. I know what rkhunter is but I choose not to use it

    0 vote(s)
    0.0%
  3. I don't use rootkit applications

    0 vote(s)
    0.0%
  4. I only use rkhunter on specific systems

    1 vote(s)
    25.0%
  5. I use rkhunter on all systems

    2 vote(s)
    50.0%
  1. TonyG

    TonyG Active Member

    My understanding is that Rootkit Hunter is optional but strongly recommended. Is that correct?

    Is there any reason not to run RKH and chrootkit on the same system?

    RKHunter installs Postfix, which is a bit heavy:
    Does anyone install another mail transport before RKHunter?
    Is there some reason related to ISPConfig that we might want Postfix to be the MTA there?
    Is there any reason why we might want to install Postfix separately in the ISPConfig Mail Server component? Or is it just as good to let rkhunter install Postfix? (The apt-get install of postfix later should be ignored but below I have questions about the configuration.)
    (Note that if rkhunter is installed during system installation that the Postfix-related notes in Perfect docs are not the same. Someone doing the install should recognize that.)

    I understand some admins use ISPProtect (for-fee). And there are many other similar applications. But are there any other packages like RKH that are very commonly used or recommended for use with ISPConfig? As an example, ClamAV is commonly used with ISPConfig and it can do file system scanning.
    Please: I'm not looking for open commentary/anecdotes like "I use this". I'm asking about security software that is not in the Perfect docs, but may be commonly used and/or recommended for ISPConfig.

    EDIT : Additional questions :
    Ref the most recent Perfect guide : Section 6 about installing Postfix.
    Should the exact same Postfix instructions be followed in any system where rkhunter is installed with postfix?
    And to be very specific, should the specified mail server fqdn reference the actual mail.mydomain.tld? Or, where Postfix is just being added as a MTA/relay, should that be myhost.mydomain.tld? I'm guessing this should be the live/full mail.domain.tld, otherwise, how does it know which server to use for relay?

    I'm looking for docs on these topics. Links are certainly welcome.

    Thanks!
     
    Last edited: Sep 19, 2020
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I believe it is not strongly recommended, at least it is not recommended any more strongly than other packages.
    No.
    That is not actually the case. RKHunger recommends mail-transport-agent, but should work without since it is recommend not depends, and it does not have to be postfix. So if postfix is heavy, install something else. See below:
    Code:
    # LANG=C apt depends rkhunter
    rkhunter
     |PreDepends: debconf (>= 0.5)
      PreDepends: <debconf-2.0>
        cdebconf
        debconf
      Depends: binutils
      Depends: file
      Depends: lsof
      Depends: net-tools
      Depends: ucf (>= 0.28)
      Depends: <perl:any>
        perl
     |Recommends: bsd-mailx
     |Recommends: mailutils
     |Recommends: heirloom-mailx
      Recommends: <mailx>
        bsd-mailx
        mailutils
     |Recommends: <default-mta>
        exim4-daemon-light
      Recommends: <mail-transport-agent>
        citadel-server
        courier-mta
        esmtp-run
        msmtp-mta
        nullmailer
        opensmtpd
        postfix
        qmail-run
        sendmail-bin
        ssmtp
        dma
        exim4-daemon-heavy
        exim4-daemon-light
      Recommends: iproute2
      Recommends: unhide
      Recommends: unhide.rb
     |Recommends: wget
      Recommends: curl
      Suggests: liburi-perl
      Suggests: libwww-perl
      Suggests: powermgmt-base
    
    (Fixed above listing to be in english. It is from Debian 9 Stretch running ISPConfig.)
    I can not see how rkhunter, whether installed or not, affects postfix configuration.
     
    Last edited: Sep 20, 2020
    Jesse Norell likes this.
  3. TonyG

    TonyG Active Member

    About rkhunter and the phrase "strongly recommended", OK, I understand the positioning now. I'll rephrase: rkhunter is included in all of the installation guides, and in the control panel Monitor/Logfiles section. So there is a link between ISPConfig and rkhunter that does not exist for other packages. This is an area that I have not found any information about, and ultimately I guess I'll need to get into the code. But, is rkhunter log viewing enabled by a plugin for the Monitor module? If someone installs a different rootkit detector or other security packages, what is the recommended method, if any, to get data from those packages into the Monitor module? Is a PR to the core required, essentially with a copy/edit of one of the other log parsers? As a developer interested in extensibility I'd like to deeply understand this area.

    About rkhunter+Postfix - That's FASCINATING! I didn't think to check apt depends. Thank you very much for that approach to understanding some of this. And this explains some of my confusion. In my fresh Ubuntu 20.04 with all updates, postfix is the recommended default, and comparing your environment and mine, heirloom-mailx is not even recommended here, my system installed bsd-mailx.

    Something else we learn here : If you install rkhunter there is a dependency for binutils. So if you have a script to install a server with rkhunter (I do) then your personal instructions don't need to include the apt-get install binutils later. Does ISPConfig actually use anything from binutils? I dunno, but it's in the installation guide. Now we know that at least rkhunter requires it, and auto-installs the dependency. It can't hurt to install binutils, but if it's not actually needed by ISPConfig then, like thousands of other packages, then maybe it can be removed from the instructions.

    OK, @Taleman, this answers all of the questions. Postfix is not integrated with rkhunter so there is no configuration requirement. It simply needs a relay MTA, doesn't matter which. So my personal preference would be something lighter like esmtp or nullmailer.

    To avoid the installation of Postfix, one could pre-install the mailx component and then "apt-get -y --no-install-recommends install rkhunter". I would just be concerned that would result in other missing recommendations that might result in a lack of expected features.

    Yeah, each admin needs to decide for himself what needs to be done here. It's not the responsibility of the ISPConfig team/docs to explain every detail of system administration. But when the docs lead in a specific direction and the package links to specific software, then I think more attention is warranted. In this case, the existing docs tell people to install rkhunter but there is nothing about any of this other stuff about recommendations that affect what goes into an admin's system. In the Perfect doc it tells people to remove sendmail and install Postfix. Without this discussion that leaves gaps of information about what exactly ISPConfig needs to work. In the docs that I am writing there are links for more info, and that would include info like this and relevant links. As always, I'm happy to help with this but I need to understand exactly how this is intended to work.

    I'm continuing to install/delete servers, compare with docs, and noting places where newer docs can be improved.
    Thanks again for patience, information, links, suggestions, and the occasional RTFM where there is one. :)

    $ rkhunter --version
    Rootkit Hunter 1.4.6
    $ apt depends rkhunter
    rkhunter
    |PreDepends: debconf (>= 0.5)
    PreDepends: <debconf-2.0>
    cdebconf
    debconf
    Depends: binutils
    Depends: file
    Depends: lsof
    Depends: net-tools
    Depends: ucf (>= 0.28)
    Depends: <perl:any>
    perl
    |Recommends: bsd-mailx
    |Recommends: mailutils
    |Recommends: s-nail
    Recommends: <mailx>
    bsd-mailx
    mailutils
    |Recommends: <default-mta>
    postfix
    Recommends: <mail-transport-agent>
    citadel-server
    courier-mta
    esmtp-run
    exim4-daemon-light
    lsb-invalid-mta
    masqmail
    msmtp-mta
    nullmailer
    opensmtpd
    qmail-run
    sendmail-bin
    ssmtp
    dma
    exim4-daemon-heavy
    postfix
    Recommends: e2fsprogs
    Recommends: iproute2
    Recommends: unhide
    Recommends: unhide.rb
    |Recommends: wget
    Recommends: curl
    Suggests: liburi-perl
    Suggests: libwww-perl
    Suggests: powermgmt-base
    $
     
  4. TonyG

    TonyG Active Member

    After researching the topic, bsd-mailx, heirloom-mailx, nullmailer, postfix, s-nail, and these other related options, I've decided to go for defaults on all systems, and accept Postfix. It's not "that" heavy. It is useful. Configuration is painless. It seems like there is more information about it in these forums than any other MTA/MSA. I don't want to fight with a unique configuration. I'm not qualified. Time is limited. I trust the recommendations of the ISPConfig team (includes the top contributors here). I hope this decision process helps someone.
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Based on a quick 'grep -R rkhunter /usr/local/ispconfig/' it is performed by the /usr/local/ispconfig/server/lib/classes/cron.d/100-monitor_rkhunter.inc.php cronjob (reading the cronjob shows it actually runs rkhunter and writes the output to the database, it does not use /var/log/rkhunter.log or similar).

    Yep, that's what it would require. Or more for a non-dev, one-time type contribution, if you didn't want to create a merge request, you could probably just post a functioning cronjob file either here or in the issue tracker, and someone else can format it into a MR. (Most anyone planning on doing ongoing contributions should just get things setup to create the MR themselves.)
     
    TonyG likes this.

Share This Page