rkhunter warning: Found enabled xinetd service: /etc/xinetd.d/nrpe

On my publicly reachable servers I’ve installed, for security reasons and among some other tools, Rootkit Hunter.

What does rkhunter do?

Rkhunter is much like a virus scanner for a Windows system.
It has definitions to help identify rootkits and reports them. Like any tool, rkhunter isn’t 100% accurate, but it weeds out the majority of rootkits. When rkhunter runs, it examines various system files, conf files, and bin directories. The results are cross-referenced against the results of infected systems (from the definitions) and then compiled. This is where *nix systems really shine. While your OS may vary, along with how it’s compiled or configured, the file system and configuration are basically the same.
This allows programs like rkhunter to provide results with a fairly small window for error or false positives.

While the installation via the distribution repositories is trivial, fine-tuning the rkhunter.conf file is a different matter, since we have to tailor it to our system’s configuration and deal with false positive warning messages. Receiving those periodically, in fact, lowers the attention we pay to the signals coming from the server.

So it’s a good idea to read the README file provided by your distribution’s package. On a CentOS 5.8 system of mine you can do that with a simple:

 more /usr/share/doc/rkhunter-1.4.0/README

One of the most annoying false positive warning messages I had to deal with was the one regarding the Nagios NRPE plugin running as an xinetd service.

The solution I found after some googling was to edit the /etc/rkhunter.conf file in this way:

# This setting tells rkhunter where the xinetd configuration
# file is located.
#	^^^ de-commented by me $INSERT-DATE
#	^^^ added by me $INSERT-DATE

This has solved the issue and I got no more warnings about it!
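
A whitelisted service no longer raises a warning, so it pays to check now and then which enabled xinetd services are covered by the whitelist and which are not. The script below is an added example, not part of the original post: it assumes the whitelist is kept in rkhunter's XINETD_ALLOWED_SVC option, treats a service file containing `disable = no` as enabled, and runs against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the original post): list enabled xinetd service
# files that rkhunter.conf does not whitelist via XINETD_ALLOWED_SVC.

# Print each path named on XINETD_ALLOWED_SVC lines (space-separated,
# the option may appear more than once).
allowed_services() {
    sed -n 's/^[[:space:]]*XINETD_ALLOWED_SVC=//p' "$1" |
        tr -s ' \t"' '\n\n\n' | sed '/^$/d'
}

# Succeed when a service file carries an explicit "disable = no".
# Assumption: this is the condition behind the warning in the post's title.
is_enabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# unlisted_services CONF DIR: enabled service files in DIR missing from CONF.
unlisted_services() {
    allowed=$(allowed_services "$1")
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        is_enabled "$f" || continue
        printf '%s\n' "$allowed" | grep -Fxq "$f" || printf '%s\n' "$f"
    done
}

# Constructed sample data: nrpe enabled and whitelisted, telnet enabled
# but not whitelisted, rsync disabled.
tmp=$(mktemp -d)
mkdir "$tmp/xinetd.d"
printf 'service nrpe\n{\n\tdisable = no\n}\n'   > "$tmp/xinetd.d/nrpe"
printf 'service telnet\n{\n\tdisable = no\n}\n' > "$tmp/xinetd.d/telnet"
printf 'service rsync\n{\n\tdisable = yes\n}\n' > "$tmp/xinetd.d/rsync"
printf 'XINETD_CONF_PATH=%s\nXINETD_ALLOWED_SVC=%s\n' \
    "$tmp/xinetd.conf" "$tmp/xinetd.d/nrpe" > "$tmp/rkhunter.conf"

# Prints only the telnet file: enabled, but absent from the whitelist.
unlisted_services "$tmp/rkhunter.conf" "$tmp/xinetd.d"
# On a real host: unlisted_services /etc/rkhunter.conf /etc/xinetd.d
```

Anything the function prints on a real host is a service rkhunter would still warn about; an empty result means every enabled service has been whitelisted, which is the moment to confirm each entry is one you meant to allow.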

Published by kOoLiNuS

♂, Italian, male, husband, dad of a wonder, “cazzaro”, friendly, blogger, motorcyclist, geek, avid reader, sysadmin, ICT consultant, curious. I come in peace… I've been an active social networker since 1999. I've been using WordPress since 2004 and WordPress.com since 2006, and I'm currently involved in WordPress and WooCommerce communities in Bari, Apulia.
