rkhunter hidden ports

Hi.

I upgraded raspbian from jessie to stretch, and now I keep getting this in the rkhunter output:

Warning: Hidden ports found:
    Port number: UDP:111 is being used by /sbin/rpcbind
    Port number: UDP:123 is being used by /usr/sbin/ntpd
    Port number: UDP:38243 is being used by /usr/bin/transmission-daemon
    Port number: UDP:51413 is being used by /usr/bin/transmission-daemon
    Port number: UDP:5353 is being used by /usr/sbin/avahi-daemon
    Port number: UDP:60282 is being used by /usr/sbin/avahi-daemon
    Port number: UDP:68 is being used by /sbin/dhcpcd5
    Port number: UDP:964 is being used by /sbin/rpcbind

(I am using transmission-daemon and ntpd.) Are these 'noise'?

Reply to
Fred Smith

Very likely using ntpd - network time protocol - to set the system time since rpi has no real time clock (unless you've added one).

transmission, less likely. I believe it is a bittorrent client, so you could have used it to download some files.

Reply to
ray carter

Needed for NFS, mostly. You can turn it off.


ntpd is good.

Bittorrent client.

Completely dispensable.


Is this machine meant to be a DHCP _server_?

Reply to
Roger Bell_West

Do they show up in an "nmap -Pn" scan?

Do you ever run "rkhunter --propupd"? If so, does that make these Port Number reports go away?

--
Martin    | martin at 
Gregorie  | gregorie dot org
Reply to
Martin Gregorie

The second c in dhcpcd5 stands for client. See

formatting link

best regards Ulf

Reply to
Ulf Volmer

OK, thanks:

sudo systemctl stop rpcbind.service
sudo systemctl stop rpcbind.socket
sudo systemctl stop rpcbind.target
sudo systemctl disable rpcbind
sudo systemctl disable rpcbind.socket
sudo systemctl disable rpcbind.target

Yes, I've been running both for years, but this is the first time it's come up in rkhunter output.

OK, thanks:

sudo systemctl disable avahi-daemon
sudo systemctl disable avahi-daemon.socket
sudo systemctl stop avahi-daemon
sudo systemctl stop avahi-daemon.socket

and reboot and run rkhunter again. The rpcbind and avahi-daemon ports have disappeared from the output.

Definitely not *meant* to be. Where do I configure that?

Reply to
Fred Smith

As another poster pointed out, this is a client daemon.

I generally use dhclient, which doesn't need to keep a port open.

Reply to
Roger Bell_West

DHCP is an extension to BOOTP, and both need to use UDP ports 67 and 68.

--

-TV
Reply to
Tauno Voipio

So am I right to whitelist UDP ports 123 (ntpd), 38243 and 51413 (transmission-daemon), and 68 (dhcpcd5) in /etc/rkhunter.conf.local?

As I mentioned earlier, I have now disabled rpcbind and avahi-daemon. Is there any good reason why those were enabled by default in raspbian?

thanks

Reply to
Fred Smith
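
An added example, not part of any post in this thread: a small Python triage helper that parses the "Hidden ports found" warning quoted in the first post and emits whitelist entries only for the binary/port pairs the operator has explicitly approved, leaving everything else for review. It assumes rkhunter's PORT_PATH_WHITELIST option with pathname:protocol:port entries, one option line per entry; the function names and the approved set (the ports proposed in the post above) are illustrative.

```python
import re

# Constructed sample: the warning text as quoted in the first post.
SAMPLE_WARNING = """Warning: Hidden ports found:
Port number: UDP:111 is being used by /sbin/rpcbind
Port number: UDP:123 is being used by /usr/sbin/ntpd
Port number: UDP:38243 is being used by /usr/bin/transmission-daemon
Port number: UDP:51413 is being used by /usr/bin/transmission-daemon
Port number: UDP:5353 is being used by /usr/sbin/avahi-daemon
Port number: UDP:60282 is being used by /usr/sbin/avahi-daemon
Port number: UDP:68 is being used by /sbin/dhcpcd5
Port number: UDP:964 is being used by /sbin/rpcbind
"""

# Matches one finding whether the log has one per line or all on one line.
PORT_RE = re.compile(r"Port number:\s*(TCP|UDP):(\d+) is being used by (\S+)")

# Operator-approved (protocol, port) pairs per executable (illustrative).
APPROVED = {
    "/usr/sbin/ntpd": {("UDP", 123)},
    "/usr/bin/transmission-daemon": {("UDP", 38243), ("UDP", 51413)},
    "/sbin/dhcpcd5": {("UDP", 68)},
}

def parse_hidden_ports(text):
    """Return sorted, de-duplicated (path, proto, port) tuples."""
    return sorted({(m.group(3), m.group(1), int(m.group(2)))
                   for m in PORT_RE.finditer(text)})

def triage(findings, approved):
    """Split findings into whitelist entries and items still needing review."""
    entries, review = [], []
    for path, proto, port in findings:
        if (proto, port) in approved.get(path, set()):
            entries.append(f"{path}:{proto}:{port}")
        else:
            review.append((path, proto, port))
    return entries, review

def whitelist_lines(entries):
    """Format entries for /etc/rkhunter.conf.local (assumed option name)."""
    return [f"PORT_PATH_WHITELIST={e}" for e in entries]

if __name__ == "__main__":
    entries, review = triage(parse_hidden_ports(SAMPLE_WARNING), APPROVED)
    print("\n".join(whitelist_lines(entries)))
    for path, proto, port in review:
        print(f"# REVIEW: {proto}:{port} used by {path} (not approved)")
```

Anything printed as REVIEW is a service to disable or investigate rather than whitelist, which is how rpcbind and avahi-daemon were handled earlier in the thread.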

For every person who says 'what is this demon doing' there are probably 100 who would say 'why is service XXX not working'

Besides Poettering developed Avahi, and Poettering is God. Or thinks he is, anyway.

--
"Socialist governments traditionally do make a financial mess. They  
always run out of other people's money. It's quite a characteristic of them" 

Margaret Thatcher
Reply to
The Natural Philosopher
