6

I'm trying to figure out in the rkhunter config how I can whitelist the detection of certain ports, such as ports used for IRCds, and other ports which I have for services which run on non-standard ports.

Does anyone know how to configure this so that rkhunter does not throw warnings about detecting the ports I wish to whitelist?

Thomas Ward
  • 78,878

2 Answers

5

You edit /etc/rkhunter.conf

# command line
sudo -e /etc/rkhunter.conf

# graphical
gksu gedit /etc/rkhunter.conf

Under the WHITELIST_PORTS section, add your whitelist. The configuration file has examples.

# Syntax /full/path/to/binary Protocol:port
# Protocol = TCP / UDP 
# You may use wildcards

PORT_WHITELIST="/usr/sbin/privoxy TCP:8118"

# For multiple binaries / ports, list them as per the config file
PORT_WHITELIST="/usr/sbin/privoxy /usr/sbin/squid TCP:8118 TCP:3128"

# Alternate
PORT_WHITELIST="* TCP:22 TCP:80 TCP:443 TCP:8080"
Panther
  • 104,528
1

The response from @Panther is correct. However, you can also white-list the whole path of an executable. Example:

  • White-list all open ports for executable /usr/sbin/squid

PORT_PATH_WHITELIST=/usr/sbin/squid

  • White-list TCP port 3801 for executable /usr/sbin/squid

PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801

All of this, with additional explanation, is written in the rkhunter.conf file.

P.S.: I just bumped into this and I feel that somebody can benefit from it in the future.
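A whitelist entry that is broader than intended silences a check rkhunter would otherwise report, so it is worth reviewing these lines after editing. The following is an added example, not part of either answer and not rkhunter code: a small Python audit of the PORT_WHITELIST and PORT_PATH_WHITELIST forms shown above. The function names and sample config are constructed, and it assumes the protocol is written in upper case as in the answers.

```python
import re

# Constructed sample config using the entry forms shown in the answers above.
SAMPLE_CONF = '''\
PORT_WHITELIST="/usr/sbin/privoxy /usr/sbin/squid TCP:8118 TCP:3128"
PORT_WHITELIST="* TCP:22 TCP:99999"
PORT_WHITELIST=\u201d/usr/sbin/privoxy TCP:8118\u2033
PORT_PATH_WHITELIST=/usr/sbin/squid
PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
'''

OPTION = re.compile(r'^(PORT_WHITELIST|PORT_PATH_WHITELIST)\s*=\s*(.*)$')
PROTO_PORT = re.compile(r'^(TCP|UDP):(\d+)$')  # assumption: upper-case only
CURLY = '\u201c\u201d\u2033\u2018\u2019'       # typographic quotes from copy-paste

def check_proto_port(token):
    """Return a problem description, or None if token is a valid PROTOCOL:port."""
    m = PROTO_PORT.match(token)
    if not m:
        return 'not in PROTOCOL:port form'
    return None if 1 <= int(m.group(2)) <= 65535 else 'port out of range 1-65535'

def audit(conf_text):
    """Return (line number, severity, message) for each questionable entry."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        m = OPTION.match(raw.strip())   # commented-out lines do not match
        if not m:
            continue
        option, value = m.groups()
        if any(c in value for c in CURLY):
            findings.append((lineno, 'error', 'typographic quotes in value'))
            continue
        for token in value.strip('"\'').split():
            if option == 'PORT_WHITELIST':
                if token == '*':      # wildcard in place of a binary path
                    findings.append((lineno, 'broad', 'wildcard entry'))
                elif not token.startswith('/') and (p := check_proto_port(token)):
                    findings.append((lineno, 'error', f'{token}: {p}'))
            else:
                path, _, rest = token.partition(':')
                if not rest:          # bare path: every port of that binary
                    findings.append((lineno, 'broad', f'{path}: all ports whitelisted'))
                elif (p := check_proto_port(rest)):
                    findings.append((lineno, 'error', f'{token}: {p}'))
    return findings

if __name__ == '__main__':
    print(*audit(SAMPLE_CONF), sep='\n')
```

Entries reported as `broad` are valid but worth narrowing to a specific binary and port where possible; `error` entries are ones this script could not read as a whitelist entry.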