Rkhunter SSH Warning

This how-to helps you fix an rkhunter SSH warning. If you get an rkhunter SSH warning, you should react immediately and check your system. This how-to shows you one way to do that.

Warning!

Never ignore rkhunter warnings: your system could indeed have been compromised by cyber criminals. You had better double check!

Before you start with this how-to, I strongly recommend making a full backup of your system. This how-to gives you no warranty of success. If you do not understand what you are doing, you risk damaging or destroying your system.

If this how-to does not help you, search for other sources on the internet. There are other rkhunter resources, for example on myhowto.blog.

Index:

  1. Rkhunter SSH Warning
  2. How to Fix Rkhunter SSH Warning
  3. Further information that you like to consider

Rkhunter SSH Warning

In the best case, the rkhunter SSH warning is caused by a recent software update; in the worst case (which this how-to does not cover) your system has been compromised by cyber criminals. If cyber criminals did compromise your system, you will probably need to find other sources on the internet, but you will most likely notice this while working through this how-to.

A software update can be the root cause, for example if you have activated automatic software updates. If that is not the case, and you have double checked that it is not, then this how-to may not help. This how-to assumes, and works for, systems with automated (headless) software updates.

Automated software updates replace your original files with the new, updated files. This happens, for example, when you have activated headless software updates. Because rkhunter does not update its stored hashes for the files on your system by itself, after an automated / headless software update it quite rightly observes that the hash value no longer matches. For this reason (in the scenario of this how-to) rkhunter raises a warning for SSH. You could also call this a false positive, since you wanted your system to update automatically.

Now, and this is key, let’s double check the error message from rkhunter. On my Debian based Linux system, the rkhunter log file is located in /var/log/. On your system it may be different and you will have to find out where it is.

First of all, let’s check the warnings by running:

cat /var/log/rkhunter.log | grep Warning

This, in my case printed:

[06:25:41]   /usr/sbin/sshd                                  [ Warning ]
[06:25:41] Warning: The file properties have changed:
[06:25:54]   /usr/bin/ssh                                    [ Warning ]
[06:25:54] Warning: The file properties have changed:

Now I know there was an issue around 06:25. So let’s see more. Run the command:

cat /var/log/rkhunter.log | grep 06:25

With this, my server gives me more information from the rkhunter log file. This information includes:

[06:25:54]   /usr/bin/ssh                                    [ Warning ]
[06:25:54] Warning: The file properties have changed:
[06:25:54]          File: /usr/bin/ssh
[06:25:54]          Current hash: 1cbXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx43b
[06:25:54]          Stored hash : 32bdxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx736
[06:25:54]          Current inode: 5414    Stored inode: 6562
[06:25:54]          Current size: 731944    Stored size: 727848
[06:25:54]          Current file modification time: 1680080543 (29-Mar-2023 11:02:23)
[06:25:54]          Stored file modification time : 1580504134 (31-Jan-2020 21:55:34)
[06:25:54]   /usr/bin/stat                                   [ OK ]

This information tells you that the hash value of /usr/bin/ssh changed. Now, is this for a good or a bad reason? A good reason would be that ssh was updated by a regular software or security update. Let’s find out whether this is true in the next chapter, Software / Security Updates.

Software / Security Updates

Let’s check the log file of the automated / headless software updates. While doing so, you are interested in whether there was an update for SSH. You can do this by running the command below:

cat /var/log/apt/history.log | grep ssh

In my case, my system told me:

Upgrade: openssh-sftp-server:amd64 (1:7.9p1-10+deb10u2, 1:7.9p1-10+deb10u3), openssh-server:amd64 (1:7.9p1-10+deb10u2, 1:7.9p1-10+deb10u3), openssh-client:amd64 (1:7.9p1-10+deb10u2, 1:7.9p1-10+deb10u3)

Bingo!

There was an update of openssh! Now let’s make sure the timeline fits. The timeline should of course be very close to when rkhunter first alerted you. Basically, you would expect the system to update first and rkhunter to alert afterwards. This means the software update for SSH should have happened before rkhunter sent you the first alert. Let’s check! To do so, run the command:

cat /var/log/apt/history.log

This lets you scroll down until you find “openssh-****”. It could for example look like this:

Start-Date: 2023-08-17  04:48:49
Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y -o APT::Get::Show-Upgraded=true
Upgrade: openssh-sftp-server:amd64 (1:7.9p1-10+deb10u2, 1:7.9p1-10+deb10u3), openssh-server:amd64 (1:7.9p1-10+deb10u2, 1:7.9p1-10+deb10u3), openssh-client:amd64 (1:7.9p1-10+deb10u2, 1:7.9p1-10+deb10u3)
End-Date: 2023-08-17  04:48:54

This information tells you that the openssh update happened on August 17 at 04:48. Remember: with the check of the rkhunter log file above, we found that rkhunter alerted at 06:25. That is a bit later, about 1.5 hours later. Bingo!

So what basically happened is that at 04:48 a software update for ssh was executed. At 06:25, when rkhunter checked the system, it found that the hash value of the file was no longer the same, so it sent the alert. This is absolutely the correct behaviour of rkhunter, but it is a false positive, as the software update is an expected event.
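The same correlation done by script, as an added example that is not part of the original how-to: it pulls the warning time for each flagged file from the rkhunter log, the Start-Date of the apt run that upgraded the owning package from the apt history log, and only accepts the warning as explained when the upgrade came first. Both logs are constructed samples trimmed to the relevant lines, and the file-to-package pairs are assumed to be what dpkg -S would report on Debian.

```shell
#!/bin/sh
# Added example (not from the how-to): correlate rkhunter "file properties
# have changed" warnings with the apt history log, as the text does by hand.
# Both logs below are constructed samples trimmed to the relevant lines.
RKHUNTER_LOG=$(mktemp); APT_LOG=$(mktemp)
cat > "$RKHUNTER_LOG" <<'EOF'
[06:25:41]   /usr/sbin/sshd                                  [ Warning ]
[06:25:41] Warning: The file properties have changed:
[06:25:41]          File: /usr/sbin/sshd
[06:25:54]   /usr/bin/ssh                                    [ Warning ]
[06:25:54] Warning: The file properties have changed:
[06:25:54]          File: /usr/bin/ssh
[06:25:54]   /usr/bin/stat                                   [ OK ]
EOF
cat > "$APT_LOG" <<'EOF'
Start-Date: 2023-08-17  04:48:49
Commandline: /usr/bin/apt-get -o quiet=1 dist-upgrade -y
Upgrade: openssh-server:amd64 (1:7.9p1-10+deb10u2, 1:7.9p1-10+deb10u3), openssh-client:amd64 (1:7.9p1-10+deb10u2, 1:7.9p1-10+deb10u3)
End-Date: 2023-08-17  04:48:54
EOF
# HH:MM:SS of the first "[ Warning ]" line for FILE in the rkhunter log;
# empty when the file was reported OK or not at all.
warning_time() {  # warning_time FILE RKHUNTER_LOG
  grep -F "$1 " "$2" | grep -F '[ Warning ]' | head -n 1 | sed 's/^\[\([0-9:]*\)].*/\1/'
}
# "YYYY-MM-DD HH:MM:SS" of the apt run whose Upgrade: line lists PKG; empty if none.
upgrade_time() {  # upgrade_time PKG APT_LOG
  awk -v pkg="$1" '/^Start-Date:/ { start = $2 " " $3 }
    /^Upgrade:/ && index($0, pkg ":") { print start; exit }' "$2"
}
to_secs() { echo "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'; }
# Succeeds only when PKG was upgraded earlier than the warning on FILE.
# rkhunter's log lines carry a time but no date, so, like the how-to, this
# compares times of the same day. On a real host get PKG from: dpkg -S FILE
timeline_fits() {  # timeline_fits FILE PKG RKHUNTER_LOG APT_LOG
  w=$(warning_time "$1" "$3"); u=$(upgrade_time "$2" "$4")
  [ -n "$w" ] && [ -n "$u" ] && [ "$(to_secs "${u#* }")" -lt "$(to_secs "$w")" ]
}
# File/package pairs as dpkg -S would report them on Debian (assumed here).
for pair in /usr/sbin/sshd:openssh-server /usr/bin/ssh:openssh-client; do
  f=${pair%%:*}; p=${pair#*:}
  if timeline_fits "$f" "$p" "$RKHUNTER_LOG" "$APT_LOG"; then
    echo "$f: warning is explained by an upgrade of $p"
  else echo "$f: no earlier upgrade of $p found, investigate"; fi
done
```

A flagged file whose package has no earlier upgrade entry is exactly the case the how-to says it does not cover, and the script reports it separately instead of treating it as a false positive.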

Rkhunter – How to fix a false positive alert

To do so, we need to update the rkhunter file properties database. We can do this with a simple command:

rkhunter --propupd

Once you have done this, your database should be updated. Now you can check that the updated configuration is working by executing:

rkhunter -c --enable all --disable none --rwo

Once all is fine, you are done.

Further information that you like to consider

There are various sources on the internet that let you dive deeper into the rkhunter specifics. Below you find some links that may help you: