Difference between revisions of "HowTos/ScalixSecurity"
(→Change POP greeting) |
(→Setting up stunnel) |
||
Line 265: | Line 265: | ||
connect = 143 | connect = 143 | ||
+ | # Caution: may create open relay | ||
+ | # See end of article for workaround information | ||
[ssmtp] | [ssmtp] | ||
accept = 465 | accept = 465 | ||
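Review bot: the two caution comments land between the [imaps] section's `connect = 143` line and the `[ssmtp]` header, so on a first read they look like they belong to the IMAP mapping; place them directly under `[ssmtp]` (or next to its `connect` line, which is the value the warning is about) so the scope is unambiguous, and since the workaround at the end of the article changes that `connect` target to `localhost:587`, consider saying so in the comment instead of only pointing at the end of the article.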
Line 375: | Line 377: | ||
exit $RETVAL | exit $RETVAL | ||
+ | |||
+ | ---- | ||
+ | |||
+ | '''CAUTION:''' using stunnel with SMTP may create an open relay. | ||
+ | Creating an stunnel map for SMTP may cause an open realy. The way that stunnel works is that it it accepts encrypted data on port X and redirects the unencrypted form of that data to port Y via the '''localhost''' interface. In the case of SMTP, connections from localhost do not require, and in some cases forbid, user authentication for mail relay functions. Scalix 11 has a work around. Rather than redirecting to port 25; redirect to port 587 in the stunnel.conf, and enable the smtpd SUBMIT interface in the smtpd.cfg. | ||
+ | |||
+ | ''stunnel.conf:'' | ||
+ | [ssmtp] | ||
+ | accept = 465 | ||
+ | connect = localhost:587 | ||
+ | |||
+ | ''/var/opt/scalix/XX/s/sys/smptd.cfg:'' | ||
+ | [LMTP] | ||
+ | SUBMIT=ON | ||
+ | |||
+ | [SUBMIT] | ||
+ | LISTEN=localhost:587 | ||
+ | ANONYMOUS Log_Reject ALL | ||
=== Let SMTP guests authenticate themselves === | === Let SMTP guests authenticate themselves === |
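Review bot: the new section's file path reads `smptd.cfg`, while the rest of the article (the SMTP greeting section) calls the file `smtpd.cfg`, and the `/var/opt/scalix/XX/s/sys/` prefix introduces an `XX` placeholder that the section never explains; fix the spelling and say what `XX` stands for. The prose also needs "realy" and the doubled "it it" corrected. The configuration itself is consistent with the risk it describes: `LISTEN=localhost:587` keeps the SUBMIT interface off external interfaces, which is what makes pointing stunnel at 587 rather than 25 a safe substitute, so it would help to state that the localhost binding is the part that must not be changed.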
Revision as of 21:09, 26 January 2009
Introduction
Securing your Scalix server is a way to provide your users with a stable platform that can be reached all the time. It prevents unauthorized access by people trying to gain control over it or to gather sensitive information stored on it. Last but not least, it prevents your machine from being used for other purposes, such as scanning or attacking other hosts and spamming through relaying.
This How-To describes how to secure Scalix based mail servers and how to keep them secure.
The systems used to test the solutions presented in this How-To were based on:
- CentOS 4.x with Scalix version 10.0.1 (RHEL 4 and Fedora Core 4 should behave similarly)
- CentOS 4.x with Scalix version 11.0.3 (RHEL 4 and Fedora Core 4 should behave similarly)
Note: This is work in progress and still incomplete. If you see any gaps or have comments please take some time and add them to this document, it helps others to implement secure servers that behave well on the internet.
Harden system and services
Hardening is the process of minimizing security vulnerabilities. This is done by eliminating as many security risks as possible, e.g. removing unused services and programs and/or preventing required services from supplying sensitive information.
Install Bastille-Linux
Bastille-Linux will help you harden your system as a whole. Before using this software please check whether your OS is supported on http://www.bastille-linux.org/running_bastille_on.htm (this is also where you can download the rpm or source files).
Install the latest Bastille-Linux rpm:
# rpm -ihv Bastille-3.0.9-1.0.noarch.rpm
Install perl-Curses to run Bastille-Linux in text mode (dag repo has to be available):
# yum install perl-Curses --enablerepo=dag
Run Bastille-Linux for text mode hardening:
# bastille -c
During the hardening process read the questions carefully.
- Do not deactivate or limit Sendmail and Apache
- Do not deactivate the symbolic links from the Apache document root if you have a site that needs them. However, check that the symbolic links do not point outside the Apache document root (# find /var/www/html/ -type l -exec ls -l {} \;), since that might pose a security risk.
- Determine whether you want the enhanced Bastille-Linux firewall or the simple built-in OS firewall (see section Setup firewall)
Afterwards you can see what Bastille-Linux did, using the logfiles in /var/log/Bastille/.
Change SMTP greeting
See http://www.scalix.com/wiki/index.php?title=HowTos/SMTP_Greeting
Important Note: Changing the EXTENSIONS= line can have side effects. The extensions listed there are advertised by the SMTP relay as part of the initial response to the connecting system's EHLO command. For example, if you remove the AUTH extension, clients will no longer try to authenticate, so this should not be done in environments where the SMTP port is also used for authenticated message submission. In case of doubt, leave the EXTENSIONS= line alone and change only the GREETING.
Note: the smtpd.cfg file is read only, use these commands to write to it:
# chmod u+w /var/opt/scalix/sys/smtpd.cfg
# vi /var/opt/scalix/sys/smtpd.cfg => "EXTENSIONS=" and "GREETING=SMTPd"
# chmod u-w /var/opt/scalix/sys/smtpd.cfg
Change POP greeting
Standard POP session:
$ telnet mail.yourdomain.net 110
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
+OK Scalix POP3 interface ready on: mail.yourdomain.net
quit
+OK POP3 Server connection terminated
Connection closed by foreign host.
As you can see the greeting line reveals the Scalix server (but not its version number). You can change the greeting by adding "POP3_GREETING=Pop3" to general.cfg and restarting pop3.
Restart the POP3 daemon:
# omoff -d 0 pop3
# omon pop3
Custom POP3 session:
$ telnet mail.yourdomain.net 110
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
+OK Pop3
quit
+OK POP3 Server connection terminated
Connection closed by foreign host.
Change IMAP greeting
Standard IMAP session:
$ telnet mail.yourdomain.net 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.
As you can see, both the greeting and the goodbye line reveal sensitive information. You can change the greeting by setting the IMAP_GREETING tag in general.cfg, e.g. by adding "IMAP_GREETING=IMAPd" to the file.
Restart the IMAP daemon:
# omoff -d0 -w imap
# omon imap
Custom IMAP session:
$ telnet mail.yourdomain.net 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK IMAPd
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.
It is not currently possible to configure the goodbye line, therefore the IMAP session still reveals the Scalix server (but not the version number anymore). An enhancement request has been entered on 28 AUG 2006.
Change Apache information
By default Apache supplies a lot of information about the system. In this section we will minimize the information provided.
- Replace default page
When you surf to http://mail.yourdomain.net you get the default page. This will tell you something like 'Apache 2 Test Page powered by CentOS'. Replace this with your own page or a blank page.
- Change error/header information
Telnet from the Linux command line to mailserver port 80 and ask for the header information (HEAD / HTTP).
$ telnet mail.yourdomain.net 80
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
HEAD / HTTP

HTTP/1.1 200 OK
Date: Tue, 29 Aug 2006 22:32:32 GMT
Server: Apache/2.0.52 (CentOS)
Last-Modified: Wed, 23 Aug 2006 22:09:41 GMT
ETag: "44f1f-9bd-998d1340"
Accept-Ranges: bytes
Content-Length: 2493
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.
As you can see, the telnet session reveals sensitive information. You can change this by editing the httpd.conf file: set the ServerTokens directive to Prod and the ServerSignature directive to Off. The last directive is outdated after Apache version 2.0.44, see http://www.sans.org/top20/2003/#u3 for more information.
Restart the HTTP daemon:
# service httpd restart
Telnet again to the mail server:
$ telnet mail.yourdomain.net 80
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
HEAD / HTTP

HTTP/1.1 200 OK
Date: Tue, 29 Aug 2006 23:04:44 GMT
Server: Apache
Last-Modified: Wed, 23 Aug 2006 22:09:41 GMT
ETag: "44f1f-9bd-998d1340"
Accept-Ranges: bytes
Content-Length: 2493
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.
The telnet session still contains the product name, but the version number and OS name are gone. You can change the product name by getting the Apache source code, editing the file httpd.h, and compiling and reinstalling Apache. However, keep in mind that you then can't use the Apache (and associated module) security updates for your system anymore. That might pose an even bigger security risk.
- Remove version numbers from the Webmail and SAC logon pages
...
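The POP3, IMAP and Apache sections above all come down to the same check: does the first line the service sends still name the product, its version or the OS? The script below is an added example, not code from the wiki page or from Scalix. It grades banner lines the way a reviewer of those telnet sessions would, and the transcripts it runs over are constructed from the sessions shown above; the product and OS word lists are assumptions you would extend for your own environment.

```shell
#!/bin/sh
# Added example (not from the original wiki page): grade service greeting
# lines for information leakage, so that the POP3_GREETING, IMAP_GREETING
# and ServerTokens changes can be verified from a saved transcript.

# Assumed word lists; extend them for the software you actually run.
PRODUCT_WORDS='Scalix|Apache|Sendmail'
OS_WORDS='CentOS|Red Hat|Fedora'

# Print what a single banner line ($1) leaks as a comma-separated list of
# "product", "version" and "os", or "none" when the line is clean.
# The version heuristic is "digits.digits[.digits...]", which is what the
# Scalix IMAP and Apache banners on the page expose.
banner_leaks() {
    line=$1
    leaks=""
    if printf '%s' "$line" | grep -Eq "$PRODUCT_WORDS"; then
        leaks="product"
    fi
    if printf '%s' "$line" | grep -Eq '[0-9]+\.[0-9]+(\.[0-9]+)*'; then
        leaks="${leaks:+$leaks,}version"
    fi
    if printf '%s' "$line" | grep -Eq "\\(($OS_WORDS)\\)"; then
        leaks="${leaks:+$leaks,}os"
    fi
    echo "${leaks:-none}"
}

# Read a protocol transcript on stdin and print every leaking line,
# prefixed by what it leaks. telnet's own chatter is skipped.
transcript_leaks() {
    while IFS= read -r line; do
        case "$line" in
            Trying*|Connected*|Escape*|Connection\ closed*) continue ;;
        esac
        found=$(banner_leaks "$line")
        [ "$found" = "none" ] || printf '%s\t%s\n' "$found" "$line"
    done
}

# Transcripts constructed from the standard and custom IMAP sessions above.
IMAP_BEFORE='* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed'

IMAP_AFTER='* OK IMAPd
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed'

echo "before:"; printf '%s\n' "$IMAP_BEFORE" | transcript_leaks   # 2 leaking lines
echo "after:";  printf '%s\n' "$IMAP_AFTER"  | transcript_leaks   # 1 leaking line (the BYE)
```

Running it over the "after" transcript still reports the goodbye line, which matches the article's remark that the BYE text cannot be configured; the Apache header pair from the section above grades as product,version,os before the ServerTokens change and as product afterwards.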
Run tomcat as non-root user
See http://www.scalix.com/wiki/index.php?title=HowTos/Tomcat
Notes:
1. See if tomcat is running as root:
# ps aux | grep tomcat
2. Create a user and a group named tomcat:
# useradd tomcat
3. Make tomcat actually run as non-root user:
# vi /etc/init.d/scalix-tomcat => make the startup and shutdown lines look like:
startup="/bin/su - tomcat -c $CATALINA_HOME/bin/startup.sh"
shutdown="/bin/su - tomcat -c $CATALINA_HOME/bin/shutdown.sh"
# chown -R tomcat.tomcat /opt/scalix-tomcat/
# chmod go+r /etc/opt/scalix/caa/scalix.res/config/psdata
4. Now do the things described in the link above.
5. Restart tomcat service:
# service scalix-tomcat restart
6. Check if tomcat is running as user tomcat:
# ps aux | grep tomcat
For troubleshooting you can have a look at the tomcat logfiles, located in /opt/scalix-tomcat/logs/. You can increase the verbosity of the logs by setting INFO to DEBUG in the /etc/opt/scalix/caa/config/log4j.properties file.
Warning: This section is not yet complete, there are still the following issues:
1. I don't know the security implication of giving the psdata file world read rights (but it keeps the errors out of caa.log).
2. Starting tomcat gives the following error, but it runs afterwards:
# /etc/init.d/scalix-tomcat.changed start
Starting Tomcat service: execvp: No such file or directory
                                                           [FAILED]
3. When I try to get the log of the RES service in SAC, I get "Password:" written on the console.
4. Stopping tomcat gives the following error AND it won't stop:
# /etc/init.d/scalix-tomcat.changed stop
Stopping Tomcat service: execvp: No such file or directory
                                                           [FAILED]
Please help to get this section complete, by solving these issues!
Set up SELinux
t.b.d. - anyone???
Use secure protocols
Force to use https
Force your users to use the https protocol instead of the http protocol when they want to use webmail or SAC. This way the information they supply won't be sent in plain text over the internet.
For Scalix 10.x and earlier, you achieve this by adding a VirtualHost section at the bottom of the Apache ssl.conf file (mod_ssl has to be installed for this to work).
<VirtualHost *:80>
    <LocationMatch "^/sac/*">
        RewriteEngine on
        RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
    </LocationMatch>
    <LocationMatch "^/webmail/*">
        RewriteEngine on
        RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
    </LocationMatch>
</VirtualHost>
For Scalix 11.x and higher, edit the instance-<scalix-server-hostname>.conf file in /etc/opt/scalix-tomcat/connector/jk and /etc/opt/scalix-tomcat/connector/ajp, replacing the VirtualHost section in both of these files,
<VirtualHost *:80>
    Include /etc/opt/scalix-tomcat/connector/<conn>/app-<scalix-server-hostname>.*.conf
</VirtualHost>
with,
<VirtualHost *:80>
    Include /etc/opt/scalix-tomcat/connector/<conn>/app-<scalix-server-hostname>.*.conf
    <LocationMatch "^/sac/*">
        RewriteEngine on
        RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
    </LocationMatch>
    <LocationMatch "^/webmail/*">
        RewriteEngine on
        RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
    </LocationMatch>
</VirtualHost>
Note: Replace <conn> with appropriate connector name and replace <scalix-server-hostname> with your Scalix Server hostname.
Note that the changes to these instance files get overwritten on each Scalix version update; this is a known issue and is to be resolved in the release after 11.0.4.
Setting up stunnel
stunnel can be configured to allow IMAPS, POP3S and SMTPS connections to the Scalix server as follows:
1) Edit /etc/stunnel/stunnel.conf to ensure the following lines are present and uncommented:
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
# Caution: may create open relay
# See end of article for workaround information
[ssmtp]
accept = 465
connect = 25
This configures the redirection from the secure ports to the non-secure ports. You would normally not open up the non-secure ports through the firewall. If your Scalix server is accepting incoming internet mail, you would also need to open port 25.
To enable Outlook connection via SSL (introduced with Scalix 11.3) you have to add the following lines to /etc/stunnel/stunnel.conf:
[uals]
accept = 5767
connect = 5729
If you want to use LDAP through a secure connection set:
[ldaps]
accept = 636
connect = 389
In a multihomed or clustered environment you should use the "host:port" syntax for the accept and connect lines.
2) Ensure that the stunnel certificate contains the correct information. /etc/stunnel/stunnel.conf has the following setting:
cert = /etc/stunnel/stunnel.pem
To create a new certificate, you can use the openssl Makefile.
cd /usr/share/ssl/certs
make /etc/stunnel/stunnel.pem
Enter in the requested information *but* make sure that the Common Name is entered as the hostname that users will be connecting to otherwise they will see certificate errors.
The following example init.d script can be used to ensure that stunnel is started at boot time.
#!/bin/bash
#
# stunnel       This shell script takes care of starting and stopping
#               stunnel
#
# chkconfig: 345 80 30
# description: Secure tunnel
# processname: stunnel
# config: /etc/stunnel/stunnel.conf
# pidfile: /var/run/stunnel/stunnel.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source stunnel configuration.
if [ -f /etc/sysconfig/stunnel ] ; then
    . /etc/sysconfig/stunnel
fi

RETVAL=0
prog="stunnel"

start() {
    # Start daemons.
    echo -n $"Starting $prog: "
    if test -x /usr/sbin/stunnel ; then
        /usr/sbin/stunnel
    fi
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/stunnel
    return $RETVAL
}

stop() {
    # Stop daemons.
    echo -n $"Shutting down $prog: "
    killproc stunnel
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/stunnel
    return $RETVAL
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    RETVAL=$?
    ;;
  condrestart)
    if [ -f /var/lock/subsys/stunnel ]; then
        stop
        start
        RETVAL=$?
    fi
    ;;
  status)
    status stunnel
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|condrestart|status}"
    exit 1
esac
exit $RETVAL
CAUTION: using stunnel with SMTP may create an open relay. Creating an stunnel map for SMTP may cause an open relay. The way stunnel works is that it accepts encrypted data on port X and redirects the unencrypted form of that data to port Y via the localhost interface. In the case of SMTP, connections from localhost do not require, and in some cases forbid, user authentication for mail relay functions. Scalix 11 has a workaround: rather than redirecting to port 25, redirect to port 587 in stunnel.conf, and enable the smtpd SUBMIT interface in smtpd.cfg.
stunnel.conf:
[ssmtp]
accept = 465
connect = localhost:587
/var/opt/scalix/XX/s/sys/smtpd.cfg:
[LMTP]
SUBMIT=ON

[SUBMIT]
LISTEN=localhost:587
ANONYMOUS Log_Reject ALL
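The open-relay caution above is easy to check mechanically: the question is where the [ssmtp] mapping delivers decrypted traffic, and whether the SUBMIT interface it should deliver to is enabled and bound to localhost only. The script below is an added example, not code from the wiki page or from Scalix. The configuration texts it audits are constructed from the stunnel.conf and smtpd.cfg fragments on this page; the verdict names are my own.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit the stunnel [ssmtp]
# mapping together with smtpd.cfg. Unwrapping SMTPS onto port 25 hands the
# connection to the relay as a trusted localhost peer; unwrapping it onto the
# SUBMIT port on localhost:587 keeps authentication in the path.

# Weak mapping, as in the first stunnel.conf listing in the article.
STUNNEL_WEAK='[pop3s]
accept = 995
connect = 110
[ssmtp]
accept = 465
connect = 25'

# Corrected mapping from the workaround above.
STUNNEL_FIXED='[pop3s]
accept = 995
connect = 110
[ssmtp]
accept = 465
connect = localhost:587'

# smtpd.cfg with the SUBMIT interface enabled and bound to localhost only.
SMTPD_FIXED='[LMTP]
SUBMIT=ON

[SUBMIT]
LISTEN=localhost:587
ANONYMOUS Log_Reject ALL'

# Print the "connect" value of the named stunnel section ($1); stdin is the conf.
stunnel_connect_target() {
    awk -v want="[$1]" '
        /^[ \t]*\[/ { insec = ($1 == want); next }
        insec && $1 == "connect" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    '
}

# Print "on" when smtpd.cfg enables SUBMIT and binds it to localhost:587,
# otherwise "off". A SUBMIT listener on any other address is treated as off,
# because then port 587 would itself be reachable from outside.
smtpd_submit_state() {
    awk '
        /^[ \t]*\[/ { sec = $1; next }
        sec == "[LMTP]"   && $0 ~ /^[ \t]*SUBMIT[ \t]*=[ \t]*ON/       { enabled = 1 }
        sec == "[SUBMIT]" && $0 ~ /^[ \t]*LISTEN[ \t]*=[ \t]*localhost:587/ { bound = 1 }
        END { print (enabled && bound) ? "on" : "off" }
    '
}

# Verdict for a stunnel.conf text ($1) and smtpd.cfg text ($2):
#   open-relay-risk  SMTPS is unwrapped onto port 25
#   ok               SMTPS goes to localhost:587 and SUBMIT is enabled there
#   submit-disabled  the mapping is right but smtpd.cfg is not
audit_ssmtp() {
    target=$(printf '%s\n' "$1" | stunnel_connect_target ssmtp)
    case "$target" in
        25|localhost:25|127.0.0.1:25) echo "open-relay-risk" ;;
        587|localhost:587|127.0.0.1:587)
            if [ "$(printf '%s\n' "$2" | smtpd_submit_state)" = "on" ]; then
                echo "ok"
            else
                echo "submit-disabled"
            fi ;;
        *) echo "unknown-target:$target" ;;
    esac
}

audit_ssmtp "$STUNNEL_WEAK"  "$SMTPD_FIXED"   # open-relay-risk
audit_ssmtp "$STUNNEL_FIXED" "$SMTPD_FIXED"   # ok
audit_ssmtp "$STUNNEL_FIXED" "[LMTP]"         # submit-disabled
```

To run it against a live server, replace the embedded texts with `cat /etc/stunnel/stunnel.conf` and the real smtpd.cfg path for your instance. Note that the mapping alone is not enough: the "submit-disabled" verdict exists because pointing stunnel at a port nothing listens on simply breaks SMTPS, while pointing it at a SUBMIT interface that is bound to all addresses exposes 587 directly.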
Let SMTP guests authenticate themselves
t.b.d. - anyone???
TLS with SMTP
Q: Does Scalix offer SSL support for both IMAP and SMTP connections from the client to the server?
A: Scalix does not have native TLS, but SSL support is handled through the use of stunnel.
- Scalix Knowledgebase Article # 124269
Setup firewall
Available services
Before you setup a firewall you have to determine which services are running on your system and which services need to be available from the outside:
# netstat -npl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5729            0.0.0.0:*               LISTEN      3010/advmail.sckd
tcp        0      0 0.0.0.0:9090            0.0.0.0:*               LISTEN      1652/httpd
tcp        0      0 0.0.0.0:9092            0.0.0.0:*               LISTEN      1627/python
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      3044/omslapd
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      1501/java
tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN      1501/java
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1057/mysqld
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      3081/pop3.server
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN      966/clamd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      3032/in.imap41d
tcp        0      0 0.0.0.0:44975           0.0.0.0:*               LISTEN      779/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      760/portmap
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      1603/postmaster
tcp        0      0 192.168.100.11:25       0.0.0.0:*               LISTEN      3700/omsmtpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1249/sendmail: acce
tcp        0      0 :::80                   :::*                    LISTEN      1479/httpd
tcp        0      0 :::22                   :::*                    LISTEN      944/sshd
tcp        0      0 :::443                  :::*                    LISTEN      1479/httpd
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           779/rpc.statd
udp        0      0 192.168.100.11:5766     0.0.0.0:*                           3029/omnssck
udp        0      0 127.0.0.1:5766          0.0.0.0:*                           3029/omnssck
udp        0      0 0.0.0.0:955             0.0.0.0:*                           779/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           760/portmap
udp        0      0 0.0.0.0:3450            0.0.0.0:*                           1501/java
udp        0      0 0.0.0.0:5757            0.0.0.0:*                           3022/omdrs
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     2506   1057/mysqld         /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     9728   3038/mime.control   /var/opt/scalix/temp/mime_browse
unix  2      [ ACC ]     STREAM     LISTENING     3718   1526/dbus-daemon-1  /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     4245   1603/postmaster     /tmp/.s.PGSQL.8081
unix  2      [ ACC ]     STREAM     LISTENING     13195  3702/omsmtpd        /var/opt/scalix/temp/smtpd_socket
unix  2      [ ACC ]     STREAM     LISTENING     9575   2979/omsessd        /var/opt/scalix/temp/sessd_socket
unix  2      [ ACC ]     STREAM     LISTENING     9626   2999/omlicmon       /var/opt/scalix/temp/lic
As you can see, there are a lot of services listening, and most of them don't need to be accessible from the outside. If you don't need a service at all, shut it down and remove it from the system; otherwise firewall it.
Here we assume we need to have ports 22 (ssh), 25 (smtp), 80 (http), 443 (https) and 5729 (scalixual) available; see the next two sections for how to configure that with your firewall.
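Reading a long netstat listing by eye is where exposed services get missed, so the following added example (not code from the wiki page or from Scalix) does the comparison mechanically: it parses `netstat -npl` output, keeps the listeners bound to a non-loopback address, and reports every port that is not on the allow list the article assumes (22, 25, 80, 443, 5729). The sample listing is constructed from a subset of the lines shown above.

```shell
#!/bin/sh
# Added example (not from the original wiki page): report listeners that
# are reachable from outside the host and are not on the expected-port list.

ALLOWED_PORTS="22 25 80 443 5729"

# Constructed sample, a subset of the netstat -npl listing in the article.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5729            0.0.0.0:*               LISTEN      3010/advmail.sckd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      3044/omslapd
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      1501/java
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1057/mysqld
tcp        0      0 192.168.100.11:25       0.0.0.0:*               LISTEN      3700/omsmtpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1249/sendmail: acce
tcp        0      0 :::80                   :::*                    LISTEN      1479/httpd
tcp        0      0 :::22                   :::*                    LISTEN      944/sshd
tcp        0      0 :::443                  :::*                    LISTEN      1479/httpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           760/portmap
udp        0      0 127.0.0.1:5766          0.0.0.0:*                           3029/omnssck'

# Print "proto port program" for every tcp/udp listener whose local address
# is not loopback. netstat output is read on stdin. UDP lines have no State
# column, so the program name is one field earlier than on TCP lines.
externally_bound() {
    awk '$1 == "tcp" || $1 == "udp" {
        addr = $4
        n = split(addr, parts, ":")          # port is the last ":"-separated part
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "::1") next
        prog = ($1 == "tcp") ? $7 : $6
        print $1, port, prog
    }'
}

# Print the externally bound listeners whose port is not on the allow list.
# $1: space-separated allow list; netstat output on stdin.
unexpected_listeners() {
    allow="$1"
    externally_bound | while read -r proto port prog; do
        case " $allow " in
            *" $port "*) ;;                    # expected, say nothing
            *) echo "$proto $port $prog" ;;
        esac
    done
}

# Number of unexpected listeners in the sample (a convenient pass/fail value).
unexpected_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED_PORTS" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED_PORTS"
```

On the sample this reports LDAP (389), MySQL (3306) and the portmapper (111/udp); on a real host pipe `netstat -npl` into `unexpected_listeners` instead of the embedded text. Anything it prints is a candidate either for removal or for the firewall rules in the next two sections, and a service that must stay local can often simply be rebound to 127.0.0.1, as the tomcat and clamd entries above already are.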
Default OS firewall
This firewall can be easily implemented with only the knowledge of the ports that have to be open for Scalix to function.
When you decided to use the default OS firewall over the Bastille-Linux firewall, you have to make sure that the Bastille-Linux firewall is disabled at boot time and the default OS firewall is enabled at boot time.
First shutdown and disable the Bastille-Linux firewall completely (if it is running):
# vi /etc/Bastille/config => PSAD.psad_config="N", Firewall.ip_enable_firewall="N" & Firewall.ip_intro="N"
# bastille -b
# service psad stop
# service bastille-firewall stop
# chkconfig psad off
# chkconfig bastille-firewall off
# chmod 0600 /etc/init.d/psad
# chmod 0600 /etc/init.d/bastille-firewall
As you can see from the list of commands, it was not easy to shutdown the Bastille-Linux firewall but it did the trick (there should be an easier way however).
Now you can enable and configure the standard OS firewall using:
# system-config-securitylevel => Enabled & Customize
# chkconfig --level 2345 iptables on
View the active iptables rules (it should at least accept packets on the ports you specified):
# iptables -L
...
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:scalixual
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
...
Bastille-Linux firewall
This is an advanced firewall, and to configure it you need in-depth knowledge of protocols, port numbers, interfaces and the psad software.
When you decided to use the Bastille-Linux firewall over the default OS firewall, you have to make sure that the default OS firewall is disabled at boot time and the Bastille-Linux firewall is enabled at boot time.
Deactivate the default OS firewall:
# system-config-securitylevel => Disabled
# chkconfig iptables off
Activate the Bastille-Linux firewall (possibly already configured during system hardening process):
# service bastille-firewall start
The firewall has its own configuration file (/etc/Bastille/bastille-firewall.cfg); however, only edit this file when the change can't be made in the global Bastille-Linux configuration file (/etc/Bastille/config). This way you avoid losing the specific firewall rules when running Bastille-Linux at a later date. The global Bastille-Linux configuration file can be executed by issuing the command:
# bastille -b
Another nice feature of the Bastille-Linux firewall is, that it can be integrated with the Port Scan Attack Detector psad. Installing this tool is easy, just execute the commands:
$ wget http://www.cipherdyne.com/psad/download/psad-1.4.6-1.i386.rpm
# rpm -ivh psad-1.4.6-1.i386.rpm
# cp -a /etc/psad/psad.conf /etc/psad/psad.conf.orig
# vi /etc/psad/psad.conf => you have to change the HOME_NET variable
# service psad start
The configuration of psad is difficult: you want to receive messages about scans but not about dropped packets. It can take some time to find the right configuration settings.
Keep secure
Update system
When you are done configuring and hardening your system you should keep it secure over time. Therefore always take action quickly when new updates and security patches become available.
System software can be updated using the command:
# yum -y update
This can be automated to ensure that you are always up to date, to do so execute:
# chkconfig yum on && service yum start
The downside of automating is that it sometimes breaks your configuration (over the last 7 years I had downtime once through a failed automatic update). Consider for yourself whether possible downtime outweighs the risk of being outdated for some time. When using other repos than the system repos (dag or kbsingh), don't enable them by default; I found out the hard way that my system was not updating at all due to conflicting packages in the different repos. The best workaround is to keep a list of the packages installed from the non-system repos and run a script to check for updates for these packages.
Non-system software can be updated as it becomes available from the vendor; Scalix belongs to this kind of software. To keep up to date, subscribe to the vendor's update & security email announcement list or, if available, use the automatic update service.
Scalix has no automatic update service or update & security email announce list. However, you can get update & security information emailed to you by subscribing to a daily digest from the 'Support Announcements' forum. This is done by selecting the 'Digests' option at the top of any page in the Scalix Community Forums.
Install Tripwire and Chkrootkit
This section is really a way to give you a feeling for whether your system is still secure and not compromised. It won't be 100% foolproof, but it monitors your system and warns you when strange things are happening on it.
Tripwire will monitor the system's critical files for modifications by creating a baseline database and periodically comparing the system files with this database afterwards.
To set it up have a look at this page http://lists.centos.org/pipermail/centos/2006-June/066071.html.
Updating the base line database after allowed changes (updates / configuration changes):
1. When there are a lot of allowed changes (through updating, for example) you can use:
# tripwire --update
Warning: do not use this after reading the daily tripwire email you get, in the meantime unauthorized changes could have been made. You don't want to approve those too, so first run a check and see if you still want to update.
2. When there are a few changes you can do so by running tripwire in interactive mode and approving the allowed changes:
# tripwire --check --interactive
Chkrootkit will monitor the system periodically for the installation of rootkits.
Install chkrootkit (dag repo has to be available):
# yum install chkrootkit --enablerepo=dag
Note: When you are using stunnel the following entries will show up in chkrootkit's output:
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `sniffer'... /proc/89/fd: Permission denied
eth0: not promisc and no PF_PACKET sockets
You may use fuser to identify which process is using tcp port 465:
# fuser -vn tcp 465
                     USER        PID ACCESS COMMAND
465/tcp              root       3891 f.... stunnel
Install ClamAV
Install ClamAV (dag repo has to be available):
# yum install clamd clamav clamav-db --enablerepo=dag
Note: Don't use the clamav packages from the kbsingh repo those are a nightmare to setup.
Start daemon:
# service clamd start
Update definition files:
# freshclam