Home » Forum » Trisquel users
Submitted by FernandoV on Sun, 05/24/2020 - 15:46

strange UFW blocks on startup

4 replies [Last post]
Sun, 05/24/2020 - 15:46
FernandoV
FernandoV
Offline
Joined: 03/22/2019

Hello, need some security advice. When I booted my trisquel MINI today I got this in dmesg:

[ 161.844271] wlp7s0: associated
[ 161.983982] IPv6: ADDRCONF(NETDEV_CHANGE): wlp7s0: link becomes ready
[ 162.183763] [UFW BLOCK] IN=wlp7s0 OUT= MAC= SRC=192.168.1.2 DST=224.0.0.252 LEN=53 TOS=0x00 PREC=0x00 TTL=255 ID=27883 PROTO=UDP SPT=5355 DPT=5355 LEN=33
[ 162.434936] [UFW BLOCK] IN=wlp7s0 OUT= MAC= SRC=192.168.1.2 DST=224.0.0.252 LEN=53 TOS=0x00 PREC=0x00 TTL=255 ID=27891 PROTO=UDP SPT=5355 DPT=5355 LEN=33

I have no programs configured to start on boot. There should be no calls to outside?

I tried to find some info on the ip 224.0.0.252 to no avail.

Top
  • +1
    0
    -1
    Please use the rating system to mark posts that go against the Community Guidelines
Sun, 05/24/2020 - 16:03
#1
FernandoV
FernandoV
Offline
Joined: 03/22/2019

Also ran rkhunter script. Found something:

[16:49:19] /usr/bin/lwp-request [ Warning ]
[16:49:19] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable

Info: Found an SSH configuration file: /etc/ssh/sshd_config
[16:51:28] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[16:51:28] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[16:51:28] Checking if SSH root access is allowed [ Warning ]
[16:51:29] Warning: The SSH and rkhunter configuration options should be the same:
[16:51:29] SSH configuration option 'PermitRootLogin': prohibit-password
[16:51:29] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

[16:51:34] Warning: Hidden directory found: /etc/.java
[16:51:34] Warning: Hidden file found: /etc/.sudoers.tmp.swp: data

That file /etc/.sudoers.tmp.swp contains one line: "b0nano 2.5.3"

This and misconfigured SSH to allow root login makes me a bit nervous.

Where can I check what executes on startup? Should I delete the suspicious files?
I disabled SSH root login right away. I never configured it myself, so the options are *somebody* configed it, or it was this way with default trisquel install.

Top
  • +1
    0
    -1
    Please use the rating system to mark posts that go against the Community Guidelines
Tue, 05/26/2020 - 19:17
#2
amenex
amenex
Offline
Joined: 01/04/2015

Magic Banana said:
By default, Trisquel does not have a root user. As a consequence, it cannot log in, even locally.

When mate's System Monitor is running, under Processes, the following programs appear with user set to root:
ksoftirqd/0, ksoftirqd/2, or ksoftirqd/3, and Xorg occasionally, as the need occurs.

I've even seen "nobody" running dnsmasq.

It would be a relief to know that this is normal operation.

The rest of us get root privileges with sudo.

George Langford

Top
  • +1
    0
    -1
    Please use the rating system to mark posts that go against the Community Guidelines
Tue, 05/26/2020 - 21:19
#3
Magic Banana
Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

It is normal operation. The k at the beginning of each of those processes stands for "kernel". The kernel obviously runs with all privileges. And, as you write, so does everything you execute with 'sudo'. But that does not entail a root user can log in. The root user always exists. However, on Trisquel, it cannot log in unless you first define a password for it (with 'sudo passwd root').

Top
  • +1
    0
    -1
    Please use the rating system to mark posts that go against the Community Guidelines
Thu, 05/28/2020 - 00:31
#4
FernandoV
FernandoV
Offline
Joined: 03/22/2019

Thank you for your reassurance.

Top
  • +1
    0
    -1
    Please use the rating system to mark posts that go against the Community Guidelines