strange UFW blocks on startup

4 réponses [Dernière contribution]
FernandoV
Hors ligne
A rejoint: 03/22/2019

Hello, need some security advice. When I booted my trisquel MINI today I got this in dmesg:

[ 161.844271] wlp7s0: associated
[ 161.983982] IPv6: ADDRCONF(NETDEV_CHANGE): wlp7s0: link becomes ready
[ 162.183763] [UFW BLOCK] IN=wlp7s0 OUT= MAC= SRC=192.168.1.2 DST=224.0.0.252 LEN=53 TOS=0x00 PREC=0x00 TTL=255 ID=27883 PROTO=UDP SPT=5355 DPT=5355 LEN=33
[ 162.434936] [UFW BLOCK] IN=wlp7s0 OUT= MAC= SRC=192.168.1.2 DST=224.0.0.252 LEN=53 TOS=0x00 PREC=0x00 TTL=255 ID=27891 PROTO=UDP SPT=5355 DPT=5355 LEN=33

I have no programs configured to start on boot. There should be no calls to outside?

I tried to find some info on the ip 224.0.0.252 to no avail.

FernandoV
Hors ligne
A rejoint: 03/22/2019

Also ran rkhunter script. Found something:

[16:49:19] /usr/bin/lwp-request [ Warning ]
[16:49:19] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable

Info: Found an SSH configuration file: /etc/ssh/sshd_config
[16:51:28] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[16:51:28] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[16:51:28] Checking if SSH root access is allowed [ Warning ]
[16:51:29] Warning: The SSH and rkhunter configuration options should be the same:
[16:51:29] SSH configuration option 'PermitRootLogin': prohibit-password
[16:51:29] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

[16:51:34] Warning: Hidden directory found: /etc/.java
[16:51:34] Warning: Hidden file found: /etc/.sudoers.tmp.swp: data

That file /etc/.sudoers.tmp.swp contains one line: "b0nano 2.5.3"

This and misconfigured SSH to allow root login makes me a bit nervous.

Where can I check what executes on startup? Should I delete the suspicious files?
I disabled SSH root login right away. I never configured it myself, so the options are *somebody* configed it, or it was this way with default trisquel install.

amenex
Hors ligne
A rejoint: 01/03/2015

Magic Banana said:
By default, Trisquel does not have a root user. As a consequence, it cannot log in, even locally.

When mate's System Monitor is running, under Processes, the following programs appear with user set to root:
ksoftirqd/0, ksoftirqd/2, or ksoftirqd/3, and Xorg occasionally, as the need occurs.

I've even seen "nobody" running dnsmasq.

It would be a relief to know that this is normal operation.

The rest of us get root privileges with sudo.

George Langford

Magic Banana

I am a member!

I am a translator!

Hors ligne
A rejoint: 07/24/2010

It is normal operation. The k at the beginning of each of those processes stands for "kernel". The kernel obviously runs with all privileges. And, as you write, so does everything you execute with 'sudo'. But that does not entail a root user can log in. The root user always exists. However, on Trisquel, it cannot log in unless you first define a password for it (with 'sudo passwd root').

FernandoV
Hors ligne
A rejoint: 03/22/2019

Thank you for your reassurance.