rkhunter reports numerous warnings on haproxy open ports

Asked Nov 28 '20 at 09:08

Active Nov 28 '20 at 09:08

Viewed 175 times

Recently I have installed RKhunter (v1.4.2) on a couple of loadbalancers ( Haproxy 2.0.14 ) running on Debian 9. Stretch. While performing a full system check I'm getting a lot or warnings about tcp ports being used by Haproxy. They look like this:

         Use the 'lsof -i' or 'netstat -an' command to check this.
Warning: Network TCP port 13000 is being used by /usr/sbin/haproxy. Possible rootkit: Possible Universal Rootkit (URK) SSH server
         Use the 'lsof -i' or 'netstat -an' command to check this.
Warning: Network TCP port 47018 is being used by /usr/sbin/haproxy. Possible rootkit: Possible Universal Rootkit (URK) component
         Use the 'lsof -i' or 'netstat -an' command to check this.*

Also, it seems that I cannot simply whitelist those ports as they seem to keep changing. What one would do in this case ?

asked Nov 28 '20 at 09:08

cparfon

Maybe haproxy is opening the port at a low-level, and rkhunter is freaking at that? – Ángel Nov 30 '20 at 02:30
Yeah, that's precisely what is happening. – cparfon Dec 02 '20 at 07:08

rkhunter reports numerous warnings on haproxy open ports

0 Answers0