
Rkhunter shows that nginx uses two UDP ports rather than 80 and 443, which I have of course enabled, but not those which rkhunter shows as hidden ports:

```
[12:56:58]   Checking for hidden ports                       [ Warning ]
[12:56:58] Warning: Hidden ports found:
[12:56:58]          Port number: UDP:38885 is being used by /usr/sbin/nginx
[12:56:58]          Port number: UDP:41551 is being used by /usr/sbin/nginx
```

But the problem is that `netstat -tulpen` does not show these ports:

```
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      106        5680        953/mysqld
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      0          5679        1165/smbd
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      109        10695       879/memcached
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          1491203     9596/nginx.conf
tcp        0      0 127.0.0.1:4949          0.0.0.0:*               LISTEN      0          9833        1097/perl
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      113        8904        872/named
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          9967        1454/master
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      113        8909        872/named
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          1491204     9596/nginx.conf
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      0          5678        1165/smbd
tcp        0      0 0.0.0.0:14081           0.0.0.0:*               LISTEN      0          9761        876/sshd
tcp6       0      0 ::1:953                 :::*                    LISTEN      113        8910        872/named
tcp6       0      0 :::14081                :::*                    LISTEN      0          9763        876/sshd
udp        0      0 127.0.0.1:11211         0.0.0.0:*                           109        10696       879/memcached
udp        0      0 127.0.0.1:53            0.0.0.0:*                           113        8903        872/named
udp     4480      0 0.0.0.0:137             0.0.0.0:*                           0          9110        1080/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           0          9111        1080/nmbd
```

So, what is wrong?

fkin
  • Maybe this can help you: `udp 0 0 (my.ip):38885 8.8.8.8:53 ESTABLISHED 9597/nginx: worker` – fkin Mar 13 '16 at 14:03
  • That's a regular connection between `nginx` and a DNS name server (port 53) – Richard Smith Mar 13 '16 at 14:05
  • Oh, I see. I use 8.8.8.8 as a resolver for OCSP Stapling. This is the cause, isn't it? How do I define nginx as an exception in rkhunter? The ports are always different, so it doesn't make sense to define a port as an exception, so I want the application as an exemption for ports. – fkin Mar 13 '16 at 14:08
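
An added example, not part of the original question or comments: `netstat -tulpen` includes `-l`, which lists only listening sockets, so a connected UDP client socket like the one quoted in the comment never appears in that output. The Python sketch below cross-checks rkhunter's hidden-port lines against a full socket listing (assumed to come from something like `netstat -uanp`); the local address 192.0.2.10, the second worker line and all function names are constructed for illustration.

```python
import re

# Constructed sample input: the rkhunter lines are the warning from the question; the
# netstat lines follow the comment's format, with 192.0.2.10 standing in for "(my.ip)".
RKHUNTER_LOG = """\
[12:56:58] Warning: Hidden ports found:
[12:56:58]          Port number: UDP:38885 is being used by /usr/sbin/nginx
[12:56:58]          Port number: UDP:41551 is being used by /usr/sbin/nginx
"""
NETSTAT_ALL = """\
udp        0      0 192.0.2.10:38885        8.8.8.8:53              ESTABLISHED 9597/nginx: worker
udp        0      0 192.0.2.10:41551        8.8.8.8:53              ESTABLISHED 9598/nginx: worker
"""

WARN_RE = re.compile(r"Port number: (TCP|UDP):(\d+) is being used by (\S+)")
SOCK_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\*|\d+)")

def parse_warnings(log):
    """Return (proto, port, path) for each hidden-port warning line."""
    return [(m.group(1).lower(), int(m.group(2)), m.group(3)) for m in WARN_RE.finditer(log)]

def parse_sockets(netstat_output):
    """Map (proto, local_port) -> (remote_addr, remote_port)."""
    socks = {}
    for line in netstat_output.splitlines():
        m = SOCK_RE.match(line)
        if m:
            proto, lport, raddr, rport = m.group(1, 3, 4, 5)
            socks[(proto, int(lport))] = (raddr, rport)
    return socks

def triage(log, netstat_output):
    """Classify each reported port by what the full socket table says about it."""
    socks = parse_sockets(netstat_output)
    result = {}
    for proto, port, path in parse_warnings(log):
        sock = socks.get((proto, port))
        if sock is None:
            result[port] = "no matching socket: investigate"
        elif sock[1] == "*":
            result[port] = "unconnected or listening socket: investigate"
        elif sock[1] == "53":
            result[port] = f"client socket to DNS server {sock[0]}:53"
        else:
            result[port] = f"client socket to {sock[0]}:{sock[1]}: investigate"
    return result

if __name__ == "__main__":
    print(triage(RKHUNTER_LOG, NETSTAT_ALL))
```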

0 Answers