Applicable to:
- Plesk for Linux
Question
What Watchdog warnings can be safely ignored?
Answer
The following warnings can be safely ignored:
- The file has changed. This warning appears in the log when the Watchdog configuration has been changed via Plesk. Watchdog's own rkhunter.conf is the only file expected in this warning; if the same warning names any other packaged file, verify that file with the package manager (for example "rpm -V <package>" or "debsums") instead of ignoring it:
CONFIG_TEXT: [00:00:00] Warning: Package manager verification has failed:
[00:00:00] File: /usr/local/psa/etc/modules/watchdog/rkhunter.conf
[00:00:00] The file hash value has changed
[00:00:00] The file size has changed
[00:00:00] The file modification time has changed
- Suspicious shared memory segments. The segments below are owned by Apache (httpd or apache2), Plesk (psaadm), PostgreSQL (postgres) and MagicSpam (magicspam). For the Plesk and MagicSpam segments no process path is shown, so the owner is the only thing to match against; a segment with an unfamiliar process path or owner is not covered by this list:
CONFIG_TEXT: [00:00:00] Warning: The following suspicious shared memory segments have been found:
[00:00:00] Process: /usr/sbin/httpd PID: 9522 Owner: root
[00:00:00] Process: PID: 25000 Owner: psaadm
[00:00:00] Process: /usr/bin/postgres PID: 9759 Owner: postgres
[00:00:00] Process: PID: 4023 Owner: magicspam
[00:00:00] Process: /usr/sbin/apache2 PID: 10275 Owner: root
- Found enabled xinetd service. The 'xinetd' service is part of the Plesk functionality (the ftp_psa and poppassd_psa services):
CONFIG_TEXT: [00:00:00] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[00:00:00] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
- No output found from the lsmod command on an OpenVZ container. If the server is an OpenVZ container, it is expected that the 'lsmod' command returns empty output, because kernel modules are managed by the hypervisor. On a physical server or a full virtual machine, empty lsmod output is not expected and this warning should not be ignored:
CONFIG_TEXT: [00:00:00] Checking loaded kernel modules [ Warning ]
[00:00:00] Warning: No output found from the lsmod command or the /proc/modules file:
[00:00:00] /proc/modules output:
[00:00:00] lsmod output:
[00:00:00] Info: Using modules pathname of '/lib/modules'
- Hidden files or directories found:
  - The /usr/share/man/ directory is used for package manuals.
  - The /dev/.udev directory is created by the 'udevd' daemon and is used during the system boot process.
  - The *.hmac files next to the OpenSSH and fipscheck binaries (.ssh.hmac, .sshd.hmac, .fipscheck.hmac) hold the HMAC checksums that fipscheck uses to verify those binaries in FIPS mode.
  - The /etc/.java directory is created by OpenJDK, and it is safe.
  - The /etc/.updated file is created by systemd-update-done.service (it holds a timestamp of when /etc was last updated) and it is safe.
CONFIG_TEXT: [00:00:00] Warning: Hidden directory found: /dev/.udev
[00:00:00] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[00:00:00] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[00:00:00] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[00:00:00] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[00:00:00] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[00:00:00] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[00:00:00] Warning: Hidden directory found: /etc/.java
[00:00:00] Warning: Hidden file found: /etc/.updated: ASCII text
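As an added example (not code from this article or from Plesk), the following Python script parses Watchdog's rkhunter log lines, keeps only the warnings this article lists as expected on a Plesk server, and turns those into rkhunter.conf.local directives; everything else is reported for manual review, including the lsmod warning, because only the administrator knows whether the host is an OpenVZ container. The directive names (PKGMGR_NO_VRFY, ALLOWIPCPROC, ALLOWIPCUSER, XINETD_ALLOWED_SVC, ALLOWHIDDENDIR, ALLOWHIDDENFILE) are rkhunter.conf options. The log in SAMPLE_LOG is constructed for the example, and the entries it is meant to reject (/tmp/.x, /etc/xinetd.d/backdoor, /var/tmp/.hidden) are invented to show what the filter refuses to whitelist.

```python
"""Triage Plesk Watchdog (rkhunter) warnings against the benign cases listed above."""
import re

# Known-benign set, taken from the warnings documented in this article.
BENIGN_PKGMGR_FILES = {
    "/usr/local/psa/etc/modules/watchdog/rkhunter.conf",
    "/opt/psa/etc/modules/watchdog/rkhunter.conf",
}
BENIGN_IPC_PROCS = {"/usr/sbin/httpd", "/usr/sbin/apache2", "/usr/bin/postgres"}
BENIGN_IPC_OWNERS = {"psaadm", "magicspam"}   # Plesk and MagicSpam: no binary path shown
BENIGN_XINETD = {"/etc/xinetd.d/ftp_psa", "/etc/xinetd.d/poppassd_psa"}
BENIGN_HIDDEN_DIRS = {"/dev/.udev", "/etc/.java"}
BENIGN_HIDDEN_FILES = {"/etc/.updated"}

TS = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*")            # "[00:00:00] " prefix
RE_FILE = re.compile(r"^File:\s*(\S+)$")
RE_PROC = re.compile(r"^Process:\s*(?:(?!PID:)(\S+)\s+)?PID:\s*(\d+)\s+Owner:\s*(\S+)$")
RE_XINETD = re.compile(r"^Warning: Found enabled xinetd service:\s*(\S+)$")
RE_HDIR = re.compile(r"^Warning: Hidden directory found:\s*(\S+)$")
RE_HFILE = re.compile(r"^Warning: Hidden file found:\s*(.+?)(?:: .*)?$")

# Constructed sample log (not a real capture): the article's benign cases plus
# four lines that must NOT be whitelisted.
SAMPLE_LOG = """\
[00:00:00] Warning: Package manager verification has failed:
[00:00:00] File: /usr/local/psa/etc/modules/watchdog/rkhunter.conf
[00:00:00] The file hash value has changed
[00:00:00] Warning: The following suspicious shared memory segments have been found:
[00:00:00] Process: /usr/sbin/httpd PID: 9522 Owner: root
[00:00:00] Process: PID: 25000 Owner: psaadm
[00:00:00] Process: /tmp/.x PID: 31337 Owner: nobody
[00:00:00] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[00:00:00] Warning: Found enabled xinetd service: /etc/xinetd.d/backdoor
[00:00:00] Warning: No output found from the lsmod command or the /proc/modules file:
[00:00:00] Warning: Hidden directory found: /dev/.udev
[00:00:00] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[00:00:00] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[00:00:00] Warning: Hidden file found: /var/tmp/.hidden: ELF 64-bit LSB executable
"""


def hidden_file_is_benign(path):
    """Man pages, fipscheck *.hmac checksum files and systemd's /etc/.updated."""
    return (path.startswith("/usr/share/man/") or path.endswith(".hmac")
            or path in BENIGN_HIDDEN_FILES)


def triage(log_text):
    """Return (directives, suspicious): rkhunter.conf.local lines for the benign
    warnings, and the raw text of every warning not on the known-good list."""
    directives, suspicious = [], []

    def keep(entry):                # preserve order, drop duplicates
        if entry not in directives:
            directives.append(entry)

    context = None                  # multi-line warning currently being read
    for raw in log_text.splitlines():
        line = TS.sub("", raw).strip()
        if line.startswith("Warning:"):
            context = None          # any new warning ends the previous block
        if line.startswith("Warning: Package manager verification has failed"):
            context = "pkgmgr"
        elif line.startswith("Warning: The following suspicious shared memory"):
            context = "ipc"
        elif context == "pkgmgr" and (m := RE_FILE.match(line)):
            if m.group(1) in BENIGN_PKGMGR_FILES:
                keep(f"PKGMGR_NO_VRFY={m.group(1)}")
            else:
                suspicious.append(line)
        elif context == "ipc" and (m := RE_PROC.match(line)):
            proc, owner = m.group(1) or "", m.group(3)
            if proc in BENIGN_IPC_PROCS:
                keep(f"ALLOWIPCPROC={proc}")
            elif not proc and owner in BENIGN_IPC_OWNERS:
                keep(f"ALLOWIPCUSER={owner}")   # no path to match, whitelist by owner
            else:
                suspicious.append(line)
        elif m := RE_XINETD.match(line):
            if m.group(1) in BENIGN_XINETD:
                keep(f"XINETD_ALLOWED_SVC={m.group(1)}")
            else:
                suspicious.append(line)
        elif m := RE_HDIR.match(line):
            if m.group(1) in BENIGN_HIDDEN_DIRS:
                keep(f"ALLOWHIDDENDIR={m.group(1)}")
            else:
                suspicious.append(line)
        elif m := RE_HFILE.match(line):
            if hidden_file_is_benign(m.group(1)):
                keep(f"ALLOWHIDDENFILE={m.group(1)}")
            else:
                suspicious.append(line)
        elif line.startswith("Warning:"):
            suspicious.append(line)  # a warning type this script does not know
    return directives, suspicious


def render_conf_local(directives):
    """Body for rkhunter.conf.local (Plesk updates may overwrite rkhunter.conf itself)."""
    header = "# Reviewed Watchdog warnings; re-check after every Plesk update."
    return "\n".join([header] + directives) + "\n"


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LOG)
    print(render_conf_local(ok))
    for entry in bad:
        print("NEEDS REVIEW:", entry)
```

Run it against a real Watchdog report by feeding the log text to triage(); write the rendered directives to rkhunter.conf.local (the file rkhunter.conf itself says it reads) only after the "NEEDS REVIEW" lines have been checked by hand, since a whitelist entry for an unexpected path silences exactly the finding rkhunter exists to raise.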
Additional information
For more information about Watchdog (System Monitoring) Component, see this Plesk documentation page.
For the purpose of scanning the server for malware, Watchdog uses the Rootkit Hunter utility. For more information about Rootkit Hunter, visit the Rootkit Hunter developer's Web site.
Comments
Forgot to mention that MagicSpam too will throw the following warning message. You should whitelist your processes by default.
@Marco Marsala
Thank you for noticing, Marco! I have updated the article.
Why doesn't Plesk then whitelist these warnings by default?
@Christian Heutger
Hello!
These warnings are not whitelisted by default as they may be useful for troubleshooting.
Feel free to create functionality suggestions at Plesk User Voice.
I got this warning
[01:15:10] /opt/psa/etc/modules/watchdog/rkhunter.conf [ Warning ]
[01:15:10] Warning: Package manager verification has failed:
[01:15:10] File: /opt/psa/etc/modules/watchdog/rkhunter.conf
[01:15:10] The file hash value has changed
@Aniello, this warning appears in the log, when Watchdog configuration has been changed via Plesk. It may be safely ignored.
If you don't wish to receive the Plesk warning emails, then you need to whitelist the false-positive warnings. To whitelist the warnings you need to set the following options in /usr/local/psa/etc/modules/watchdog/rkhunter.conf:
# Used to suppress the warning: "Warning: Package manager verification has failed"
PKGMGR_NO_VRFY="/usr/local/psa/etc/modules/watchdog/rkhunter.conf"
# Used to suppress the warning: "Warning: Hidden file found"
ALLOWHIDDENFILE=/etc/.updated
ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
# Used to suppress the warning: "Warning: The following suspicious shared memory segments have been found"
ALLOWIPCPROC=/usr/sbin/httpd
# Used to suppress the warning: "Warning: No output found from the lsmod command or the /proc/modules file"
DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps os_specific
# Used to suppress the warning: "Warning: Found enabled xinetd service"
XINETD_ALLOWED_SVC=/etc/xinetd.d/ftp_psa
XINETD_ALLOWED_SVC=/etc/xinetd.d/poppassd_psa
Since the rkhunter.conf file may be overwritten after a Plesk update, a better option is to create a file rkhunter.conf.local in the folder: /usr/local/psa/etc/modules/watchdog and add the above customized options to the file.
After that run the RKhunter from the Plesk Watchdog. It should not send the warning email because there are no warnings to report. The "Scanning Status" box will show no warnings.
This has been tested on Plesk Onyx 17.8.11
I advise against adding os_specific to the list of disabled rkhunter tests as this disables more than just checking for kernel modules. This is the directive that works for us:
You might try to omit the avail_modules (add just loaded_modules; the rest is the default in our installation), depending on your server configuration.
I have added a local rkhunter - but it is ignored. So too is the rkhunter.d directory. Unless I edit the actual rkhunter.conf file I get an error message constantly saying "Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/lwp-request" If I comment out the line for lwp-request on rkhunter.conf Watchdog proceeds OK. However, that means if rkhunter.conf is updated it will need editing again.
So there are two issues for me.
1. Why is rkhunter.d or rkhunter.conf.local being ignored?
2. Why is the lwp-request line happening in the first place?
@Graham Jones,
> 1. Why is rkhunter.d or rkhunter.conf.local being ignored?
I was not able to reproduce the issue. Please ensure that you have followed instructions provided in the "/usr/local/psa/etc/modules/watchdog/rkhunter.conf" file and all your custom config files are named and placed accordingly.
=====
You can create a local configuration file. The local file must be named 'rkhunter.conf.local', and must reside in the same directory as this file. Alternatively you can create a directory, named 'rkhunter.d', which also must be in the same directory as this configuration file. Within the 'rkhunter.d' directory you can place further configuration files. There is no restriction on the file names used, other than they must end in '.conf'
=====
> 2. Why is the lwp-request line happening in the first place
The "lwp-request" is provided by "perl-libwww-perl" package that is likely missing on the server.
Is this also one to safely ignore (to add to the list, improve in relation to Watchdog)? From what I can gather and understand this is not really suspicious, or am I wrong?