What Watchdog warnings can be safely ignored on a Plesk server

Follow

Comments

7 comments

  • Avatar
    Marco Marsala (Edited )

    Forgot to mention that MagicSpam too will throw the following warning message. You should whitelist your processes by default.

    [01:01:55] Info: Starting test name 'ipc_shared_mem'
    [01:01:55]   Checking for suspicious shared memory segments  [ Warning ]
    [01:01:55] Warning: The following suspicious shared memory segments have been found:
    [01:01:55]          Process:     PID: 4023    Owner: magicspam
    [01:01:55]          Process: /usr/sbin/apache2    PID: 10275    Owner: root

  • Avatar
    Artyom Baranov

    @Marco Marsala

    Thank you for noticing, Marco! I have updated the article.

  • Avatar
    Christian Heutger

    Why doesn't plesk then whitelist this warnings by default?

  • Avatar
    Ivan Postnikov

    @Christian Heutger

    Hello!
    These warnings are not whitelisted by default as they may be useful for troubleshooting.

    Feel free to create functionality suggestions at Plesk User Voice.

  • Avatar
    Aniello Martuscelli

    I got this warning

    [01:15:10]   /opt/psa/etc/modules/watchdog/rkhunter.conf     [ Warning ]
    [01:15:10] Warning: Package manager verification has failed:
    [01:15:10]          File: /opt/psa/etc/modules/watchdog/rkhunter.conf
    [01:15:10]          The file hash value has changed

  • Avatar
    Ivan Postnikov

    @Aniello, this warning appears in the log, when Watchdog configuration has been changed via Plesk. It may be safely ignored.

  • Avatar
    Nadir Latif (Edited )

    If you dont wish to receive the Plesk warning emails, then you need to Whitelist the false positive warnings. To Whitelist the warnings you need to set the following options in: /usr/local/psa/etc/modules/watchdog/rkhunter.conf

    # Used to suppress the warning: "Warning: Package manager verification has failed"
    PKGMGR_NO_VRFY="/usr/local/psa/etc/modules/watchdog/rkhunter.conf"

    # Used to suppress the warning: "Warning: Hidden file found"
    ALLOWHIDDENFILE=/etc/.updated
    ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
    ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
    ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz

    # Used to suppress the warning: "Warning: The following suspicious shared memory segments have been found"
    ALLOWIPCPROC=/usr/sbin/httpd

    # Used to suppress the warning: "Warning: No output found from the lsmod command or the /proc/modules file"
    DISABLE_TESTS=suspscan hidden_ports hidden_procs deleted_files packet_cap_apps apps os_specific

    # Used to suppress the warning: "Warning: Found enabled xinetd service"
    XINETD_ALLOWED_SVC=/etc/xinetd.d/ftp_psa
    XINETD_ALLOWED_SVC=/etc/xinetd.d/poppassd_psa

    Since the rkhunter.conf file may be overwritten after a Plesk update, a better option is to create a file rkhunter.conf.local in the folder: /usr/local/psa/etc/modules/watchdog and add the above customized options to the file.

    After that run the RKhunter from the Plesk Watchdog. It should not send the warning email because there are no warnings to report. The "Scanning Status" box will show no warnings.

    This has been tested on Plesk Onyx 17.8.11

Please sign in to leave a comment.

Have more questions? Submit a request