A site for solving at least some of your technical problems...
Network TCP port 7000 is being used by /usr/bin/keybase.
Submitted by Alexis Wilke on Wed, 05/02/2018 - 10:15
Discovery
Today I got an email from rkhunter telling me that port 7000 is now opened by /usr/bin/keybase that looked as follow:
Warning: Network TCP port 7000 is being used by /usr/bin/keybase. Possible rootkit: Possible rogue IRC bot
Use the 'lsof -i' or 'netstat -an' command to check this.
If you are also running rkhunter, you certainly got the exact same message.
Verification
After close look up, I could see that was safe.
1) The process listening on port 7000 is indeed keybase, try the following command:
sudo netstat -a64np Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name [...] tcp 0 0 127.0.0.1:7000 0.0.0.0:* LISTEN 27742/keybase [...]
As we can see, the State (column generated when you use the -p command line option) includes the PID and name of the process owning port 7000. It is keybase alright.
2) My list of entries in tripwire clearly says that keybase was updated yesterday:
---------------------------------------------------- Rule Name: Other binaries (/usr/bin) Severity Level: 66 ---------------------------------------------------- Modified: [...] "/usr/bin/keybase" "/usr/bin/keybase-redirector" [...]
So here I had about enough information to know that port 7000 was not a trojan horse of some kind.
Another thing, in the output list above in (1), there was no one connected to port 7000. If a hacker had installed such a trojan horse, he would be using it and there would be a ton of connections (unless that one is very smart, which is probably unlikely?)
There is an example of a connection to port 80 (to Apache, the HTTP server I run):
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name [...] tcp6 0 0 96.67.192.225:80 95.216.11.151:31090 ESTABLISHED 2428/apache2 [...]
As we can see, a connection can be found by looking for ":7000" and I could not find anything.
Allowing keybase to use port 7000
In order to allow keybase to use port 7000 without getting a warning all the time, you want to edit your own rkhunter configuration file.
I strongly suggest that you do not edit the default /etc/rkhunter.conf file.
On Ubuntu, you can add new configuration files under:
/etc/rkhunter.d
Here you can place a file that will be read by rkhunter.
The filename should start with two digits which allows for sorting the files (i.e. later files may override some parameters from former files.)
In your case, you may want to use something like:
sudo vim /etc/rkhunter.d/50-perso.conf
To edit that file with vim (use pico if you don't know vim, it will be easier. Use Ctrl-X to save your changes.)
Note that I suggest you use number 50 in this case. This will allow other systems to add and/or remove other entries before or after your file. It is customary to be at the center, although if you want to be able to override anyone else settings, using 99 is also a good idea.
What you have to add to that file is the following line:
PORT_PATH_WHITELIST=/usr/bin/keybase:TCP:7000
This tells rkhunter to ignore (let go) a connection error on port 700 if the process that owns that port is /usr/bin/keybase and it uses the TCP protocol.
Note that it's possible to add a line to ignore any process using port 7000:
PORT_WHITELIST=TCP:7000
You can also specify the process without the protocol and port:
PORT_PATH_WHITELIST=/usr/bin/keybase
Yet, I think that the safest way to tweak your system is to be overly specific and include all possible parameters (path, protocol, and port.)
Conflict with Cassandra
In my development, I use Cassandra with Snap! C++.
Cassandra also uses port 7000 as its storage port.
If you want to use both tools simultaneously, you will have to edit the settings of one or the other and fix the port.
On my end I would suggest you change the port for keybase because Cassandra's tool can then all be used as is. I don't know whether keybase will have similar tools that will require you to specify the port every time if you don't leave the default in the settings...
Editing your Cassandra Settings
Find your cassandra.yaml file and edit it:
# TCP port, for commands and data # For security reasons, you should not expose this port to the internet. Firewall it if needed. storage_port: 7000
Notice the security warning. I also suggest you keep that port double safe.
You may need to update all the tools/CMS/etc. that make use of that port to connect to Cassandra.
Editing your Keybase Settings
Right now, I don't have an answer on this one. I'll be back once I have something I can include here.
Well... I talked with someone at Keybase and they said they would change the port number. It's now 16423 so we're good in terms of port number. It won't raise a flag by rkhunter and it's not in conflict with Cassandra anymore.
The sad part is that I've not seen a way to change the port with a settings file. Oh well.