Introduction
Rkhunter (Rootkit Hunter) is an open-source security tool that scans Linux and other Unix-like systems for rootkits, backdoors and local exploits. It compares the hashes and properties (permissions, ownership, size) of important system binaries against a stored baseline, looks for files, directories and strings known to be used by rootkits, inspects loaded kernel modules and listening ports, and flags insecure settings in configuration files such as sshd_config.
Installing Rkhunter on your Linux server helps enhance system security by providing regular scans and alerts for any unauthorized changes or malicious activities. It is widely used by system administrators as part of a proactive security monitoring strategy.

Pre-requisites
Before installing Rkhunter, ensure the following requirements are met:
- You should have a running Linux server (e.g., CentOS, RHEL, Ubuntu, Debian).
- Administrative access is required to install packages and run security scans.
IMPLEMENTATION
Step 1: Downloading Rkhunter:
Change to a temporary directory.
# cd /tmp
Download the Rkhunter source tarball. This guide uses release 1.4.2; check the project page for the current release, and verify the downloaded tarball against the checksum published there before running the installer as root.
#wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
Step 2: Installing Rkhunter:
Extract the downloaded tarball.
#tar -zxvf rkhunter-1.4.2.tar.gz
Change into the extracted directory.
#cd rkhunter-1.4.2
Run the installation script. With the default layout the binary goes to /usr/local/bin, the configuration file to /usr/local/etc/rkhunter.conf, the database to /var/lib/rkhunter and the log to /var/log/rkhunter.log.
#./installer.sh --layout default --install
Step 3: Updating Rkhunter:
Check whether a newer Rkhunter release is available (this queries the project site, so the host needs outbound internet access).
#/usr/local/bin/rkhunter --versioncheck
Fetch the latest data files (rootkit signatures and related lists). This updates the databases Rkhunter scans with, not the program itself.
#/usr/local/bin/rkhunter --update
Record the current properties of the monitored files (hashes, permissions, ownership, size) as the baseline. Run this once right after installation and again after legitimate package upgrades; otherwise later scans report the changed files as warnings. Only run it on a system you believe is clean, because whatever state the files are in when you run it becomes the trusted reference.
#/usr/local/bin/rkhunter --propupd
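Steps 1 to 3 as one script, added here as an example (it is not part of Rkhunter or of the original guide): the installer is only run once the tarball's SHA-256 matches a value you copied from the project's release page by hand, and the baseline is taken immediately after the install. The tarball name, version and checksum argument are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example (not part of Rkhunter or the original guide): install Rkhunter
# from a source tarball only after its SHA-256 matches a value obtained out of
# band, then fetch the data files and record the file-properties baseline.
# Assumptions: the tarball path and checksum are passed in by the operator;
# the expected checksum comes from the project's release page, not from the
# same download.
set -u

# verify_sha256 FILE EXPECTED: returns 0 if FILE's SHA-256 equals EXPECTED
# (hex, either case), 1 otherwise. Uses sha256sum or, failing that, shasum.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# install_from_tarball TARBALL EXPECTED_SHA256: verify, extract, run the
# installer with the default layout, then update the data files and take the
# baseline. Refuses to continue on a checksum mismatch.
install_from_tarball() {
    tarball=$1
    expected=$2
    if ! verify_sha256 "$tarball" "$expected"; then
        echo "checksum mismatch for $tarball, refusing to install" >&2
        return 1
    fi
    dir=$(basename "$tarball" .tar.gz)
    tar -zxf "$tarball" || return 1
    (cd "$dir" && ./installer.sh --layout default --install) || return 1
    # --update exits non-zero when it fetched new data files, so its status
    # is deliberately not treated as an error here.
    /usr/local/bin/rkhunter --update
    # --propupd makes the current state the trusted baseline: only do this
    # on a host you believe is clean.
    /usr/local/bin/rkhunter --propupd
}

# Invoked as: sh install-rkhunter.sh run rkhunter-1.4.2.tar.gz <sha256>
# Without arguments the script only defines the functions above.
if [ "${1:-}" = run ] && [ $# -eq 3 ]; then
    install_from_tarball "$2" "$3"
fi
```

Run it as root with the tarball path and the published checksum as the two arguments after `run`; a mismatch stops the script before anything is extracted or executed.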
Step 4: Manual Scan and Usage:
To run the full set of checks (Rkhunter checks specific files, directories, ports and settings; it does not walk the whole file system):
# rkhunter --check
The run is interactive and pauses after each section. Add --sk (--skip-keypress) to run it straight through, and --rwo (--report-warnings-only) to print only the warnings.
Sample Output:
[ Rootkit Hunter version 1.4.2 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ OK ]
/usr/local/bin/rkhunter [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chkconfig [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/depmod [ OK ]
/usr/sbin/fsck [ OK ]
/usr/sbin/fuser [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/ifconfig [ OK ]
/usr/sbin/ifdown [ Warning ]
/usr/sbin/ifup [ Warning ]
/usr/sbin/init [ OK ]
/usr/sbin/insmod [ OK ]
/usr/sbin/ip [ OK ]
/usr/sbin/lsmod [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/modinfo [ OK ]
/usr/sbin/modprobe [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rmmod [ OK ]
/usr/sbin/route [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/runlevel [ OK ]
/usr/sbin/sestatus [ OK ]
/usr/sbin/sshd [ OK ]
/usr/sbin/sulogin [ OK ]
/usr/sbin/sysctl [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
....
[Press <ENTER> to continue]
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
.....
[Press <ENTER> to continue]
Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]
....
[Press <ENTER> to continue]
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
....
Performing system configuration file checks
Checking for an SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
Checking for a running system logging daemon [ Found ]
Checking for a system logging configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
...
System checks summary
=====================
File properties checks...
Files checked: 137
Suspect files: 6
Rootkit checks...
Rootkits checked : 383
Possible rootkits: 0
Applications checks...
Applications checked: 5
Suspect applications: 2
The system checks took: 5 minutes and 38 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
Step 5: Scheduling Automatic Scans:
Setting Cronjob and Email Alerts:
Create a script under /etc/cron.daily/ that updates the data files, runs the checks every day and e-mails the result. On RHEL and CentOS name it rkhunter.sh as shown below; on Debian and Ubuntu, run-parts skips files whose names contain a dot, so name it /etc/cron.daily/rkhunter instead. The host also needs a working mail command and a configured MTA to deliver the report.
Open the file to write the script.
# vi /etc/cron.daily/rkhunter.sh
Paste the script below into the file, replacing "Server name" with the host name and "mail id" with the address that should receive the report. --cronjob runs the checks non-interactively (no colours, no key presses) and --report-warnings-only keeps the e-mail short.
#!/bin/sh
(
  /usr/local/bin/rkhunter --versioncheck
  /usr/local/bin/rkhunter --update
  /usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (Server name)' mail id
Make the script executable.
# chmod 755 /etc/cron.daily/rkhunter.sh
For the full list of options, run
# rkhunter --help
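The cron script above mails a report every day whether or not anything was found, which trains people to ignore it. The following is an added example (not Rkhunter's own cron script) of a daily job that only sends mail when the run exited non-zero or the log contains Warning entries, and puts those entries in the message body. The rkhunter path, log path and recipient are assumptions set at the top; the log lines embedded in the script are constructed for the test and are not real scan results.

```shell
#!/bin/sh
# Added example (not Rkhunter's own cron script): a daily job that refreshes
# the data files, runs the checks non-interactively and e-mails only when the
# run produced warnings or failed, instead of mailing every day.
# Assumed, adjust to taste: the paths below, the recipient MAILTO, and that a
# working mail(1) and MTA exist on the host.
RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}
MAILTO=${MAILTO:-root}

# count_warnings: read an rkhunter log on stdin and print the number of
# "Warning:" entries (rkhunter logs them as "[HH:MM:SS] Warning: ...").
count_warnings() {
    awk '/^\[[0-9:]+\] Warning:/ { n++ } END { print n + 0 }'
}

# warning_lines: print only the Warning entries of a log read from stdin,
# with the timestamp stripped, for the body of the e-mail.
warning_lines() {
    sed -n 's/^\[[0-9:]*\] Warning: //p'
}

# should_notify EXITCODE WARNINGS: true (0) when rkhunter exited non-zero
# (it does so when any check raised a warning) or the log shows warnings.
should_notify() {
    [ "$1" -ne 0 ] || [ "$2" -gt 0 ]
}

# Constructed sample of log lines in rkhunter's format, used by the test;
# these are not real scan results.
SAMPLE_LOG="[03:15:01] Info: Starting test name 'filesystem'
[03:15:02] Warning: The command '/usr/sbin/ifdown' has been replaced by a script: /usr/sbin/ifdown: POSIX shell script text executable
[03:15:03] Info: Checking for enabled xinetd services [ Skipped ]
[03:15:04] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[03:15:05] Info: System checks summary"

run_daily() {
    host=$(hostname)
    $RKHUNTER --update >/dev/null 2>&1        # non-zero here just means "updated"
    $RKHUNTER --cronjob --report-warnings-only >/dev/null 2>&1
    rc=$?
    warnings=$(count_warnings < "$RKH_LOG")
    if should_notify "$rc" "$warnings"; then
        {
            echo "rkhunter on $host exited $rc with $warnings warning(s):"
            echo
            warning_lines < "$RKH_LOG"
            echo
            echo "Full log: $RKH_LOG"
        } | mail -s "rkhunter: $warnings warning(s) on $host" "$MAILTO"
    fi
}

# Only the real run calls rkhunter; running the file without "run" just
# defines the functions so they can be tested.
if [ "${1:-}" = run ]; then
    run_daily
fi
```

Install it as /etc/cron.daily/rkhunter (no extension, so run-parts accepts it on every distribution) with a first line of `exec sh "$0" run` removed and the `run` argument wired in however your cron invokes scripts, or call it from a crontab entry as `sh /usr/local/sbin/rkhunter-daily run`. Because the decision is driven by the log and the exit code rather than by captured output, a quiet day sends nothing.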
Step 6: Configuration Of Rkhunter
Rkhunter reads its settings from rkhunter.conf. Distribution packages install it as /etc/rkhunter.conf; the source installation with the default layout used above puts it at /usr/local/etc/rkhunter.conf. The options describe what Rkhunter should expect to find on a correctly configured server, and a scan warns when the live system differs from those expectations.
ALLOW_SSH_ROOT_USER is an example of this. It does not itself restrict or allow root logins over SSH: it tells Rkhunter which PermitRootLogin value to expect in /etc/ssh/sshd_config, and the "Checking if SSH root access is allowed" test in the sample output above warns when the two disagree, or when PermitRootLogin is not set at all.
If root should not be able to log in over SSH (the recommended setting), set PermitRootLogin no in sshd_config and tell Rkhunter to expect that:
ALLOW_SSH_ROOT_USER = no
If root logins over SSH are deliberately permitted, set PermitRootLogin yes in sshd_config and match it here so the scan stops warning about it:
ALLOW_SSH_ROOT_USER = yes
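To make the relationship between the two settings concrete, here is an added example (not Rkhunter's own code) that reproduces the logic behind the "SSH root access is allowed" test: it reads the effective PermitRootLogin value from an sshd_config fragment, the expected value from an rkhunter.conf fragment, and reports whether they agree. The two sshd_config fragments are constructed for the example; the weak one is the combination that produces the warning in the sample output, and the corrected one fixes sshd_config rather than silencing Rkhunter. It assumes sshd_config uses the "keyword value" form with no Match blocks, and treats a missing ALLOW_SSH_ROOT_USER as "no".

```shell
#!/bin/sh
# Added example (not Rkhunter's own code): reproduce the logic behind the
# "Checking if SSH root access is allowed" test so the relationship between
# ALLOW_SSH_ROOT_USER and PermitRootLogin is visible. The config fragments
# below are constructed. Assumptions: sshd_config uses "keyword value" lines
# with no Match blocks (outside Match, sshd uses the first occurrence of a
# keyword), and a missing ALLOW_SSH_ROOT_USER is treated as "no".

# sshd_permit_root_login: read sshd_config on stdin, print the effective
# PermitRootLogin value (first active occurrence, lower-cased) or "unset".
sshd_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }'
}

# rkhunter_allow_ssh_root: read rkhunter.conf on stdin, print the value of
# ALLOW_SSH_ROOT_USER (last assignment wins, whitespace around "=" tolerated),
# or "no" when the option is absent (assumed default).
rkhunter_allow_ssh_root() {
    awk -F= '/^[[:space:]]*ALLOW_SSH_ROOT_USER[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = tolower($2) }
             END { print (v == "" ? "no" : v) }'
}

# ssh_root_check EXPECTED ACTUAL: 0 when the live sshd setting matches what
# rkhunter.conf expects, 1 (with a one-line reason) otherwise.
ssh_root_check() {
    expected=$1
    actual=$2
    if [ "$expected" = unset ]; then
        echo "check skipped: ALLOW_SSH_ROOT_USER is unset"
        return 0
    fi
    if [ "$actual" = unset ]; then
        echo "Warning: PermitRootLogin is not set in sshd_config; the sshd default applies"
        return 1
    fi
    if [ "$expected" != "$actual" ]; then
        echo "Warning: sshd_config has PermitRootLogin $actual but rkhunter.conf expects $expected"
        return 1
    fi
    echo "OK: PermitRootLogin $actual matches ALLOW_SSH_ROOT_USER"
    return 0
}

# Constructed fragments. The weak pair leaves root login open while rkhunter
# expects it closed; the corrected pair changes sshd_config, not rkhunter.conf.
WEAK_SSHD='Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no'
FIXED_SSHD='Port 22
PermitRootLogin no
PasswordAuthentication no'
RKH_CONF='# expect root SSH logins to be disabled
ALLOW_SSH_ROOT_USER = no'

if [ "${1:-}" = demo ]; then
    expected=$(printf '%s\n' "$RKH_CONF" | rkhunter_allow_ssh_root)
    ssh_root_check "$expected" "$(printf '%s\n' "$WEAK_SSHD" | sshd_permit_root_login)"
    ssh_root_check "$expected" "$(printf '%s\n' "$FIXED_SSHD" | sshd_permit_root_login)"
fi
```

Run it with `demo` to see the warning for the weak fragment and the OK for the corrected one. On a real host, feed `/etc/ssh/sshd_config` and `rkhunter.conf` to the two parsers instead of the embedded fragments; the point the functions make is that only the sshd_config side changes the security of the server, while the rkhunter.conf side changes what the scanner complains about.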
Conclusion:
Installing Rkhunter on a Linux server is a simple yet effective step toward strengthening system security. By regularly scanning for rootkits and suspicious activities, it helps administrators detect potential threats early and take corrective actions.
While Rkhunter is not a complete security solution on its own, it serves as a valuable addition to your overall security strategy when combined with firewalls, intrusion detection systems, and regular system updates. Keeping Rkhunter updated and running scheduled scans ensures continuous monitoring and improved protection of your server environment.