How to install Rkhunter on Linux server
Date: 11-04-2020
Introduction:
Rkhunter (Rootkit Hunter) is an open-source scanner for Linux systems that checks whether the server has been infected by a rootkit.
A rootkit is a type of software designed to hide the existence of certain processes or programs from the normal methods of detection.
Rootkits are generally associated with malware such as Trojans, viruses and worms.
A rootkit on an infected server can also read the log files and spy on what the administrator does.
Rootkit Hunter scans for hidden files, wrong permissions set on binaries, suspicious strings in the kernel, and so on.
Step 1: Downloading Rkhunter:
Let’s change the current directory to the temp directory.
# cd /tmp
Download the latest version of Rkhunter by executing the command below.
# wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
Step 2: Installing Rkhunter:
Extract the downloaded archive with the command below.
# tar -zxvf rkhunter-1.4.2.tar.gz
Change the current working directory to the rkhunter directory.
# cd rkhunter-1.4.2
Install rkhunter by running the installation script.
# ./installer.sh --layout default --install
Step 3: Updating Rkhunter:
To check the current rkhunter version:
# /usr/local/bin/rkhunter --versioncheck
To update rkhunter's data files to the latest available version:
# /usr/local/bin/rkhunter --update
If the database files were updated, check and save the updated file properties with:
# /usr/local/bin/rkhunter --propupd
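Steps 1 to 3 as one script, added here as an example (it is not from the article and not part of the rkhunter project). The one thing it adds to the steps above is an integrity check on the tarball before anything is unpacked, which matters because the download URL in the article is plain http. RKHUNTER_SHA256 is a placeholder to fill in from the checksum published for the release; the version, base URL and install path are the article's, and the helper names are this script's own.

```shell
#!/bin/sh
# Added example (not from the original article): Steps 1-3 wrapped in functions,
# with a SHA-256 check on the tarball before it is unpacked.
# RKHUNTER_SHA256 is a placeholder: fill it with the checksum published for the
# release you download.
set -u

RKHUNTER_VERSION="${RKHUNTER_VERSION:-1.4.2}"
RKHUNTER_SHA256="${RKHUNTER_SHA256:-REPLACE_WITH_PUBLISHED_SHA256}"   # placeholder
DOWNLOAD_BASE="http://downloads.sourceforge.net/project/rkhunter/rkhunter"

# tarball_name VERSION -> release tarball name, e.g. rkhunter-1.4.2.tar.gz
tarball_name() {
    printf 'rkhunter-%s.tar.gz\n' "$1"
}

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 digest equals EXPECTED_SHA256 (hex, any
# case), 1 when the file is missing or the digest differs.
verify_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_rkhunter: the article's Steps 1-3, stopping at the first failure.
install_rkhunter() {
    tarball=$(tarball_name "$RKHUNTER_VERSION")
    cd /tmp || return 1
    wget -O "$tarball" "$DOWNLOAD_BASE/$RKHUNTER_VERSION/$tarball" || return 1
    if ! verify_tarball "$tarball" "$RKHUNTER_SHA256"; then
        echo "checksum mismatch for $tarball; not installing" >&2
        return 1
    fi
    tar -zxf "$tarball" || return 1
    cd "rkhunter-$RKHUNTER_VERSION" || return 1
    ./installer.sh --layout default --install || return 1
    # Step 3: refresh the data files and record the current file properties
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --propupd
}

# Only installs when invoked as:  sh install-rkhunter.sh install
case "${1:-}" in
    install) install_rkhunter ;;
esac
```

Run it as root with RKHUNTER_SHA256 set to the published digest; a mismatch aborts before tar runs, so a tampered or truncated download never reaches installer.sh.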
Step 4: Manual Scan and Usage:
To scan the entire file system, run:
# rkhunter --check
Sample Output:
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/local/bin/rkhunter                                  [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chkconfig                                      [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/depmod                                         [ OK ]
    /usr/sbin/fsck                                           [ OK ]
    /usr/sbin/fuser                                          [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/ifconfig                                       [ OK ]
    /usr/sbin/ifdown                                         [ Warning ]
    /usr/sbin/ifup                                           [ Warning ]
    /usr/sbin/init                                           [ OK ]
    /usr/sbin/insmod                                         [ OK ]
    /usr/sbin/ip                                             [ OK ]
    /usr/sbin/lsmod                                          [ OK ]
    /usr/sbin/lsof                                           [ OK ]
    /usr/sbin/modinfo                                        [ OK ]
    /usr/sbin/modprobe                                       [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/rmmod                                          [ OK ]
    /usr/sbin/route                                          [ OK ]
    /usr/sbin/rsyslogd                                       [ OK ]
    /usr/sbin/runlevel                                       [ OK ]
    /usr/sbin/sestatus                                       [ OK ]
    /usr/sbin/sshd                                           [ OK ]
    /usr/sbin/sulogin                                        [ OK ]
    /usr/sbin/sysctl                                         [ OK ]
    /usr/sbin/tcpd                                           [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
    ....

[Press <ENTER> to continue]

Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    .....

[Press <ENTER> to continue]

  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]
    ....

[Press <ENTER> to continue]

Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
    ....

  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Warning ]
    Checking if SSH protocol v1 is allowed                   [ Warning ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]
    ...

System checks summary
=====================

File properties checks...
    Files checked: 137
    Suspect files: 6

Rootkit checks...
    Rootkits checked : 383
    Possible rootkits: 0

Applications checks...
    Applications checked: 5
    Suspect applications: 2

The system checks took: 5 minutes and 38 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
Step 5: Scheduling Automatic Scans:
Setting Cronjob and Email Alerts:
Create a file called rkhunter.sh under /etc/cron.daily/; it will scan your file system every day and send the results to your email address.
Open the file to write the script.
# vi /etc/cron.daily/rkhunter.sh
Paste the script below into this file, replacing “Server name” with your server's host name and “mail id” with your email address.
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (Server name)' mail id
Change the permissions of the file to 755.
# chmod 755 /etc/cron.daily/rkhunter.sh
For more information and options, run the following command:
# rkhunter --help
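The daily script above mails the whole run every day, so a clean run and a run with warnings look the same in the inbox, and the warnings themselves have to be fished out of the report in Step 4. The script below is an added example for Steps 4 and 5 (not from the article and not part of rkhunter): it keeps the full report, extracts only the [ Warning ] lines and the "System checks summary" block in the format shown in the sample output, and mails that digest only when something was flagged. RKHUNTER, MAILER and RECIPIENT are assumptions to adjust for the host, the function names are this script's own, and it relies on rkhunter exiting non-zero when a warning was raised.

```shell
#!/bin/sh
# Added example (not from the original article, not part of rkhunter): a
# replacement for /etc/cron.daily/rkhunter.sh that mails a digest of the run
# only when rkhunter flagged something. RKHUNTER, MAILER and RECIPIENT are
# assumed paths/values for the host.
set -u

RKHUNTER="${RKHUNTER:-/usr/local/bin/rkhunter}"
MAILER="${MAILER:-/bin/mail}"
RECIPIENT="${RECIPIENT:-root}"      # replace with your mail id

# summarize_report: read a full rkhunter report on stdin and print only the
# lines a human needs: every check marked [ Warning ] and the summary block.
summarize_report() {
    awk '
        /\[ Warning \]/          { print; next }
        /^System checks summary/ { in_summary = 1 }
        in_summary               { print }
    '
}

# count_warnings: number of [ Warning ] lines in a report read from stdin
# (grep -c prints 0 but exits 1 when nothing matches, hence the || true).
count_warnings() {
    grep -c '\[ Warning \]' || true
}

# run_daily_scan: refresh the data files, run the scan in cron mode (no colours,
# no keypress prompts), mail the digest if anything was flagged, and return the
# scan's exit status so cron sees failures too.
run_daily_scan() {
    report=$(mktemp) || return 1
    # The exit status of these two is not what decides whether mail goes out.
    "$RKHUNTER" --versioncheck >/dev/null 2>&1 || true
    "$RKHUNTER" --update >/dev/null 2>&1 || true
    if "$RKHUNTER" --cronjob >"$report" 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -ne 0 ] || [ "$(count_warnings <"$report")" -gt 0 ]; then
        summarize_report <"$report" |
            "$MAILER" -s "rkhunter daily run on $(uname -n): warnings found" "$RECIPIENT"
    fi
    rm -f "$report"
    return "$status"
}

# Only scans when invoked as:  sh rkhunter.sh run
case "${1:-}" in
    run) run_daily_scan ;;
esac
```

Install it as /etc/cron.daily/rkhunter.sh with mode 755 and have it call run_daily_scan (or pass run). Note that file-properties warnings like the ifup/ifdown ones in the sample output also appear after a legitimate package update changes those binaries; after such an update, re-run rkhunter --propupd so the stored properties match the new files, otherwise the digest is mailed every day for a change you already know about.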
Step 6: Configuration Of Rkhunter
The configuration file of rkhunter is /etc/rkhunter.conf. We can adjust rkhunter's settings there as needed to secure the server.
To restrict the root login to the server over SSH
ALLOW_SSH_ROOT_USER = no
To allow the root login to the server over SSH
ALLOW_SSH_ROOT_USER = yes
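A point worth making explicit about this option: ALLOW_SSH_ROOT_USER does not itself change sshd. It tells rkhunter what value to expect for PermitRootLogin in the SSH daemon's configuration, and the "Checking if SSH root access is allowed" test in the sample output warns when the two disagree. The script below is an added example (not from the article and not rkhunter's own code) that reproduces that comparison so the relationship between the two files is visible. The default paths /etc/rkhunter.conf and /etc/ssh/sshd_config are assumptions about the host, only the whitespace-separated "PermitRootLogin value" form is parsed (Match blocks are ignored), and treating a missing ALLOW_SSH_ROOT_USER as "no" is this script's own choice.

```shell
#!/bin/sh
# Added example (not from the original article, not part of rkhunter): compares
# ALLOW_SSH_ROOT_USER in rkhunter.conf with PermitRootLogin in sshd_config, the
# way rkhunter's "SSH root access" check does. Paths are assumptions.
set -u

# expected_root_login RKHUNTER_CONF -> value of ALLOW_SSH_ROOT_USER ("" if absent)
expected_root_login() {
    awk -F= '
        /^[ \t]*ALLOW_SSH_ROOT_USER[ \t]*=/ {
            v = $2; gsub(/[ \t"]/, "", v); print tolower(v); exit
        }' "$1"
}

# actual_root_login SSHD_CONFIG -> value of PermitRootLogin ("" if absent).
# Commented lines start with "#PermitRootLogin" and therefore do not match.
actual_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# ssh_root_check RKHUNTER_CONF SSHD_CONFIG
# Prints an rkhunter-style OK / Warning line; returns 0 when the two files
# agree and 1 when they do not.
ssh_root_check() {
    expected=$(expected_root_login "$1")
    actual=$(actual_root_login "$2")
    # rkhunter's own word for "option not present in sshd_config" is "unset"
    [ -n "$actual" ] || actual=unset
    # assumption of this script: a missing ALLOW_SSH_ROOT_USER means "no"
    [ -n "$expected" ] || expected=no
    if [ "$expected" = "$actual" ]; then
        printf 'Checking if SSH root access is allowed                   [ OK ]\n'
        return 0
    fi
    printf 'Checking if SSH root access is allowed                   [ Warning ]\n'
    printf '  rkhunter.conf has ALLOW_SSH_ROOT_USER=%s but sshd_config has PermitRootLogin=%s\n' \
        "$expected" "$actual"
    return 1
}

# Usage:  sh ssh-root-check.sh check [rkhunter.conf] [sshd_config]
case "${1:-}" in
    check) ssh_root_check "${2:-/etc/rkhunter.conf}" "${3:-/etc/ssh/sshd_config}" ;;
esac
```

So to actually restrict root login, set PermitRootLogin no in sshd_config and reload sshd; then set ALLOW_SSH_ROOT_USER = no in rkhunter.conf so the daily scan confirms the restriction is still in place and warns if someone changes it back.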
Conclusion:
There are several tools you can download to scan your machines and servers for rootkits. So why choose rkhunter? Because of its speed and ease of use. It gives you a way to keep your assets free of rootkits and other malicious programs.