Using rkhunter to Secure a Linux Server
rkhunter (Rootkit Hunter) is a Linux/Unix-based tool that scans for possible rootkits, backdoors and local exploits. Rootkits are hidden tools or programs that attackers/intruders upload to Linux servers to gain access to the server. rkhunter scans for hidden files and for binary files with wrong and/or full permissions, looks for possible threats in the kernel by analysing kernel strings, compares MD5 hashes, and checks the network, application versions, etc.
In this tutorial, we will go through how the rkhunter application can be installed and how it can be scheduled for automated scans.
Installing rkhunter on your Linux server
Change current working directory to the desired installation directory.
Download the rkhunter package using wget command.
Unzip the downloaded rkhunter archive.
tar -zxvf rkhunter-1.4.2.tar.gz
Change the current working directory to the rkhunter directory.
Install the rkhunter package by executing the installation script.
./installer.sh --layout default --install
This will install the rkhunter tool on the server. Now
rkhunter Update and Options
To check the rkhunter current version,
To update the rkhunter version,
If the database files are updated, to check and save the updated values and properties,
You can refer to the other rkhunter options with,
Configuration of rkhunter
The configuration file of rkhunter is /etc/rkhunter.conf. By changing the parameter values in this file, we can modify the properties of rkhunter to secure the server. For example, if we set the parameter,
ALLOW_SSH_ROOT_USER = no
This will restrict root login to the server over SSH. If this is set as
ALLOW_SSH_ROOT_USER = yes
Root login over SSH is possible.
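For the setting above to reflect the real state of the server, the SSH daemon's own PermitRootLogin directive has to agree with it: rkhunter compares ALLOW_SSH_ROOT_USER with that directive during its checks and warns on a mismatch. The script below is an added example (not part of the original tutorial and not rkhunter's own code) that performs the same comparison on two files; the function names are hypothetical, and it reads only the single sshd configuration file it is given, without following Include directives.

```shell
#!/bin/sh
# Added example, not rkhunter's own code; function names are hypothetical.

# Value of ALLOW_SSH_ROOT_USER in an rkhunter.conf-style file.
# Assumption: the last uncommented assignment is used; "unset" if none.
rkh_expected() {
    v=$(sed -n 's/^[[:space:]]*ALLOW_SSH_ROOT_USER[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}" | tr 'A-Z' 'a-z'
}

# Global PermitRootLogin value in an sshd_config-style file. sshd keywords
# are case-insensitive and the first occurrence wins; stop at the first
# Match block, whose settings apply only conditionally.
sshd_actual() {
    v=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-unset}"
}

# Print one status line; return 0 when the files agree, 1 on mismatch.
ssh_root_check() {
    want=$(rkh_expected "$1")
    have=$(sshd_actual "$2")
    if [ "$want" = "$have" ]; then
        echo "OK: rkhunter expects '$want', sshd has '$have'"
        return 0
    fi
    echo "MISMATCH: rkhunter expects '$want', sshd has '$have'"
    return 1
}

# Demo on constructed sample files (not real server configuration).
demo=$(mktemp -d)
printf 'ALLOW_SSH_ROOT_USER = no\n' > "$demo/rkhunter.conf"
printf '#PermitRootLogin prohibit-password\nPermitRootLogin yes\n' > "$demo/sshd_config"
ssh_root_check "$demo/rkhunter.conf" "$demo/sshd_config" || true
rm -rf "$demo"
```

On a server, the same function can be pointed at /etc/rkhunter.conf and the sshd configuration file in use.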
Here are some of the config file parameters.
Installation directory of rkhunter is specified with,
Database directory is specified with,
Script directory is specified with,
Temporary directory of the rkhunter application is specified with,
Manual Scan with rkhunter
To run a manual scan with rkhunter run,
By default, rkhunter runs in interactive mode. rkhunter performs a series of scans and after each set of scans you’ll need to hit Enter to continue.
To skip interactive mode run,
/usr/local/bin/rkhunter -c -sk
To scan the entire file system run,
Scheduling Automatic Scans with rkhunter
To schedule an automatic scan, create a script in the directory /etc/cron.daily that executes the rkhunter scan and emails the scan result; cron then runs the script daily. If you want to run the rkhunter scan weekly, place the script in the directory /etc/cron.weekly instead.
Open the file to write the script.
Paste the below given script in this file.
#!/bin/sh
# Run the version check, the database update and the scan in one subshell
# so that the combined output is sent as a single email.
(
  /usr/local/bin/rkhunter --versioncheck
  /usr/local/bin/rkhunter --update
  /usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (ServerHostname)' user@example.com
Make sure you replace ServerHostname and the placeholder address user@example.com with the actual server hostname and the email address to which the notifications are to be sent.
Change the permission of the file to 755.
chmod 755 /etc/cron.daily/rkhunter.sh
Once this is done, the cron daemon executes the rkhunter script daily; the script runs the rkhunter scan and emails the scan report to the provided email address.
The rkhunter log
All the activities performed and the errors encountered by the application are logged in the rkhunter log. By default rkhunter log file is,
Here is a screenshot of the portion of the manual rkhunter scan.
All the suspected files and applications can be found in the rkhunter log, and you need to verify these manually.
Using rkhunter is one of the basic ways you can secure your server. If you have a Cloud VPS you might also be interested in an article we have created on securing a Linux server using CSF.