Using rkhunter to Secure a Linux Server

rkhunter (Rootkit Hunter) is a Linux/Unix tool that scans a system for possible rootkits, backdoors and local exploits. Rootkits are hidden tools or programs that attackers upload to a Linux server to keep their access to it. rkhunter looks for hidden files and for binaries with wrong or overly permissive permissions, analyses kernel strings for possible threats, compares MD5 hashes of system files, and checks the network and application versions, among other things.

In this tutorial, we will go through how rkhunter can be installed and how it can be scheduled for automated scans.

Installing rkhunter on your Linux server

Change current working directory to the desired installation directory.

cd /usr/local/src

Download the rkhunter package using wget command.

wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.4.2.tar.gz

Unzip the downloaded rkhunter archive.

tar -zxvf rkhunter-1.4.2.tar.gz

Change the current working directory to the rkhunter directory.

cd rkhunter-1.4.2

Install the rkhunter package by executing the installation script.

./installer.sh --layout default --install

This will install the rkhunter tool on the server. Now
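The installer above runs as root, so a practitioner will want to confirm that the tarball they downloaded is the one the project published before executing it. The script below is an added example, not part of the original tutorial or of the rkhunter project: it wraps the download, extract and install steps from this section behind a SHA-256 check. The URL and version are the ones used above; RKH_EXPECTED_SHA256 is a placeholder you fill in from the project's release page, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial or the rkhunter project): fetch, verify
# and install an rkhunter release, refusing to run installer.sh unless the
# tarball's SHA-256 matches a value obtained from the project's release page.
# RKH_EXPECTED_SHA256 below is a placeholder, not a real hash.
set -e

RKH_VERSION="${RKH_VERSION:-1.4.2}"
RKH_URL="http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-${RKH_VERSION}.tar.gz"
RKH_EXPECTED_SHA256="${RKH_EXPECTED_SHA256:-<sha256 from the rkhunter release page>}"
SRC_DIR="${SRC_DIR:-/usr/local/src}"

# file_sha256 FILE: print the SHA-256 of FILE (coreutils, with a BSD fallback).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED: return 0 when FILE's SHA-256 equals EXPECTED
# (case-insensitive), 1 otherwise. A placeholder that was never filled in
# (still contains '<') or an empty value is rejected rather than trusted.
verify_checksum() {
    case "$2" in
        *'<'*|"") echo "verify_checksum: expected hash not set" >&2; return 1 ;;
    esac
    actual=$(file_sha256 "$1")
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# install_rkhunter: the tutorial's download/extract/install steps, gated on the hash.
install_rkhunter() {
    cd "$SRC_DIR"
    wget -O "rkhunter-${RKH_VERSION}.tar.gz" "$RKH_URL"
    if ! verify_checksum "rkhunter-${RKH_VERSION}.tar.gz" "$RKH_EXPECTED_SHA256"; then
        echo "checksum mismatch for rkhunter-${RKH_VERSION}.tar.gz; not installing" >&2
        return 1
    fi
    tar -zxf "rkhunter-${RKH_VERSION}.tar.gz"
    cd "rkhunter-${RKH_VERSION}"
    ./installer.sh --layout default --install
}

# Only perform the install when explicitly requested, so the file can also be
# sourced to reuse the checksum helpers.
if [ "${RKH_RUN_INSTALL:-no}" = "yes" ]; then
    install_rkhunter
fi
```

Run it as RKH_RUN_INSTALL=yes RKH_EXPECTED_SHA256=<hash> sh install-rkhunter.sh; without the hash it downloads nothing useful and stops before touching the system.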

rkhunter Update and Options

To check the current rkhunter version,

/usr/local/bin/rkhunter --versioncheck

To update the rkhunter version,

/usr/local/bin/rkhunter --update

After the database files have been updated, to check and store the updated values and file properties,

/usr/local/bin/rkhunter --propupd

You can look up the other rkhunter options with,

/usr/local/bin/rkhunter --help

Configuration of rkhunter

The configuration file of rkhunter is /etc/rkhunter.conf. By changing the parameter values in this file, we can modify rkhunter's behaviour to secure the server accordingly. For example, if we set the parameter,

ALLOW_SSH_ROOT_USER = no

This will restrict root login to the server over SSH. If this is set as

ALLOW_SSH_ROOT_USER = yes

root login over SSH is possible.

Here are some of the config file parameters.

Installation directory of rkhunter is specified with,

INSTALLDIR=/path/of/installation/directory

Database directory is specified with,

DBDIR=/var/lib/rkhunter/db

Script directory is specified with,

SCRIPTDIR=/usr/local/lib64/rkhunter/scripts

The temporary directory of the rkhunter application is specified with,

TMPDIR=/var/lib/rkhunter/tmp
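The caveat a practitioner wants on ALLOW_SSH_ROOT_USER is that rkhunter does not change sshd: the setting tells rkhunter what to expect, and rkhunter warns when the PermitRootLogin value in /etc/ssh/sshd_config disagrees with it. The enforcing setting is PermitRootLogin in sshd_config. The script below is an added example, not code from the tutorial or from rkhunter: it reads keys from an rkhunter.conf-style file (the KEY=value and KEY = value forms used in this section) and compares ALLOW_SSH_ROOT_USER with the effective sshd value. The file paths are passed as arguments, an absent PermitRootLogin is treated as OpenSSH's default "prohibit-password", and the agree/disagree rule is this example's own simplification (ALLOW_SSH_ROOT_USER=no is satisfied by any sshd value other than yes); rkhunter's own check may differ in detail.

```shell
#!/bin/sh
# Added example (not from the tutorial or rkhunter): read rkhunter.conf settings
# and compare ALLOW_SSH_ROOT_USER with what sshd actually enforces.
# Assumptions (not from the page): paths are given as arguments; a missing
# PermitRootLogin means OpenSSH's default "prohibit-password"; the matching
# rule in check_ssh_root_policy is this example's simplification.
set -e

# rkconf_get CONF KEY: print the value of KEY from an rkhunter.conf-style file,
# accepting "KEY=value" and "KEY = value", skipping comments; last match wins.
rkconf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/#.*/, "", line)
            if (match(line, "^[[:space:]]*" key "[[:space:]]*=")) {
                val = substr(line, RLENGTH + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                found = val
            }
        }
        END { if (found != "") print found }
    ' "$1"
}

# sshd_permit_root_login SSHD_CONF: print the effective PermitRootLogin value.
# sshd honours the first occurrence of a keyword, so the first match wins here.
sshd_permit_root_login() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    echo "${val:-prohibit-password}"
}

# check_ssh_root_policy RKHUNTER_CONF SSHD_CONF: print "ok ..." and return 0
# when the rkhunter expectation and the sshd setting agree, otherwise print
# "mismatch ..." and return 1. "unset" disables the comparison, as in rkhunter.
check_ssh_root_policy() {
    expected=$(rkconf_get "$1" ALLOW_SSH_ROOT_USER)
    expected=${expected:-no}
    actual=$(sshd_permit_root_login "$2")
    case "$expected:$actual" in
        unset:*|yes:yes|no:no|no:prohibit-password|no:without-password|no:forced-commands-only)
            echo "ok (rkhunter expects $expected, sshd PermitRootLogin is $actual)"
            return 0 ;;
        *)
            echo "mismatch (rkhunter expects $expected, sshd PermitRootLogin is $actual)"
            return 1 ;;
    esac
}

# Typical use on a live host (paths are the defaults this tutorial uses):
#   check_ssh_root_policy /etc/rkhunter.conf /etc/ssh/sshd_config
```

A non-zero exit from check_ssh_root_policy means the two files disagree: either tighten sshd_config to match the policy you intend, or set ALLOW_SSH_ROOT_USER to what sshd really enforces so the rkhunter warning is meaningful rather than noise.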

Manual Scan with rkhunter

To run a manual scan with rkhunter, run

/usr/local/bin/rkhunter -c

By default, rkhunter runs in interactive mode. rkhunter performs a series of scans and after each set of scans you’ll need to hit Enter to continue.

To skip the interactive key presses, run

/usr/local/bin/rkhunter -c -sk

To scan the entire file system, run

rkhunter --check

Scheduling Automatic Scans with rkhunter

To create a scheduled automatic scan, write a script that runs the rkhunter scan and emails the result, and place it in the directory /etc/cron.daily so that it runs daily. If you want to run the rkhunter scan weekly, place the script in /etc/cron.weekly instead.

Open the file to write the script.

vi /etc/cron.daily/rkhunter.sh

Paste the script given below into this file.

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (ServerHostname)' [email protected]

Make sure you replace ServerHostname and [email protected] with the actual server hostname and the email address to which the notifications are to be sent.

Change the permission of the file to 755.

chmod 755 /etc/cron.daily/rkhunter.sh

With this done, the rkhunter script will be executed by the cron daemon daily; it runs the rkhunter scan and emails the scan report to the provided email address.

The rkhunter log

All the activities performed and the errors encountered by the application are logged in the rkhunter log. By default, the rkhunter log file is

/var/log/rkhunter.log

[Screenshot: a portion of a manual rkhunter scan]

All the suspected files and applications are listed in the rkhunter log, and you need to verify them manually.
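Manual verification goes faster when it starts from a list of warnings rather than from the whole log. The script below is an added example, not code from the tutorial or from rkhunter: it extracts the "Warning:" lines from an rkhunter log such as /var/log/rkhunter.log, de-duplicates them, pulls out the file paths reported under file-property warnings, and returns a non-zero status when anything needs attention, which the cron script from the scheduling section can use to decide whether a mail is worth sending. The log lines in SAMPLE_LOG are constructed for the example and only assume the "[HH:MM:SS] Warning: text" shape; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial or rkhunter): summarise the warnings in
# an rkhunter log so the manual verification starts from a short triage list.
# Assumption (not from the page): lines look like "[HH:MM:SS] Warning: text".
# SAMPLE_LOG is a constructed sample, not real rkhunter output.
set -e

SAMPLE_LOG=$(cat <<'EOF'
[10:15:01] Info: Starting the file properties checks
[10:15:02] Checking file /usr/bin/ls                               [ OK ]
[10:15:02] Warning: The file properties have changed:
[10:15:02]          File: /usr/bin/ls
[10:15:02]          Current hash: 0123456789abcdef (constructed)
[10:15:03] Checking file /usr/bin/ps                               [ Warning ]
[10:15:03] Warning: Hidden directory found: /dev/.udev
[10:15:04] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[10:15:04] Warning: Hidden directory found: /dev/.udev
[10:15:05] Info: The system checks took: 4 seconds
EOF
)

# rkh_warnings LOGFILE: print each "Warning:" line without its timestamp,
# de-duplicated, in order of first appearance.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*\] *Warning: *//p' "$1" | awk '!seen[$0]++'
}

# rkh_warning_count LOGFILE: number of distinct warnings (0 on a clean run).
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# rkh_flagged_files LOGFILE: paths rkhunter listed as "File: <path>" under a warning.
rkh_flagged_files() {
    sed -n 's/^\[[0-9:]*\] *File: *//p' "$1" | awk '!seen[$0]++'
}

# rkh_triage LOGFILE: print a summary; return 0 when clean, 1 when warnings exist,
# so a cron wrapper can mail only when there is something to look at.
rkh_triage() {
    n=$(rkh_warning_count "$1")
    if [ "$n" -eq 0 ]; then
        echo "rkhunter: no warnings in $1"
        return 0
    fi
    echo "rkhunter: $n warning(s) in $1"
    rkh_warnings "$1" | sed 's/^/  - /'
    files=$(rkh_flagged_files "$1")
    if [ -n "$files" ]; then
        printf '%s\n' "$files" | sed 's|^|  verify: |'
    fi
    return 1
}

# Demo on the constructed sample; set RKH_DEMO=no to source the helpers only.
# On a real host you would call: rkh_triage /var/log/rkhunter.log
if [ "${RKH_DEMO:-yes}" = "yes" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    rkh_triage "$tmp" || true
    rm -f "$tmp"
fi
```

On the sample the summary lists three distinct warnings and one path to verify (/usr/bin/ls); the duplicate hidden-directory line is reported once. Each entry still needs the manual check the tutorial describes, for example comparing the flagged binary against the package manager's recorded hash before deciding whether to run --propupd again.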

Using rkhunter is one of the basic ways to secure your server. If you have a cloud VPS, you might also be interested in the article we have created on securing a Linux server using CSF.
