Rkhunter
Rkhunter (Rootkit Hunter) is software that finds rootkits on a Linux server. Rootkits are installed by hackers so that they can keep access to the server. In this doc, you'll see how to install rkhunter on Ubuntu and use it to detect rootkits.
Step 1: Installing prerequisites
We need to install a number of prerequisites to properly use rkhunter:
apt-get install binutils libreadline5 libruby ruby ssl-cert unhide.rb mailutils
Once the install finishes, you can proceed to the next step.
Step 2: Installing rkhunter
We'll download rkhunter by using wget. If wget hasn't been installed on your system yet, execute:
apt-get install wget
Now download rkhunter:
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
Untar the download:
tar xzvf rkhunter*
Navigate to the rkhunter directory:
cd rkhunter*
Install rkhunter:
./installer.sh --layout /usr --install
The installation output should be similar to this:
Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Starting installation:
Checking installation directory "/usr": it exists and is writable.
Checking installation directories:
Directory /usr/share/doc/rkhunter-1.4.2: creating: OK
Directory /usr/share/man/man8: exists and is writable.
Directory /etc: exists and is writable.
Directory /usr/bin: exists and is writable.
Directory /usr/lib: exists and is writable.
Directory /var/lib: exists and is writable.
Directory /usr/lib/rkhunter/scripts: creating: OK
Directory /var/lib/rkhunter/db: creating: OK
Directory /var/lib/rkhunter/tmp: creating: OK
Directory /var/lib/rkhunter/db/i18n: creating: OK
Directory /var/lib/rkhunter/db/signatures: creating: OK
Installing check_modules.pl: OK
Installing filehashsha.pl: OK
Installing stat.pl: OK
Installing readlink.sh: OK
Installing backdoorports.dat: OK
Installing mirrors.dat: OK
Installing programs_bad.dat: OK
Installing suspscan.dat: OK
Installing rkhunter.8: OK
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing ClamAV signatures: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Installation complete
Step 3: Using rkhunter
Data files keep information about possible threats. Regularly updating your data files is necessary for an up-to-date system. You can update them using the rkhunter command:
rkhunter --update
This will output a list with data files that were updated and those that weren’t updated:
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
We are now ready to perform our first test. The test will look for known rootkits and generic security issues (such as root access over SSH) and log its findings. Start it with:
rkhunter --check
You will need to press "Enter" manually to continue after each group of checks.
After the test, we can see the errors and warnings in the log:
cat /var/log/rkhunter.log
Step 4: Enabling email notifications
Rkhunter can be configured to send an email when a threat is found. To configure this feature, start by opening the rkhunter.conf file:
vi /etc/rkhunter.conf
Search for MAIL-ON-WARNING, then add an email address.
You can optionally scroll through the configuration for more options; by default, however, it should work fine. You can check your configuration file with:
rkhunter -C
If there’s no output, your configuration file is valid.
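As an added example (not part of this article or of rkhunter itself), the following script runs the check from step 3 non-interactively, the way a cron job would, summarises the warnings in /var/log/rkhunter.log, and mails them as in step 4. The function names are my own, and the log lines inside it are constructed samples in rkhunter's log format, so the summary part can be tried without a real scan.

```shell
#!/bin/sh
# Added example, not from the original article: a non-interactive rkhunter
# run for cron plus a small log summary. Assumes rkhunter 1.4.2 installed as
# above, writing its log to /var/log/rkhunter.log (the default).

RKHUNTER_LOG=/var/log/rkhunter.log

# Update the data files, then run the check without waiting for keypresses.
# --report-warnings-only keeps stdout short for mail; for --check an exit
# status of 1 means rkhunter found at least one warning, 0 means a clean run.
rkhunter_scan() {
    rkhunter --update
    rkhunter --check --skip-keypress --report-warnings-only
}

# Print the warning lines from a log file with the "[HH:MM:SS]" prefix removed.
# rkhunter writes two kinds of warning lines: a test result ending in
# "[ Warning ]" and a detail line starting with "Warning:".
rkhunter_warnings() {
    grep -E '\[ Warning \]|Warning: ' "$1" | sed -E 's/^\[[0-9:]+\] *//'
}

# Number of warning lines in a log file (0 when the run was clean).
rkhunter_warning_count() {
    rkhunter_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample log in rkhunter's format, used here instead of a real
# /var/log/rkhunter.log so the summary functions can be tried offline.
write_sample_log() {
    cat > "$1" <<'EOF'
[10:51:08] Checking for prerequisites                      [ Warning ]
[10:51:08] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script
[10:51:09] Checking for hidden processes                   [ OK ]
[10:51:10] Checking for hidden ports                       [ Warning ]
[10:51:11] Checking for passwd file changes                [ None found ]
EOF
}

# Stand-alone use on a real host: run the scan, then mail a summary only when
# something was flagged ("mail" comes from mailutils, installed in step 1).
if [ "${1:-}" = "--run" ] && command -v rkhunter >/dev/null; then
    rkhunter_scan || {
        rkhunter_warnings "$RKHUNTER_LOG" | mail -s "rkhunter warnings on $(hostname)" root
    }
fi
```

Save it as, for example, /usr/local/sbin/rkhunter-cron.sh and call it with --run from root's crontab; without --run it only defines the functions.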