Rootkit Hunter (rkhunter) is a tool that scans a Linux server for rootkits. Attackers install rootkits so that they keep hidden, persistent access to a server they have compromised. This doc shows how you can guard against rootkits by scanning for them with rkhunter on Ubuntu.
Step 1: Installing prerequisites
We need to install a number of prerequisites to use rkhunter properly:
apt-get install binutils libreadline5 libruby ruby ssl-cert unhide.rb mailutils
Once the install finishes, you can proceed to the next step.
Step 2: Installing rkhunter
Download the rkhunter tarball using wget. If wget hasn't been installed on your system yet, execute:
apt-get install wget
Untar the download:
tar xzvf rkhunter*
Navigate to the extracted directory and run the installer:
./installer.sh --layout /usr --install
The installation output should be similar to this:
Checking system for:
 Rootkit Hunter installer files: found
 A web file download command: wget found
Starting installation:
 Checking installation directory "/usr": it exists and is writable.
 Checking installation directories:
  Directory /usr/share/doc/rkhunter-1.4.2: creating: OK
  Directory /usr/share/man/man8: exists and is writable.
  Directory /etc: exists and is writable.
  Directory /usr/bin: exists and is writable.
  Directory /usr/lib: exists and is writable.
  Directory /var/lib: exists and is writable.
  Directory /usr/lib/rkhunter/scripts: creating: OK
  Directory /var/lib/rkhunter/db: creating: OK
  Directory /var/lib/rkhunter/tmp: creating: OK
  Directory /var/lib/rkhunter/db/i18n: creating: OK
  Directory /var/lib/rkhunter/db/signatures: creating: OK
 Installing check_modules.pl: OK
 Installing filehashsha.pl: OK
 Installing stat.pl: OK
 Installing readlink.sh: OK
 Installing backdoorports.dat: OK
 Installing mirrors.dat: OK
 Installing programs_bad.dat: OK
 Installing suspscan.dat: OK
 Installing rkhunter.8: OK
 Installing ACKNOWLEDGMENTS: OK
 Installing CHANGELOG: OK
 Installing FAQ: OK
 Installing LICENSE: OK
 Installing README: OK
 Installing language support files: OK
 Installing ClamAV signatures: OK
 Installing rkhunter: OK
 Installing rkhunter.conf: OK
Installation complete
Step 3: Using rkhunter
rkhunter's data files hold the information about known threats that the scanner compares your system against.
Updating these data files regularly is necessary to keep the scanner current. Run the rkhunter update command; it outputs a list of the data files that were updated and those that weren't:
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
We are now ready to perform our first test. The test looks for known rootkits and for generic security issues (such as root login being allowed over SSH) and logs its findings. By default the run is interactive: you will need to press "Enter" manually to continue after each group of checks.
When the test finishes, review the errors and warnings it reported; the same findings are also written to the log.
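For a server you want to scan on a schedule, pressing Enter after every group of checks is not practical, and reading the full output just to find the warnings is error-prone. The script below is an added example, not part of the original doc or of the rkhunter project: it runs the update and a non-interactive check and then extracts only the checks that ended in "[ Warning ]". It assumes the standard rkhunter options --update, --check, --sk (skip the keypress) and --nocolors from the rkhunter man page; SAMPLE_SCAN_OUTPUT is a constructed stand-in used when rkhunter is not installed, not real scan output.

```shell
#!/bin/sh
# Added example (not from the original doc): unattended rkhunter run plus
# extraction of the checks that returned "[ Warning ]".
# Assumptions: --update, --check, --sk and --nocolors are the standard
# rkhunter options; SAMPLE_SCAN_OUTPUT below is constructed for offline use.

set -u

# Constructed sample of what a --check run prints (not real output).
SAMPLE_SCAN_OUTPUT='Checking for rootkits...
Checking for known rootkit files and directories [ None found ]
Checking for hidden files and directories [ Warning ]
Checking if SSH root access is allowed [ Warning ]
Checking for passwd file changes [ None found ]'

# Refresh the data files, then run a check that never waits for a keypress.
# The update can exit non-zero for reasons other than failure (for example
# when files were updated), so it is not allowed to abort the scan.
rkhunter_unattended_scan() {
    rkhunter --update --nocolors >/dev/null 2>&1 || true
    rkhunter --check --sk --nocolors 2>&1 || true
}

# Count the status lines flagged "[ Warning ]" on stdin. A count of 0 still
# exits 0 so callers can compare the number instead of grep's exit status.
count_warnings() {
    grep -c '\[ Warning \]' || true
}

# Print just the names of the checks that warned, one per line.
list_warnings() {
    grep '\[ Warning \]' | sed 's/ *\[ Warning \]$//'
}

# Use the real scanner when present, otherwise the constructed sample so the
# parsing logic can be exercised offline.
if command -v rkhunter >/dev/null 2>&1; then
    scan_output=$(rkhunter_unattended_scan)
else
    scan_output=$SAMPLE_SCAN_OUTPUT
fi

warnings=$(printf '%s\n' "$scan_output" | count_warnings)
echo "checks that warned: $warnings"
printf '%s\n' "$scan_output" | list_warnings
```

Because rkhunter only prints the status per check here, the reason behind each warning still has to be read from the log it writes; the warning names above tell you which log sections to read first.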
Step 4: Enabling email notifications
Rkhunter can be configured to send an email when a threat is found. To configure this feature, start by opening the rkhunter configuration file (rkhunter.conf). Find the MAIL-ON-WARNING option and set it to the email address that should receive the warnings.
You can optionally scroll through the configuration for more options; however, the defaults should work fine. Finally, check your configuration file with rkhunter's configuration check:
If there's no output, your configuration file is valid.
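Editing MAIL-ON-WARNING by hand is quick, but a commented-out default line left next to the new one, or a typo in the address, silently means no mail ever arrives. The helper below is an added example, not code from the original doc or from the rkhunter project: it sets MAIL-ON-WARNING in a given rkhunter.conf, replacing any existing (possibly commented-out) line rather than appending a duplicate, rejects addresses that are obviously malformed, and reports the active value. It assumes MAIL-ON-WARNING is the option name the doc gives and that "rkhunter -C" is the configuration check from the man page; the sample configuration fragment is constructed, not a copy of the shipped file.

```shell
#!/bin/sh
# Added example (not from the original doc): set MAIL-ON-WARNING in an
# rkhunter.conf without leaving duplicate or commented-out copies behind.
# Assumptions: MAIL-ON-WARNING is the option name from the doc; "rkhunter -C"
# is the config check from the man page; the sample file below is constructed.

set -u

# Usage: set_mail_on_warning <path to rkhunter.conf> <recipient address>
# The address must not contain sed metacharacters such as '|' or '&'.
set_mail_on_warning() {
    conf=$1
    addr=$2
    # Refuse obviously malformed addresses so a typo does not silently drop mail.
    case $addr in
        *@*.*) ;;
        *) echo "set_mail_on_warning: '$addr' does not look like an address" >&2
           return 1 ;;
    esac
    if grep -q '^[#[:space:]]*MAIL-ON-WARNING=' "$conf"; then
        # Replace the existing line in place, whether it is active or commented out.
        sed -i.bak "s|^[#[:space:]]*MAIL-ON-WARNING=.*|MAIL-ON-WARNING=$addr|" "$conf"
    else
        printf 'MAIL-ON-WARNING=%s\n' "$addr" >> "$conf"
    fi
}

# Print the active (uncommented) MAIL-ON-WARNING value, or nothing if unset.
mail_on_warning_value() {
    sed -n 's/^MAIL-ON-WARNING=//p' "$1"
}

# Demonstration on a constructed fragment of rkhunter.conf, so it runs offline.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample fragment of rkhunter.conf (not the shipped file)
#MAIL-ON-WARNING=me@mydomain
EOF

set_mail_on_warning "$demo_conf" "admin@example.com"
echo "MAIL-ON-WARNING is now: $(mail_on_warning_value "$demo_conf")"
rm -f "$demo_conf" "$demo_conf.bak"

# On a real host, validate the installed configuration afterwards;
# rkhunter -C prints nothing when the file is valid.
if command -v rkhunter >/dev/null 2>&1; then
    rkhunter -C && echo "installed configuration is valid"
fi
```

Running the helper twice with different addresses leaves exactly one MAIL-ON-WARNING line, which is the property a hand edit most often breaks; the configuration check at the end then confirms rkhunter itself accepts the file.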