In this post I will show you how to install and run Rootkit Hunter on your Linux based servers. Rootkit Hunter does what it’s name suggests, hunts for potential rootkits on your server. If you are infected you can try to clean it but you really may want to nuke the server and start from scratch or revert to a previous backup/snapshot if possible. For more information about RKHunter please visit the official Rootkit Hunter website.
Installing Rootkit Hunter
You can install Rootkit Hunter with one of the following commands depending on which Linux distro you are using.
sudo apt-get install rkhunter -y # Debian/Ubuntu sudo yum install rkhunter -y # RHEL/CentOS/Fedora
Now you don’t have to do this step if you don’t want to. That being said it doesn’t hurt and it only takes a moment. Lets start by opening the configuration file located at /etc/default/rkhunter. You will want to change the information to look similar to what I have below.
# Defaults for rkhunter automatic tasks # sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter # # This is a POSIX shell fragment # # Set this to yes to enable rkhunter daily runs # (default: false) CRON_DAILY_RUN="true" # Set this to yes to enable rkhunter weekly database updates # (default: false) CRON_DB_UPDATE="true" # Set this to yes to enable reports of weekly database updates # (default: false) DB_UPDATE_EMAIL="false" # Set this to the email address where reports and run output should be sent # (default: root) REPORT_EMAIL="firstname.lastname@example.org" # CHANGE THIS TO YOUR EMAIL ADDRESS # Set this to yes to enable automatic database updates # (default: false) APT_AUTOGEN="true" # Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable) # (default: 0) NICE="0" # Should daily check be run when running on battery # powermgmt-base is required to detect if running on battery or on AC power # (default: false) RUN_CHECK_ON_BATTERY="false"
Checking For Rootkits
There are a few ways you can run Rootkit Hunter depending on what level of information you are looking for, and logs will be generated and shown at the end as-well. Here are a list of some of the possibilities below.
sudo rkhunter -C # Check only config files for changes sudo rkhunter -c # Check entire system sudo rkhunter -c --sk # Check entire system, skip press any key to continue sudo rkhunter -c --rwo # Check entire system, only display warnings sudo rkhunter -c --sk | grep -A12 -i "summary" # Check entire system, only display the summary
Manually Maintaining And Updating RKHunter
IMPORTANT: Whenever you change a configuration file such as /etc/ssh/sshd_config for example, you need to update Rootkit Hunter’s database or else it will give you a warning when running checks. You can do this by running the following command. If you changed the RKHunter configuration in the previous step then you should run the command below.
sudo rkhunter --propupd
To update the definitions/signatures you can run the following command, you can also schedule this as a cronjob as-well if you would like automatic daily updates (you can enable weekly updates in the configuration but why not do it daily?).
sudo echo "rkhunter --update" > /etc/cron.daily/rkhunter-update # Create daily cronjob for RKHunter updates sudo rkhunter --update # Manually update
I hope this guide has helped you setup and user Rootkit Hunter on your servers. Please don’t forget to like/comment/share, Thanks!