Install And Use Rootkit Hunter On Linux Server

In this post I will show you how to install and run Rootkit Hunter on your Linux based servers. Rootkit Hunter does what it’s name suggests, hunts for potential rootkits on your server. If you are infected you can try to clean it but you really may want to nuke the server and start from scratch or revert to a previous backup/snapshot if possible. For more information about RKHunter please visit the official Rootkit Hunter website.

Installing Rootkit Hunter

You can install Rootkit Hunter with one of the following commands depending on which Linux distro you are using.

sudo apt-get install rkhunter -y # Debian/Ubuntu
sudo yum install rkhunter -y # RHEL/CentOS/Fedora

Configuring RKHunter

Now you don’t have to do this step if you don’t want to. That being said it doesn’t hurt and it only takes a moment. Lets start by opening the configuration file located at /etc/default/rkhunter. You will want to change the information to look similar to what I have below.

# Defaults for rkhunter automatic tasks
# sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter
#
# This is a POSIX shell fragment
#

# Set this to yes to enable rkhunter daily runs
# (default: false)
CRON_DAILY_RUN="true"

# Set this to yes to enable rkhunter weekly database updates
# (default: false)
CRON_DB_UPDATE="true"

# Set this to yes to enable reports of weekly database updates
# (default: false)
DB_UPDATE_EMAIL="false"

# Set this to the email address where reports and run output should be sent
# (default: root)
REPORT_EMAIL="youremail@domain.com" # CHANGE THIS TO YOUR EMAIL ADDRESS

# Set this to yes to enable automatic database updates
# (default: false)
APT_AUTOGEN="true"

# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable)
# (default: 0)
NICE="0"

# Should daily check be run when running on battery
# powermgmt-base is required to detect if running on battery or on AC power
# (default: false)
RUN_CHECK_ON_BATTERY="false"

Checking For Rootkits

There are a few ways you can run Rootkit Hunter depending on what level of information you are looking for, and logs will be generated and shown at the end as-well. Here are a list of some of the possibilities below.

sudo rkhunter -C # Check only config files for changes
sudo rkhunter -c # Check entire system
sudo rkhunter -c --sk # Check entire system, skip press any key to continue
sudo rkhunter -c --rwo # Check entire system, only display warnings
sudo rkhunter -c --sk | grep -A12 -i "summary" # Check entire system, only display the summary

Manually Maintaining And Updating RKHunter

IMPORTANT: Whenever you change a configuration file such as /etc/ssh/sshd_config for example, you need to update Rootkit Hunter’s database or else it will give you a warning when running checks. You can do this by running the following command. If you changed the RKHunter configuration in the previous step then you should run the command below.

sudo rkhunter --propupd

To update the definitions/signatures you can run the following command, you can also schedule this as a cronjob as-well if you would like automatic daily updates (you can enable weekly updates in the configuration but why not do it daily?).

sudo echo "rkhunter --update" > /etc/cron.daily/rkhunter-update # Create daily cronjob for RKHunter updates
sudo rkhunter --update # Manually update

I hope this guide has helped you setup and user Rootkit Hunter on your servers. Please don’t forget to like/comment/share, Thanks!

You may also like

Leave a Reply

Your email address will not be published. Required fields are marked *