Rkhunter is a tool that finds rootkits on a Linux server. Rootkits are installed by attackers so that they can keep access to the server after the initial compromise. This document shows how to install and use rkhunter on Ubuntu to detect rootkits.
We need to install a number of prerequisites to properly use
apt-get install binutils libreadline5 libruby ruby ssl-cert unhide.rb mailutils
Once the install finishes, you can proceed to the next step.
rkhunter by using
If wget hasn't been installed on your system yet, execute:
apt-get install wget
Untar the download:
tar xzvf rkhunter*
Navigate to the
./installer.sh --layout /usr --install
The installation output should be similar to this:
Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Starting installation:
Checking installation directory "/usr": it exists and is writable.
Checking installation directories:
Directory /usr/share/doc/rkhunter-1.4.2: creating: OK
Directory /usr/share/man/man8: exists and is writable.
Directory /etc: exists and is writable.
Directory /usr/bin: exists and is writable.
Directory /usr/lib: exists and is writable.
Directory /var/lib: exists and is writable.
Directory /usr/lib/rkhunter/scripts: creating: OK
Directory /var/lib/rkhunter/db: creating: OK
Directory /var/lib/rkhunter/tmp: creating: OK
Directory /var/lib/rkhunter/db/i18n: creating: OK
Directory /var/lib/rkhunter/db/signatures: creating: OK
Installing check_modules.pl: OK
Installing filehashsha.pl: OK
Installing stat.pl: OK
Installing readlink.sh: OK
Installing backdoorports.dat: OK
Installing mirrors.dat: OK
Installing programs_bad.dat: OK
Installing suspscan.dat: OK
Installing rkhunter.8: OK
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing ClamAV signatures: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Installation complete
The data files hold the information rkhunter uses to recognise possible threats.
Updating them regularly is necessary to keep the checks current. You can update them using the
This outputs a list of the data files that were updated and those that were not:
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
We are now ready to perform our first test. The test looks for known rootkits and generic security issues (such as root access over SSH) and logs its findings. You will need to press "Enter" manually to continue after each group of checks.
After the test, we can see errors and warnings:
Rkhunter can be configured to send an email when a threat is found. To configure this feature, start by opening the
MAIL-ON-WARNING, then add an email address.
You can optionally scroll through the configuration file for more options; by default, however, it should work fine. You can check your configuration file:
If there's no output, your configuration file is valid.
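As an added example that is not part of the original guide, the POSIX shell script below shows how to act on the two things described above: it pulls the "[ Warning ]" lines out of rkhunter's check output and verifies that MAIL-ON-WARNING in rkhunter.conf actually holds an address, so that warnings are not silently logged and never mailed. The check output and the config fragments are constructed samples, and admin@example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original guide): parse rkhunter check output for
# "[ Warning ]" lines and verify MAIL-ON-WARNING is set. All inputs are constructed.

# Constructed fragment of "rkhunter --check" output.
SAMPLE_CHECK='Checking for rootkit "Knark"                              [ Not found ]
Checking if SSH root access is allowed                    [ Warning ]
Checking for hidden files and directories                 [ Warning ]
Checking if SSH protocol v1 is allowed                    [ Not allowed ]'

# Constructed rkhunter.conf fragments: mail alerting unset vs. set (placeholder address).
UNSET_CONF='# Mail a report when a warning is found
MAIL-ON-WARNING=""
#MAIL-ON-WARNING="root@localhost"'
FIXED_CONF='MAIL-ON-WARNING="admin@example.com"
UPDATE_MIRRORS=1'

# Print only the lines rkhunter tagged as warnings.
rk_warning_lines() {
    printf '%s\n' "$1" | grep -F '[ Warning ]'
}

# Count warning lines; grep -c prints 0 (and exits 1) when there are none.
rk_warning_count() {
    printf '%s\n' "$1" | grep -cF '[ Warning ]' || true
}

# Extract the active (uncommented) MAIL-ON-WARNING value, stripped of quotes.
rk_mail_target() {
    printf '%s\n' "$1" | sed -n 's/^MAIL-ON-WARNING=\(.*\)$/\1/p' | tr -d '"' | head -n 1
}

# Succeed only when a non-empty mail target is configured.
rk_mail_configured() {
    [ -n "$(rk_mail_target "$1")" ]
}

# Stand-alone run: report findings and flag a config that would never mail them.
main() {
    echo "warnings found: $(rk_warning_count "$SAMPLE_CHECK")"
    rk_warning_lines "$SAMPLE_CHECK"
    if rk_mail_configured "$UNSET_CONF"; then
        echo "alerts will be mailed to $(rk_mail_target "$UNSET_CONF")"
    else
        echo "MAIL-ON-WARNING is empty: warnings would be logged but never mailed"
    fi
}
main
```

In practice, pass a saved copy of the check output and the contents of rkhunter.conf to these functions instead of the constructed samples.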