Installing Rootkit Hunter HowTo

We all know how important security is on internet-facing machines these days, which means it’s important to know what’s going on on our servers. One of the tools we can use to help audit Unix/Linux based servers is Rootkit Hunter (or RKHunter). While it won’t stop anyone from breaking in, it will alert us to any rootkits that have been installed, and it will also warn us if common installed tools (SSH, for example) are out of date or have been replaced by a modified, backdoored version.

It’s not perfect, and can give some false positives, but I shall go into this later.

You can obtain the latest release from its SourceForge download area. In this example, I’ve copied the direct link from the University of Kent’s mirror; you can download it from there or from your nearest mirror.

cd /usr/src
wget http://kent.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.2.tar.gz
tar zxvf rkhunter-1.3.2.tar.gz
cd rkhunter-1.3.2
./installer.sh --layout default --install

That’s it installed. We can now try it out and then set it up to run automatically once a day and send us a report.

Note: if you are running it for the first time, or just after an update, it may give you a message about running it with the “--propupd” option. This updates its file properties database and should only need to be done once. Because that database becomes the baseline that later scans compare against, only run it when you are confident the system is clean.

Update its database files:
/usr/local/bin/rkhunter --update

Run an interactive system check:
/usr/local/bin/rkhunter -c

Now, fire up your favourite text editor (I use Joe – Joe’s Own Editor), whether it’s Vi, Nano or whatever, and we’ll create a script that will check for a new version, update its database and run a scan once a day.

joe /etc/cron.daily/rkhunter.sh

And we’ll use this code to do the work:

#!/bin/sh
# Daily Rootkit Hunter run: check for a newer release, refresh the
# database, scan non-interactively, and mail the combined output.
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'RKHunter Daily Run [YourServerName]' you@youremail.here

The options above are: --versioncheck first checks whether a newer version of Rootkit Hunter exists, and --update updates the database before scanning. The last two are --cronjob, which makes RKHunter scan without the need for user input and removes colours from its output, and finally --report-warnings-only, which (as its name suggests) only reports warnings and errors instead of a complete (and long) list.

Make sure that the script is executable:
chmod 755 /etc/cron.daily/rkhunter.sh

Now run the script manually to test that it works:
/etc/cron.daily/rkhunter.sh

You should now get a daily e-mail containing the results!
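As an added variant of the cron script above (example code written for this article’s setup, not part of the original post or of the rkhunter project), here is a version that mails only when rkhunter exits non-zero or prints warning lines, and puts the warning count in the subject so a quick glance at the inbox shows whether anything needs attention. It assumes the same /usr/local/bin/rkhunter and /bin/mail paths as the article.

```shell
#!/bin/sh
# Added example, not from the original article: a daily cron script that
# mails only when Rootkit Hunter has something to report.
# Assumed paths (adjust to your layout): /usr/local/bin/rkhunter and the
# /bin/mail command used in the article.
RKHUNTER=/usr/local/bin/rkhunter
MAILTO=you@youremail.here
HOST=$(uname -n)

# Count the "Warning:" lines in a block of rkhunter output. With
# --report-warnings-only these lines are what rkhunter prints about findings.
count_warnings() {
    printf '%s\n' "$1" | grep -c '^Warning:' || true
}

# A run needs attention if rkhunter exited non-zero (it does so when any
# warning was raised) or if warning lines are present in its output.
needs_report() {
    status=$1
    output=$2
    if [ "$status" -ne 0 ] || [ "$(count_warnings "$output")" -gt 0 ]; then
        return 0
    fi
    return 1
}

# Build the subject line from the number of warnings.
subject_for() {
    printf 'RKHunter: %s warning(s) on %s' "$(count_warnings "$1")" "$HOST"
}

run_daily() {
    "$RKHUNTER" --versioncheck >/dev/null 2>&1
    "$RKHUNTER" --update >/dev/null 2>&1
    output=$("$RKHUNTER" --cronjob --report-warnings-only 2>&1)
    status=$?
    if needs_report "$status" "$output"; then
        printf '%s\n' "$output" | /bin/mail -s "$(subject_for "$output")" "$MAILTO"
    fi
}

# Only run the scan when rkhunter is actually installed on this machine.
if [ -x "$RKHUNTER" ]; then
    run_daily
fi
```

Save it as /etc/cron.daily/rkhunter.sh in place of the simpler script if you prefer a quiet inbox; a day with no mail then means a clean run.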

I did touch on false positives earlier in this article, and they do happen. Sometimes RKHunter does not have information on a particular file (or files) for your distro, so it will report a warning on it. Alternatively, a distro maintainer may incorporate a fix into the currently shipped version (known as backporting) because they know it is stable. The result is that when RKHunter checks for software versions with known vulnerabilities, certain software will report an earlier version number than the one RKHunter considers “safe”, so it will give a warning.

In these cases, you’ll have to check that the software is up to date and that (if RKHunter reports it has been changed) it is an original, unmodified version. You can get more help and report false positives on the users’ mailing list; more details can be found on the project home page.