In this article, we want to teach you to install and Configure Rootkit Hunter (rkhunter) in Linux.
RK Hunter which stands for Rootkit Hunter is an open-source Linux and Unix-based scanner for Linux systems released under GPL that scans backdoors, rootkits, and local exploits on your systems.
It scans hidden files, wrong permissions set on binaries, suspicious strings in the kernel, etc.
Steps To Install and Configure Rootkit Hunter in Linux
Here you can start to install Rootkit Hunter on the Linux system.
In this part, we want to show you how to install Rootkit Hunter on RPM packages for Centos, RedHat, AlmaLinux, etc., and DEB packages for Debian, Ubuntu, etc.
We run commands as a root user, if you are a non-root user be sure that you have sudo privileges.
Step 1- Set Up Rootkit Hunter on AlmaLinux / Centos / RHEL
First, you need to download the latest version of the Rootkit Hunter tool by visiting the Rootkit Hunter project page.
Navigate to the tmp directory, copy the link address of Rootkit Hunter, and put it in the following wget command:
Note: If you don’t have the wget tool, you need to install it first on your server with the following command:
# dnf install wget or # yum install wget
After this, execute the wget command above to download the latest version of Rootkit Hunter in Linux.
When you are finished downloading the Rootkit Hunter, then, you can start to install it.
Run the following commands to install the Rootkit Hunter. Extract your downloaded file with the command below:
tar -xvf rkhunter-1.4.6.tar.gz
Switch to the rkhunter directory:
Next, run the installer script:
./installer.sh --layout default --install
In your output, you should see:
Output Checking system for: Rootkit Hunter installer files: found A web file download command: wget found Starting installation: Checking installation directory "/usr/local": it exists and is writable. Checking installation directories: Directory /usr/local/share/doc/rkhunter-1.4.6: creating: OK Directory /usr/local/share/man/man8: exists and is writable. Directory /etc: exists and is writable. ... Installing ACKNOWLEDGMENTS: OK Installing CHANGELOG: OK Installing FAQ: OK Installing LICENSE: OK Installing README: OK Installing language support files: OK Installing ClamAV signatures: OK Installing rkhunter: OK Installing rkhunter.conf: OK Installation complete
When you are done with the installation of the Rootkit Hunter, you need to update it.
Update Rootkit Hunter on AlmaLinux / Centos / RHEL
You can use the rkhunter updater to fill the database properties in Linux. To do this, run the command below:
Output [ Rootkit Hunter version 1.4.6 ] Checking rkhunter data files... Checking file mirrors.dat [ Updated ] Checking file programs_bad.dat [ No update ] Checking file backdoorports.dat [ No update ] Checking file suspscan.dat [ No update ] Checking file i18n/cn [ No update ] Checking file i18n/de [ No update ] Checking file i18n/en [ No update ] Checking file i18n/tr [ No update ] Checking file i18n/tr.utf8 [ No update ] Checking file i18n/zh [ No update ] Checking file i18n/zh.utf8 [ No update ] Checking file i18n/ja [ No update ]
Then run the following command:
Output [ Rootkit Hunter version 1.4.6 ] File created: searched for 176 files, found 129, missing hashes 1
Set up Cronjob for Rkhunter
At this point, you can set up cronjob and Email alerts for Rootkit Hunter in Linux.
Here, you need to create a file named rkhunter.sh under the /etc/crondaily/ directory.
It will scan your file system every day and send an email notification to your email address. To do this, you can use your favorite text editor to create the file like vi editor or nano editor. Here we use vi text editor:
Then, add the following lines to your file. Remember to replace the server name and email address with yours.
#!/bin/sh ( /usr/local/bin/rkhunter --versioncheck /usr/local/bin/rkhunter --update /usr/local/bin/rkhunter --cronjob --report-warnings-only ) | /bin/mail -s 'rkhunter Daily Run (your-server-name)' email@example.com
Now set the correct permissions to your file with the following command:
chmod 755 /etc/cron.daily/rkhunter.sh
Step 2 – Set Up Rootkit Hunter on Debian / Ubuntu
To install Rootkit Hunter on Debian / Ubuntu Linux distros follow these instructions.
First, you need to update the APT packages with the following command:
Then install Rootkit with the following command:
apt install rkhunter
Configure rkhunter on Debian / Ubuntu
Now you need to edit the Rootkit hunter config file. Run the command below to open the file, you can use your favorite editor:
Be sure that the following lines are set to these:
UPDATE_MIRRORS=1 MIRRORS_MODE=0 WEB_CMD="" ALLOW_SSH_PROT_V1=0
Here, you need to enable cronjobs. Run the following command to open the Rootkit default file:
Set the following lines to these:
CRON_DAILY_RUN="true" CRON_DB_UPDATE="true" APT_AUTOGEN="true"
You can check your configuration with:
To check that you have the latest Rootkit definitions, run the following command:
Then, check your version is up to date with:
Output [ Rootkit Hunter version 1.4.6 ] Checking rkhunter version... This version : 1.4.6 Latest version: 1.4.6
Now run the command below to update the rkhunter data file of stored values with the current values:
Here, you can see how Rootkit Hunter works in Linux.
Step 3 – Use Rootkit Hunter in Linux Terminal
Run the following command to scan the entire file system:
When you run the Rootkit hunter command, in your output, you will see something similar to this:
... /usr/bin/dirname [ OK ] /usr/bin/dmesg [ OK ] /usr/bin/du [ OK ] /usr/bin/echo [ OK ] /usr/bin/ed [ OK ] /usr/bin/egrep [ Warning ] /usr/bin/env [ OK ] /usr/bin/fgrep [ Warning ] /usr/bin/file [ OK ] /usr/bin/find [ OK ] ... [Press <ENTER> to continue] Checking for rootkits... Performing check of known rootkit files and directories 55808 Trojan - Variant A [ Not found ] ADM Worm [ Not found ] AjaKit Rootkit [ Not found ] Adore Rootkit [ Not found ] aPa Kit [ Not found ] Apache Worm [ Not found ] Ambient (ark) Rootkit [ Not found ] [Press <ENTER> to continue] Performing additional rootkit checks Suckit Rootkit additional checks [ OK ] .... Performing malware checks Checking running processes for suspicious files [ None found ] Checking for login backdoors [ None found ] Checking for sniffer log files [ None found ] Checking for suspicious directories [ None found ] ... Checking kernel module names [ OK ] [Press <ENTER> to continue] Checking the network... Performing checks on the network ports Checking for backdoor ports [ None found ] ... Checking for an SSH configuration file [ Found ] [Press <ENTER> to continue] System checks summary ===================== File properties checks... Files checked: 129 Suspect files: 6 Rootkit checks... Rootkits checked : 380 Possible rootkits: 0 Applications checks... All checks skipped The system checks took: 2 minutes and 21 seconds All results have been written to the log file: /var/log/rkhunter.log One or more warnings have been found while checking the system. Please check the log file (/var/log/rkhunter.log)
The above command generates a log file under /var/log/rkhunter.log with the check results made by Rootkit Hunter.
Run the following command to check the rkhunter log file:
Output .... [05:41:44] System checks summary [05:41:44] ===================== [05:41:44] [05:41:44] File properties checks... [05:41:44] Files checked: 129 [05:41:44] Suspect files: 6 [05:41:44] [05:41:44] Rootkit checks... [05:41:44] Rootkits checked : 380 [05:41:44] Possible rootkits: 0 [05:41:44] [05:41:44] Applications checks... [05:41:44] All checks skipped [05:41:44] [05:41:44] The system checks took: 2 minutes and 21 seconds [05:41:44] [05:41:44] Info: End date is Wed Sep 8 05:41:44 EDT 2021
Also, for more information about Rootkit Hunter, you can use the following command:
Or, you can read the man page for rkhunter in Linux:
At this point, you learn what is RKH, and also, you know How to install and configure Rootkit Hunter (rkhunter) in Linux Terminal.
Hope you enjoy it.
You may like these articles: