In this article, we will explore how to install and configure RKHunter (Rootkit Hunter) on a Linux system. RKHunter is an essential tool for the security of any server, as it allows the detection of rootkits, backdoors, and local exploits on UNIX systems. We will detail each step, from installation to configuration and scheduling automatic scans. This tutorial is designed for users with basic knowledge of Linux system administration.
Installation of RKHunter
Step 1: Update the Repositories
Before installing any new package, it is always a good practice to make sure that the system repositories are up-to-date. This can be done with the command apt update.
apt update
Step 2: Install RKHunter
Once the repositories are updated, we can proceed to install RKHunter along with the basic system tools (coreutils).
apt install coreutils rkhunter -y
Step 3: Download RKHunter Database Repositories
For RKHunter to be able to update itself, it needs the mirrors list (mirrors.dat) that tells it which servers host its data files. We download it with curl into RKHunter's database directory.
curl https://rkhunter.sourceforge.net/1.4/mirrors.dat > /var/lib/rkhunter/db/mirrors.dat
Configuration of RKHunter
Common Issue: Unable to Update
If we try to update RKHunter immediately after installation, we are likely to encounter an error similar to the following:
root@host# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ Skipped ]
  Checking file programs_bad.dat                             [ Update failed ]
  Checking file backdoorports.dat                            [ Update failed ]
  Checking file suspscan.dat                                 [ Update failed ]
  Checking file i18n versions                                [ Update failed ]

Please check the log file (/var/log/rkhunter.log)
Solution: Edit the Configuration File
To solve this problem, we need to edit the RKHunter configuration file (/etc/rkhunter.conf). We will use vi or any other text editor we prefer.
vi /etc/rkhunter.conf
Inside the file, we modify the following parameters:
PKGMGR=DPKG
WEB_CMD=wget
UPDATE_MIRRORS=1
MIRRORS_MODE=0
Update of RKHunter
After making these changes, we can try to update RKHunter again.
rkhunter --update
If all goes well, we should see a message indicating that the files have been updated successfully.
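The same four settings can be applied without opening an editor, which matters when the change has to be repeated on many hosts. This is an added example, not code from rkhunter or from the article; it assumes the config file path is passed as the first argument (for example /etc/rkhunter.conf) and otherwise works on a constructed sample.

```shell
#!/bin/sh
# Added example (not part of rkhunter or this article): apply the four settings
# from the configuration step to rkhunter.conf idempotently, so the change is
# repeatable on many hosts. Pass the real config path as $1.
set -eu

# set_conf_option FILE KEY VALUE
# Rewrites the first active (uncommented) KEY=... line, drops further active
# duplicates so rkhunter sees a single value, leaves commented-out lines alone,
# and appends KEY=VALUE when no active line exists.
set_conf_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[ \t]*" k "[ \t]*=") {
            if (!done) { print k "=" v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # keeps the original file's owner and mode
    rm -f "$tmp"
}

# get_conf_option FILE KEY -> effective value (last active assignment, empty if none)
get_conf_option() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" | tail -n 1
}

# configure_rkhunter_updates FILE: the values from the article's configuration step
configure_rkhunter_updates() {
    set_conf_option "$1" PKGMGR DPKG
    set_conf_option "$1" WEB_CMD wget
    set_conf_option "$1" UPDATE_MIRRORS 1
    set_conf_option "$1" MIRRORS_MODE 0
}

# Demo: edit the file given as $1 (e.g. /etc/rkhunter.conf), or a constructed
# sample that mimics a fresh install in which updates are disabled.
conf=${1:-}
if [ -z "$conf" ]; then
    conf=$(mktemp)
    printf '%s\n' '#WEB_CMD=wget' 'WEB_CMD="/bin/false"' 'PKGMGR=NONE' > "$conf"
fi
configure_rkhunter_updates "$conf"
cat "$conf"
```

After running it against the real file, `rkhunter --update` should succeed as described above; running the script twice leaves the file unchanged.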
Version Verification
We can verify that we are using the latest version of RKHunter with the following command:
rkhunter --versioncheck
Performing a System Scan
Once RKHunter is configured and updated, we can proceed to perform a complete system scan.
rkhunter --check
Example Output from a Scan
During the scan, RKHunter will check various aspects of the system, including system commands, shared libraries, and suspicious files. Here is an example of what we might see:
[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/cron                                           [ OK ]
    /usr/sbin/depmod                                         [ OK ]
    /usr/sbin/fsck                                           [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/ifconfig                                       [ OK ]
    /usr/sbin/init                                           [ OK ]
    /usr/sbin/insmod                                         [ OK ]
    /usr/sbin/ip                                             [ OK ]
    /usr/sbin/lsmod                                          [ OK ]
    /usr/sbin/modinfo                                        [ OK ]
    /usr/sbin/modprobe                                       [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/rmmod                                          [ OK ]
    /usr/sbin/route                                          [ OK ]
    /usr/sbin/rsyslogd                                       [ OK ]
    /usr/sbin/runlevel                                       [ OK ]
    /usr/sbin/sshd                                           [ OK ]
    /usr/sbin/sulogin                                        [ OK ]
    /usr/sbin/sysctl                                         [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
    /usr/sbin/vipw                                           [ OK ]
    /usr/sbin/unhide                                         [ OK ]
    /usr/sbin/unhide-linux                                   [ OK ]
    /usr/sbin/unhide-posix                                   [ OK ]
    /usr/sbin/unhide-tcp                                     [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/bash                                            [ OK ]
    /usr/bin/cat                                             [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/chmod                                           [ OK ]
    /usr/bin/chown                                           [ OK ]
    /usr/bin/cp                                              [ OK ]
    /usr/bin/curl                                            [ OK ]
    /usr/bin/cut                                             [ OK ]
    /usr/bin/date                                            [ OK ]
    /usr/bin/df                                              [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                         [ OK ]
    /usr/bin/dmesg                                           [ OK ]
    /usr/bin/dpkg                                            [ OK ]
    /usr/bin/dpkg-query                                      [ OK ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/echo                                            [ OK ]
    /usr/bin/ed                                              [ OK ]
    /usr/bin/egrep                                           [ OK ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/fgrep                                           [ OK ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/fuser                                           [ OK ]
    /usr/bin/grep                                            [ OK ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/ip                                              [ OK ]
    /usr/bin/ipcs                                            [ OK ]
    /usr/bin/kill                                            [ OK ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ OK ]
    /usr/bin/lastlog                                         [ OK ]
    /usr/bin/ldd                                             [ OK ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/login                                           [ OK ]
    /usr/bin/ls                                              [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/lsmod                                           [ OK ]
    /usr/bin/lsof                                            [ OK ]
    /usr/bin/mail                                            [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/mktemp                                          [ OK ]
    /usr/bin/more                                            [ OK ]
    /usr/bin/mount                                           [ OK ]
    /usr/bin/mv                                              [ OK ]
    /usr/bin/netstat                                         [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ OK ]
    /usr/bin/pgrep                                           [ OK ]
    /usr/bin/ping                                            [ OK ]
    /usr/bin/pkill                                           [ OK ]
    /usr/bin/ps                                              [ OK ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/pwd                                             [ OK ]
    /usr/bin/readlink                                        [ OK ]
    /usr/bin/rkhunter                                        [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sed                                             [ OK ]
    /usr/bin/sh                                              [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ OK ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ OK ]
    /usr/bin/sha512sum                                       [ OK ]
    /usr/bin/size                                            [ OK ]
    /usr/bin/sort                                            [ OK ]
    /usr/bin/ssh                                             [ OK ]
    /usr/bin/stat                                            [ OK ]
    /usr/bin/strace                                          [ OK ]
    /usr/bin/strings                                         [ OK ]
    /usr/bin/su                                              [ OK ]
    /usr/bin/sudo                                            [ OK ]
    /usr/bin/tail                                            [ OK ]
    /usr/bin/telnet                                          [ OK ]
    /usr/bin/test                                            [ OK ]
    /usr/bin/top                                             [ OK ]
    /usr/bin/touch                                           [ OK ]
    /usr/bin/tr                                              [ OK ]
    /usr/bin/uname                                           [ OK ]
    /usr/bin/uniq                                            [ OK ]
    /usr/bin/users                                           [ OK ]
    /usr/bin/vmstat                                          [ OK ]
    /usr/bin/w                                               [ OK ]
    /usr/bin/watch                                           [ OK ]
    /usr/bin/wc                                              [ OK ]
    /usr/bin/wget                                            [ OK ]
    /usr/bin/whatis                                          [ OK ]
    /usr/bin/whereis                                         [ OK ]
    /usr/bin/which                                           [ OK ]
    /usr/bin/who                                             [ OK ]
    /usr/bin/whoami                                          [ OK ]
    /usr/bin/numfmt                                          [ OK ]
    /usr/bin/kmod                                            [ OK ]
    /usr/bin/systemd                                         [ OK ]
    /usr/bin/systemctl                                       [ OK ]
    /usr/bin/gawk                                            [ OK ]
    /usr/bin/bsd-mailx                                       [ OK ]
    /usr/bin/dash                                            [ OK ]
    /usr/bin/x86_64-linux-gnu-size                           [ OK ]
    /usr/bin/x86_64-linux-gnu-strings                        [ OK ]
    /usr/bin/telnet.netkit                                   [ OK ]
    /usr/bin/which.debianutils                               [ OK ]
    /usr/lib/systemd/systemd                                 [ OK ]

[Press <ENTER> to continue]

...

[Press <ENTER> to continue]

System checks summary
=====================

File properties checks...
    Files checked: 142
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 498
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 4 minutes and 25 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
Automation of Scans with Cron
To ensure that our system remains secure, it’s a good idea to schedule automatic scans. We can do this by editing the /etc/crontab file to add the necessary cron jobs. Don’t forget to modify the destination email to receive the alerts.
vi /etc/crontab
Add the following lines to the file:
0 3 * * * root /usr/bin/rkhunter --update >> /var/log/rkhunter_update.log 2>&1
0 2 * * * root /usr/bin/rkhunter --cronjob --update --report-warnings-only | mail -s "RKHunter Daily Scan" your-email@example.com
With this, we have configured two cron jobs: one that updates RKHunter's data files daily at 3 AM, and one that runs a daily scan at 2 AM (updating first, since the scan line also carries --update) and emails the report only if warnings are found.
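A scheduled scan is only useful if someone acts on it, so it helps to reduce the scan's output to a single verdict the cron job can branch on. The following is an added example, not code from rkhunter or the article: it reads a file containing the scan output (or /var/log/rkhunter.log), pulls the counts from the "System checks summary" block shown above, counts "Warning:" lines (the log-line format with a [HH:MM:SS] prefix is an assumption), and exits non-zero when anything was found.

```shell
#!/bin/sh
# Added example (not part of rkhunter or this article): turn a scan's output
# (or /var/log/rkhunter.log) into a cron-friendly verdict so a job alerts only
# when something was found. Summary labels follow the output shown above; the
# "Warning:" line format with an optional [HH:MM:SS] prefix is assumed.
set -eu

# summary_field FILE LABEL -> number after "LABEL:" in the checks summary (0 if absent)
summary_field() {
    n=$(sed -nE "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*([0-9]+).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${n:-0}"
}

# warning_lines FILE -> individual "Warning:" lines, with or without a log timestamp
warning_lines() {
    grep -E '^(\[[^]]*\] )?Warning:' "$1" || true
}

# scan_verdict FILE -> prints one summary line; exit status 1 when an alert is due
scan_verdict() {
    suspect=$(summary_field "$1" 'Suspect files')
    rootkits=$(summary_field "$1" 'Possible rootkits')
    warnings=$(warning_lines "$1" | wc -l | tr -d ' ')
    verdict=CLEAN
    if [ "$suspect" -gt 0 ] || [ "$rootkits" -gt 0 ] || [ "$warnings" -gt 0 ]; then
        verdict=ALERT
    fi
    printf '%s suspect_files=%s possible_rootkits=%s warnings=%s\n' \
        "$verdict" "$suspect" "$rootkits" "$warnings"
    [ "$verdict" = CLEAN ]
}

# Demo: judge the file given as $1, or a constructed clean summary when none is given.
# In cron (hypothetical script name): redirect the scan output to a file, then
#   ./rkhunter_verdict.sh "$out" || mail -s "RKHunter Daily Scan" your-email@example.com < "$out"
f=${1:-}
if [ -z "$f" ]; then
    f=$(mktemp)
    printf '%s\n' 'Files checked: 142' 'Suspect files: 0' \
        'Rootkits checked : 498' 'Possible rootkits: 0' > "$f"
fi
scan_verdict "$f"
```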