Introduction
rkhunter (Rootkit Hunter) is a widely used tool for Linux administrators, designed to detect rootkits, backdoors and possible local exploits. It works by comparing the system against lists of known rootkit files and strings and against a baseline of file properties that it records itself. This guide covers everything you need to know about using rkhunter, from installation to advanced commands and configurations.
1. Installing rkhunter
On RHEL-based systems (Rocky Linux, AlmaLinux, CentOS), where rkhunter is packaged in EPEL:
On Debian-based systems (Ubuntu, Debian):
Verify Installation
Check the installed version:
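The installation and verification steps of this section combined into one script, as an added example rather than a command from the original guide or from the rkhunter project. It assumes the distribution family can be read from ID and ID_LIKE in /etc/os-release, that RHEL-family systems take rkhunter from EPEL, and uses the documented `--version` and `--config-check` options for the verification step.

```shell
#!/bin/bash
# install-rkhunter.sh: added example, not a command from the original guide or
# from the rkhunter project. Installs rkhunter with the package manager that
# fits the distribution and then verifies the install.
# Assumptions: the distribution family is read from ID / ID_LIKE in
# /etc/os-release, and RHEL-family systems take rkhunter from EPEL.
set -u

# Print "rpm" or "deb" for the given os-release file (ID_LIKE lets derivatives
# such as Rocky -> "rhel centos fedora" or Ubuntu -> "debian" resolve).
pkg_family() {
    local ids
    ids=$(awk -F= '$1=="ID" || $1=="ID_LIKE" { gsub(/"/, "", $2); printf "%s ", $2 }' "$1")
    case " $ids " in
        *" rhel "*|*" fedora "*|*" centos "*|*" rocky "*|*" almalinux "*) echo rpm ;;
        *" debian "*|*" ubuntu "*)                                         echo deb ;;
        *) echo unknown; return 1 ;;
    esac
}

install_rkhunter() {
    case $(pkg_family /etc/os-release) in
        rpm)
            # Rocky/AlmaLinux carry epel-release in their base repos; RHEL proper
            # needs the EPEL release package from Fedora first.
            sudo dnf install -y epel-release && sudo dnf install -y rkhunter ;;
        deb)
            sudo apt-get update && sudo apt-get install -y rkhunter ;;
        *)
            echo "unsupported distribution" >&2; return 1 ;;
    esac
}

# Verify: version banner plus a syntax check of the configuration files
# (--config-check exits non-zero on a broken rkhunter.conf).
verify_rkhunter() {
    rkhunter --version && rkhunter --config-check
}

if [ "${1:-}" = --install ]; then
    install_rkhunter && verify_rkhunter
fi
```

Run it as `./install-rkhunter.sh --install`; without the flag it only defines the functions, so `pkg_family` can be tried against any os-release file first.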
2. Configuring rkhunter
Open the Configuration File
Key Options to Configure
- Email Alerts (this needs a working local mail command; MAIL_CMD in the same file sets which one is used):
MAIL-ON-WARNING=admin@yourdomain.com
- Expected SSH Root Login Setting (rkhunter compares this value with PermitRootLogin in sshd_config and warns on a mismatch; it does not change sshd itself):
ALLOW_SSH_ROOT_USER=no
- Disable Specific Tests (optional; suspscan is already disabled in the shipped default configuration because it is resource-intensive and prone to false positives):
DISABLE_TESTS=suspscan
3. Understanding Key Configuration Files
Difference Between /etc/sysconfig/rkhunter and /etc/rkhunter.conf
/etc/sysconfig/rkhunter
- Located in the /etc/sysconfig directory, this file holds environment-specific settings. It is sourced by the packaged daily cron script, not by rkhunter itself. Debian-based systems keep the equivalent in /etc/default/rkhunter (REPORT_EMAIL, CRON_DAILY_RUN and related variables).
- Example: configure the MAILTO variable here to set where the report of the automated daily scan is sent.
- Example setting:
MAILTO=admin@yourdomain.com
/etc/rkhunter.conf
- The main configuration file, read by rkhunter on every run, where you define core tool settings.
- Controls which tests run, which warnings are generated, and how rkhunter behaves.
- Examples:
MAIL-ON-WARNING=admin@yourdomain.com – email alerts for warnings.
ALLOW_SSH_ROOT_USER=no – the PermitRootLogin value rkhunter expects to find in sshd_config.
DISABLE_TESTS=suspscan – disable optional tests.
In short: /etc/rkhunter.conf manages rkhunter functionality; /etc/sysconfig/rkhunter customizes how the system integrates and automates rkhunter operations.
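Sections 2 and 3 above both come down to setting KEY=VALUE options in these two files. The script below, an added example that is not part of rkhunter or of the original guide, sets an option without duplicating it (it replaces the commented-out example line that the shipped rkhunter.conf carries for most options), reads the effective value back, and checks ALLOW_SSH_ROOT_USER against what sshd is actually configured to do, which is the check rkhunter itself performs. It assumes options are single-valued (first match wins), that the sshd_config has no Match blocks, and that an unset PermitRootLogin means OpenSSH's default of prohibit-password. The demo at the end works on constructed copies of the files, never on the live ones.

```shell
#!/bin/bash
# rkhunter-conf.sh: added example, not part of rkhunter. Helpers to set and
# read KEY=VALUE options in /etc/rkhunter.conf or /etc/sysconfig/rkhunter,
# plus a check that ALLOW_SSH_ROOT_USER matches sshd's PermitRootLogin.
# Assumptions: options are single-valued (first KEY= line wins); an unset
# PermitRootLogin means OpenSSH's default "prohibit-password".
set -u

# Set KEY=VALUE in a config file: replace the first (even commented-out)
# KEY= line, otherwise append. The file is rewritten in place, so its
# mode and ownership are preserved.
set_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)         # drop leading blanks / "#"
            if (!done && index(line, k "=") == 1) {  # first KEY= line
                print k "=" v; done = 1; next
            }
            print
        }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Effective value of KEY: the last uncommented KEY= line (empty if unset).
get_option() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

# PermitRootLogin from an sshd_config. sshd uses the first value it reads;
# the global section only (stop at the first Match block).
sshd_permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" && v == "" { v = tolower($2) }
         END { print (v == "" ? "prohibit-password" : v) }' "$1"
}

# rkhunter only warns on a mismatch here; it never changes sshd.
# without-password and prohibit-password are synonyms in OpenSSH.
ssh_root_setting_consistent() {
    local want have
    want=$(get_option "$1" ALLOW_SSH_ROOT_USER | tr 'A-Z' 'a-z')
    have=$(sshd_permit_root_login "$2")
    [ "$want" = without-password ] && want=prohibit-password
    [ "$have" = without-password ] && have=prohibit-password
    [ -z "$want" ] || [ "$want" = unset ] || [ "$want" = "$have" ]
}

# Demo on constructed copies (never edit the live files without a backup).
demo=$(mktemp -d)
printf '#MAIL-ON-WARNING=me@mydomain\nALLOW_SSH_ROOT_USER=unset\n' > "$demo/rkhunter.conf"
printf 'Port 22\nPermitRootLogin no\n' > "$demo/sshd_config"
set_option "$demo/rkhunter.conf" MAIL-ON-WARNING admin@yourdomain.com
set_option "$demo/rkhunter.conf" ALLOW_SSH_ROOT_USER no
cat "$demo/rkhunter.conf"
ssh_root_setting_consistent "$demo/rkhunter.conf" "$demo/sshd_config" \
    && echo "sshd PermitRootLogin agrees with ALLOW_SSH_ROOT_USER"
rm -rf "$demo"
```

The same `set_option` call works for MAILTO in /etc/sysconfig/rkhunter, since that file uses the same KEY=VALUE syntax. After editing the live configuration, run `rkhunter --config-check` so a typo is caught before the next scheduled scan.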
4. Common Commands and Examples
A. Run a Full System Scan
B. Skip Interactive Prompts
Useful for automation:
C. Generate a Detailed Report
Output only warnings in scan results:
Reports are written to the log file set by the LOGFILE option in /etc/rkhunter.conf:
D. Update rkhunter's Data Files
Keep the data files (lists of known rootkit file names, suspicious strings and similar) updated from the project mirror. Debian and Ubuntu packages disable this network update on purpose (WEB_CMD="/bin/false") and deliver the data files through the package instead, so the command fails there by design:
E. Update File Properties Database
Run this after package updates or new installations, but only once you have confirmed the changes are legitimate: it rebuilds the baseline that the file properties test compares against, so running it on an already compromised system teaches rkhunter to trust the tampered files:
5. Automating rkhunter Scans
Use Cron to Schedule Scans
- Open the crontab file:
sudo crontab -e
- Add this line to schedule a daily scan at 2 AM (--cronjob implies --check, --sk and --nocolors, which keeps colour codes out of the mail; note that this sends a report every day, even an empty one):
0 2 * * * /usr/bin/rkhunter --cronjob --report-warnings-only | mail -s "rkhunter Daily Report" admin@yourdomain.com
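A wrapper that does what the cron line above does, but handles the details the one-liner cannot: it refreshes the data files first (except where the package disables that), refuses to overlap with a still-running scan, and mails only when there is something to read, using the subject line to say whether action is needed. This is an added example, not part of rkhunter or of the original guide. It assumes rkhunter is at /usr/bin/rkhunter and exits 0 only when no warnings were raised (and that --update exits 2 when files were refreshed, as its man page states), that mail(1) is installed, and that /run/lock exists for the lock file.

```shell
#!/bin/bash
# rkhunter-cron.sh: added example wrapper for scheduled scans (not part of
# rkhunter or of the guide's original cron line). Assumptions: rkhunter is
# /usr/bin/rkhunter and exits 0 only when no warnings were raised; --update
# exits 2 when data files were refreshed; mail(1) is installed; /run/lock exists.
set -u
RKHUNTER=${RKHUNTER:-/usr/bin/rkhunter}
RECIPIENT=${RECIPIENT:-admin@yourdomain.com}
CONF=${CONF:-/etc/rkhunter.conf}
LOCK=${LOCK:-/run/lock/rkhunter-cron.lock}

# Debian/Ubuntu ship the data files inside the package and set
# WEB_CMD="/bin/false" so that --update fails on purpose. Skip it there.
update_allowed() {
    ! grep -Eq '^[[:space:]]*WEB_CMD=["'"'"']?/bin/false' "$1"
}

# Subject line that tells the admin at a glance whether to act.
subject_for() {
    case $1 in
        0) echo "rkhunter: clean on $(hostname)" ;;
        *) echo "rkhunter: WARNINGS (exit $1) on $(hostname)" ;;
    esac
}

run_scan() {
    # Refresh data files first where permitted, or the check uses stale lists.
    if update_allowed "$CONF"; then
        "$RKHUNTER" --update --nocolors >/dev/null
        case $? in 0|2) ;; *) echo "rkhunter --update failed" >&2 ;; esac
    fi
    # --cronjob = --check --skip-keypress --nocolors; --rwo prints only warnings.
    "$RKHUNTER" --cronjob --report-warnings-only
}

main() {
    local out status
    # A slow scan must not overlap with the next cron run.
    exec 9>"$LOCK"
    flock -n 9 || { echo "rkhunter scan already running" >&2; exit 0; }
    out=$(run_scan 2>&1); status=$?
    # Mail only when there is something to read; a silent day means "clean".
    if [ "$status" -ne 0 ] || [ -n "$out" ]; then
        printf '%s\n' "$out" | mail -s "$(subject_for "$status")" "$RECIPIENT"
    fi
    exit "$status"
}

if [ "${1:-}" = --run ]; then
    main
fi
```

Install it as `0 2 * * * /usr/local/sbin/rkhunter-cron.sh --run` and leave MAIL-ON-WARNING set as well; the two paths are independent, so an alert still arrives if the wrapper itself is ever disabled.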
6. Key Tests Performed by rkhunter
A. Rootkit Detection
Checks for the files, directories and strings that known rootkits leave behind:
B. File Properties Check
Detects changes to system commands by comparing their hash, size, permissions, owner and inode against the baseline recorded with --propupd:
C. Hidden Files Check
Finds hidden files and directories in system locations (legitimate ones are allowlisted with ALLOWHIDDENDIR and ALLOWHIDDENFILE):
D. Malware Suspect Files
Checks for signs of malware: deleted files still held open by processes, hidden processes and ports, and, when suspscan is enabled, suspicious strings in files under temporary directories. rkhunter works from lists of known names and strings rather than antivirus-style signatures:
7. Analyzing Logs and Reports
View Recent Logs
Search for Warnings (every warning is logged as a line containing "Warning:")
Export Logs for Sharing
8. Troubleshooting
A. Warning: File Properties Have Changed
First confirm that the change is legitimate, for example that the file was replaced by a package update (rpm -V or dpkg --verify report no mismatch, and the package manager's history shows the update). Only then update the file properties database; doing it first would bake the change into the baseline:
B. Warning: Found Suspicious File
Investigate manually: check whether a package owns the file, its owner and timestamps, and what kind of file it is, before deleting or allowlisting anything:
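The log analysis of section 7 and the two triage steps above, as an added example script that is not part of rkhunter or of the original guide. It extracts the warnings from an rkhunter log, lists the files behind "file properties have changed" warnings, and checks each one against the owning package with rpm -V or dpkg --verify, so --propupd is only run once every change is explained. It assumes log lines have the form "[HH:MM:SS] Warning: ..." with the detail lines of a properties warning indented as "File: /path", and that the log lives at /var/log/rkhunter.log (Debian) or /var/log/rkhunter/rkhunter.log (EPEL). The sample log at the end is constructed for the demo, not taken from a real scan.

```shell
#!/bin/bash
# rkhunter-triage.sh: added example, not part of rkhunter or the original guide.
# Extracts the warnings from an rkhunter log, lists the files behind
# "file properties have changed" warnings and checks each against the package
# manager, so that --propupd is only run once every change is explained.
# Assumptions: log lines look like "[HH:MM:SS] Warning: ..." with the detail
# lines of a properties warning indented as "File: /path"; the log lives at
# /var/log/rkhunter.log (Debian) or /var/log/rkhunter/rkhunter.log (EPEL).
set -u

find_log() {
    local f
    for f in /var/log/rkhunter.log /var/log/rkhunter/rkhunter.log; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Every warning line with its timestamp stripped (one line per occurrence).
warnings() {
    sed -n 's/^\[[0-9:]*\] *Warning: */Warning: /p' "$1"
}

# Paths reported under "The file properties have changed" warnings.
changed_files() {
    awk '/\] *Warning: The file properties have changed/ { inprop = 1; next }
         /\] *Warning:/                                   { inprop = 0 }
         inprop && $2 == "File:"                          { print $3 }' "$1" | sort -u
}

# "ok" if the owning package says the file is unmodified (a legitimate
# update), "modified" if it differs, "unowned" if no package owns it.
verify_file() {
    local f=$1 pkg
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" >/dev/null 2>&1 || { echo "unowned  $f"; return 2; }
        # rpm -V prints one line per mismatching file, path in the last field.
        if rpm -Vf "$f" 2>/dev/null | awk -v f="$f" '$NF == f' | grep -q .; then
            echo "modified $f"; return 1
        fi
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$f" 2>/dev/null | sed -n '1{s/:.*//;s/,.*//;p;}')
        [ -n "$pkg" ] || { echo "unowned  $f"; return 2; }
        if dpkg --verify "$pkg" 2>/dev/null | awk -v f="$f" '$NF == f' | grep -q .; then
            echo "modified $f"; return 1
        fi
    else
        echo "no rpm or dpkg found; verify $f by hand" >&2; return 3
    fi
    echo "ok       $f"
}

# Triage a log: summarise warnings, then one verdict per changed file.
# Returns 0 only when every changed file is "ok", i.e. --propupd is justified.
triage() {
    local log=${1:-$(find_log)} f bad=0
    warnings "$log" | sort | uniq -c | sort -rn
    for f in $(changed_files "$log"); do    # system paths: no spaces expected
        verify_file "$f" || bad=1
    done
    return $bad
}

# Constructed sample log in the shape rkhunter writes (not from a real scan).
write_sample_log() {
    cat > "$1" <<'EOF'
[02:00:01] Info: Start date is Mon Jan  1 02:00:01 2024
[02:00:03]   /usr/bin/ls                                      [ Warning ]
[02:00:03] Warning: The file properties have changed:
[02:00:03]          File: /usr/bin/ls
[02:00:03]          Current hash: 2b1c... (constructed)
[02:00:03]          Stored hash : 9f0e... (constructed)
[02:00:04]   /usr/bin/ss                                      [ Warning ]
[02:00:04] Warning: The file properties have changed:
[02:00:04]          File: /usr/bin/ss
[02:00:09] Warning: Hidden directory found: /etc/.java
[02:00:09] Warning: Hidden directory found: /etc/.java
[02:00:10] Info: End date is Mon Jan  1 02:00:10 2024
EOF
}

sample=$(mktemp); write_sample_log "$sample"
warnings "$sample" | sort | uniq -c; changed_files "$sample"
rm -f "$sample"
```

On a live system, `triage` with no argument reads the real log; a "modified" or "unowned" verdict means the file needs a look before anyone runs --propupd, and for an "unowned" file the same `rpm -qf`/`dpkg -S` lookup plus `stat` and `file` is the manual investigation step B asks for.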
C. Email Alerts Not Received
- Make sure the mail command named by MAIL_CMD in /etc/rkhunter.conf (mail by default) is installed; without it MAIL-ON-WARNING sends nothing.
- Check the Postfix mail queue:
sudo postqueue -p
- Review mail logs (the file is /var/log/mail.log on Debian-based systems):
sudo tail -f /var/log/maillog
9. Advanced Options
A. Customizing Tests
Disable specific tests:
B. Running Specific Tests
Run only selected tests (a test runs only if it is enabled and not disabled, so pair --enable with --disable none, otherwise tests listed in DISABLE_TESTS stay off):
C. Silent Mode
Run without console output:
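The three options of this section put together, as an added example that is not part of rkhunter or of the original guide: a fast, quiet pass over a chosen subset of tests (for instance rootkits only, during an incident), with the requested test names checked against `rkhunter --list tests` first so a typo is caught before the scan runs. It assumes that `--list tests` prints the valid names on the line(s) following "Current test names:", and that a test runs only when it is enabled and not disabled, hence `--disable none`. The listing used in the demo is constructed.

```shell
#!/bin/bash
# rkhunter-subset.sh: added example (not part of rkhunter) for running a chosen
# set of tests quietly, e.g. a rootkit-only pass during an incident.
# Assumptions: `rkhunter --list tests` prints the valid names on the line(s)
# after "Current test names:"; a test has to be enabled AND not disabled to run,
# so --disable none accompanies --enable.
set -u
RKHUNTER=${RKHUNTER:-/usr/bin/rkhunter}

# Parse the names out of `rkhunter --list tests` output (read from stdin).
parse_test_names() {
    awk '/^Current test names:/ { grab = 1; next }
         grab && (NF == 0 || /^Grouped/) { grab = 0 }
         grab { for (i = 1; i <= NF; i++) print $i }'
}

# Reject typos before they reach rkhunter: names the bad ones, returns 1.
validate_tests() {
    local wanted=$1 known=$2 t bad=0
    for t in $(echo "$wanted" | tr ',' ' '); do
        if ! printf '%s\n' "$known" | grep -qx "$t"; then
            echo "unknown test: $t" >&2; bad=1
        fi
    done
    return $bad
}

# Run only the requested tests. --quiet prints nothing, so the exit status
# (0 = no warnings) is the only signal, which is exactly what a script wants.
run_subset() {
    local tests=$1 known
    known=$("$RKHUNTER" --list tests | parse_test_names)
    validate_tests "$tests" "$known" || return 2
    "$RKHUNTER" --check --skip-keypress --nocolors --quiet \
        --enable "$tests" --disable none
}

# Demo against a constructed listing (shape assumed, see header comment).
demo_listing='Current test names:
    additional_rkts all apps hidden_procs known_rkts none properties rootkits suspscan

Grouped test names:
    rootkits => additional_rkts known_rkts'
known=$(printf '%s\n' "$demo_listing" | parse_test_names)
validate_tests "rootkits,properties" "$known" && echo "names ok"
validate_tests "rootkit,properties" "$known" || echo "rejected, as expected"
```

Use it as `run_subset rootkits,properties; echo "exit $?"`; a non-zero status then means either a warning from rkhunter (read the log) or, with status 2, a test name that does not exist on this version.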
Conclusion
rkhunter is an essential tool for Linux administrators to identify signs of compromise early. By configuring both /etc/sysconfig/rkhunter and /etc/rkhunter.conf, you can tailor email alerts, tests, and automation to suit your needs. Regular scans, data file updates, a file properties baseline that is only refreshed after verified changes, and log monitoring give you a dependable way to detect tampering; rkhunter detects, so patching and access control still have to do the preventing.
Bookmark this guide for quick reference and stay secure!