Introduction

rkhunter (Rootkit Hunter) is a powerful tool for Linux administrators, designed to detect rootkits, backdoors, and other vulnerabilities. This guide covers everything you need to know about using rkhunter, from installation to advanced commands and configurations.


1. Installing rkhunter

On RHEL-based systems (Rocky Linux, AlmaLinux, CentOS):

sudo dnf install epel-release -y
sudo dnf install rkhunter -y

On Debian-based systems (Ubuntu, Debian):

sudo apt update
sudo apt install rkhunter -y

Verify Installation

Check the installed version:

rkhunter --version

2. Configuring rkhunter

Open the Configuration File

sudo nano /etc/rkhunter.conf

Key Options to Configure


  • Email Alerts: MAIL-ON-WARNING=admin@yourdomain.com
  • Allow Root SSH Login: ALLOW_SSH_ROOT_USER=no
  • Disable Specific Tests (optional): DISABLE_TESTS=suspscan

3. Common Commands and Examples

A. Run a Full System Scan

Scan the system for rootkits, malware, and vulnerabilities:

sudo rkhunter --check

B. Skip Interactive Prompts

Use this for automation:

sudo rkhunter --check --sk

C. Report Only Warnings

Print only the warnings from the scan, which keeps the output short enough to mail:

sudo rkhunter --check --report-warnings-only

The full log of each run, including the tests that passed, is written to:

/var/log/rkhunter.log

D. Update rkhunter’s Database

Keep the signature database updated:

sudo rkhunter --update

E. Update File Properties Database

Run this after package updates or new installations so the new file states become the trusted baseline. Run it only for changes you know are legitimate: it records the current state of every checked file as "known good", so it would also make an unexplained modification look normal to later scans:

sudo rkhunter --propupd

4. Automating rkhunter Scans

Use Cron to Schedule Scans

  1. Open the crontab file: sudo crontab -e
  2. Add this line to schedule a daily scan at 2 AM: 0 2 * * * /usr/bin/rkhunter --check --sk --report-warnings-only | mail -s "rkhunter Daily Report" admin@yourdomain.com

5. Key Tests Performed by rkhunter

A. Rootkit Detection

Scans system binaries for known rootkits. Tests are selected with --enable; only the listed tests are run:

sudo rkhunter --check --enable rootkits

B. File Permissions Check

Detects changes to the stored file properties of system binaries, including permissions, ownership, hashes and size:

sudo rkhunter --check --enable properties

C. Hidden Files Check

Finds hidden files and directories (part of the filesystem test):

sudo rkhunter --check --enable filesystem

D. Malware Suspect Files

Checks for files with known malware signatures:

sudo rkhunter --check --enable malware

6. Analyzing Logs and Reports

View Recent Logs

sudo tail -f /var/log/rkhunter.log

Search for Warnings

sudo grep "Warning" /var/log/rkhunter.log

Export Logs for Sharing

sudo cp /var/log/rkhunter.log ~/rkhunter_scan_report.txt
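Sections 4 and 6 together call for a small wrapper, so here is an added example (my own code, not part of rkhunter or this guide): a POSIX sh script that mails only when a run produced warnings or failed, and that groups the Warning: lines of a log by the test that raised them. It assumes rkhunter at /usr/bin/rkhunter, a working mail command, and rkhunter's exit status of 0 for a clean run and 1 when warnings were found; the log excerpt inside the script is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of rkhunter or this guide: a cron wrapper that mails
# only when there is something to act on, plus a per-test "Warning:" summary.

# Print each "Warning:" line of an rkhunter log (file $1, or stdin),
# prefixed with the test that produced it, taken from the preceding
# "Info: Starting test name '...'" line. Exit status 1 if any were found.
rkhunter_warnings() {
    awk '
        /Info: Starting test name/ {
            sub(/.*Starting test name /, "")   # keep only the quoted name
            gsub(/[^a-z_]/, "")                # strip the quotes
            test = $0; next
        }
        /Warning:/ {
            n++; sub(/^\[[0-9:]*\] */, "")     # drop the [HH:MM:SS] stamp
            print "[" (test == "" ? "pre-test" : test) "] " $0
        }
        END { if (n > 0) exit 1 }
    ' "${1:--}"
}

# Run the scan as a cron job (--cronjob implies --check --sk --nocolors) and
# mail $1 only on warnings or a failed run, so a clean night sends nothing.
# Assumes exit 0 = no warnings, 1 = warnings found; anything else = error.
rkhunter_cron() {
    rc=0
    report=$(/usr/bin/rkhunter --cronjob --rwo 2>&1) || rc=$?
    case "$rc" in
        0) ;;                                   # clean run: stay quiet
        1) printf '%s\n' "$report" | mail -s "rkhunter: warnings on $(hostname)" "$1" ;;
        *) printf 'rkhunter exited %s\n%s\n' "$rc" "$report" | mail -s "rkhunter: scan FAILED on $(hostname)" "$1" ;;
    esac
    return "$rc"
}

# Constructed log excerpt in rkhunter's log format, for an offline demo.
sample_log() {
    printf '%s\n' \
        "[02:00:01] Info: Starting test name 'properties'" \
        "[02:00:01]   /usr/bin/ssh                        [ Warning ]" \
        "[02:00:01] Warning: The file properties have changed:" \
        "[02:00:09] Info: Starting test name 'filesystem'" \
        "[02:00:09] Warning: Hidden directory found: /etc/.java"
}
# cron: 0 2 * * * /usr/local/bin/rkhunter-cron.sh admin@yourdomain.com
# No argument: run the summary on the constructed excerpt instead.
if [ -n "${1-}" ]; then rkhunter_cron "$1"
else sample_log | rkhunter_warnings || echo "(exit $?: warnings to act on)"; fi
```

To summarize a real log, source the script and run rkhunter_warnings /var/log/rkhunter.log; the non-zero exit status lets a cron job decide whether to mail at all.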

7. Troubleshooting

A. Warning: File Properties Have Changed

First confirm that the change came from a legitimate package update, for example with rpm -V $(rpm -qf /path/to/file) on RHEL-based systems or dpkg --verify on Debian-based systems, then update the file properties database so the new state becomes the baseline:

sudo rkhunter --propupd

B. Warning: Found Suspicious File

Investigate manually: check what kind of file it is and whether an installed package owns it before deciding how to respond:

ls -l /path/to/suspicious_file
file /path/to/suspicious_file
rpm -qf /path/to/suspicious_file   # on Debian-based systems: dpkg -S /path/to/suspicious_file
cat /path/to/suspicious_file

C. Email Alerts Not Received

  • Check the Postfix mail queue: sudo postqueue -p
  • Review mail logs: sudo tail -f /var/log/maillog (on Debian-based systems the file is /var/log/mail.log)

8. Advanced Options

A. Customizing Tests

Disable specific tests in /etc/rkhunter.conf (the same names work with --disable on the command line):

DISABLE_TESTS=apps,filesystem

B. Running Specific Tests

Run only selected tests:

sudo rkhunter --check --enable rootkits,filesystem

C. Silent Mode

Run without console output (results are still written to /var/log/rkhunter.log):

sudo rkhunter --check --quiet

Conclusion

rkhunter is a crucial tool for Linux administrators to identify and mitigate security risks. Regular scans and proper configuration ensure your system remains secure. Automate scans and monitor logs to maintain a robust defense against potential threats.