Introduction

rkhunter (Rootkit Hunter) is a host-based scanner for Linux administrators, designed to detect rootkits, backdoors, and possible local exploits by comparing system commands, files, and settings against stored known-good properties and known rootkit signatures. This guide covers everything you need to know about using rkhunter, from installation to advanced commands and configuration.


1. Installing rkhunter

On RHEL-based systems (Rocky Linux, AlmaLinux, CentOS):

sudo dnf install epel-release -y
sudo dnf install rkhunter -y

On Debian-based systems (Ubuntu, Debian):

sudo apt update
sudo apt install rkhunter -y

Verify Installation

Check the installed version:

rkhunter --version

2. Configuring rkhunter

Open the Configuration File

sudo nano /etc/rkhunter.conf

Key Options to Configure

  • Email alerts: MAIL-ON-WARNING=admin@yourdomain.com
  • Expected SSH root-login setting: ALLOW_SSH_ROOT_USER=no (rkhunter compares this value with PermitRootLogin in sshd_config and warns when the two differ; it does not change sshd itself)
  • Disable specific tests (optional): DISABLE_TESTS=suspscan

3. Understanding Key Configuration Files

Difference Between /etc/sysconfig/rkhunter and /etc/rkhunter.conf

  1. /etc/sysconfig/rkhunter
    • Located in the /etc/sysconfig directory, this file holds environment-specific settings that the daily cron job sources on RHEL-based systems.
    • Example: set the MAILTO variable here to choose where email alerts from automated scans are sent.
    • Example setting: MAILTO=admin@yourdomain.com
  2. /etc/rkhunter.conf
    • The main configuration file, where the tool's core settings are defined.
    • Controls which tests run, which warnings are generated, and how rkhunter behaves.
    Key options in /etc/rkhunter.conf:
    • MAIL-ON-WARNING=admin@yourdomain.com – email alerts for warnings.
    • ALLOW_SSH_ROOT_USER=no – the value rkhunter expects for PermitRootLogin in sshd_config; a mismatch produces a warning.
    • DISABLE_TESTS=suspscan – disable optional tests.
    Summary:
    • /etc/rkhunter.conf manages rkhunter's own functionality.
    • /etc/sysconfig/rkhunter customizes how the system integrates and automates rkhunter operations.
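To make the split between the two files concrete, here is an added example that is not part of the original guide: a POSIX shell helper that sets a key in either file idempotently (an existing uncommented assignment is replaced, otherwise the line is appended, and commented defaults are left alone), reads it back, and then asks rkhunter to validate the main file with its real --config-check option when rkhunter is installed. The function names and the ability to pass alternative file paths are assumptions made so the helper can be exercised against constructed copies of the files.

```shell
#!/bin/sh
# Idempotently set KEY=VALUE in an rkhunter-style config file. Works for both
# /etc/rkhunter.conf and /etc/sysconfig/rkhunter. An existing uncommented
# assignment is replaced in place; otherwise the line is appended. Commented
# defaults such as "#MAIL-ON-WARNING=..." are left untouched.
set_conf_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        index($0, k "=") == 1 { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the effective value of KEY: the last uncommented assignment wins, which
# is how a shell-sourced file such as /etc/sysconfig/rkhunter behaves.
get_conf_option() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Apply the settings discussed in this guide to both files. The paths and the
# recipient default to the guide's values but can be overridden (assumption made
# for testing against constructed files). When rkhunter is installed, its own
# --config-check validates the resulting main configuration.
configure_rkhunter() {
    main_conf=${1:-/etc/rkhunter.conf}
    sys_conf=${2:-/etc/sysconfig/rkhunter}
    mail_to=${3:-admin@yourdomain.com}

    set_conf_option "$main_conf" MAIL-ON-WARNING "$mail_to" || return 1
    set_conf_option "$main_conf" ALLOW_SSH_ROOT_USER no || return 1
    set_conf_option "$main_conf" DISABLE_TESTS suspscan || return 1
    set_conf_option "$sys_conf" MAILTO "$mail_to" || return 1

    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter --config-check --configfile "$main_conf"
    fi
}
```

Run configure_rkhunter with no arguments as root to apply the guide's settings to the real files; the config check at the end catches typos in option names before the next scheduled scan silently runs with a broken configuration.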

4. Common Commands and Examples

A. Run a Full System Scan

sudo rkhunter --check

B. Skip Interactive Prompts

Useful for automation:

sudo rkhunter --check --sk

C. Generate a Detailed Report

Output only warnings in scan results:

sudo rkhunter --check --report-warnings-only

Reports are saved in:

/var/log/rkhunter.log

D. Update rkhunter’s Database

Keep the signature database updated:

sudo rkhunter --update

E. Update File Properties Database

Run this after updates or new installations:

sudo rkhunter --propupd

5. Automating rkhunter Scans

Use Cron to Schedule Scans

  1. Open the crontab file: sudo crontab -e
  2. Add this line to schedule a daily scan at 2 AM: 0 2 * * * /usr/bin/rkhunter --check --sk --report-warnings-only | mail -s "rkhunter Daily Report" admin@yourdomain.com

6. Key Tests Performed by rkhunter

A. Rootkit Detection

Scans system binaries for known rootkits:

sudo rkhunter --check --test rootkits

B. File Properties Check

Detects changes to the stored properties of system commands (hashes, permissions, ownership, inode) since the last --propupd; the test name is properties, and rkhunter --list tests prints every valid test name:

sudo rkhunter --check --test properties

C. Hidden Files Check

Finds suspicious hidden files and directories (part of the filesystem test):

sudo rkhunter --check --test filesystem

D. Malware Suspect Files

Checks for files with known malware signatures:

sudo rkhunter --check --test malware

7. Analyzing Logs and Reports

View Recent Logs

sudo tail -f /var/log/rkhunter.log

Search for Warnings

sudo grep "Warning" /var/log/rkhunter.log

Export Logs for Sharing

sudo cp /var/log/rkhunter.log ~/rkhunter_scan_report.txt
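Grepping for "Warning" shows every warning, including ones already reviewed and accepted, such as a hidden directory that a package legitimately creates. The following added example (not part of the original guide) extracts the warning lines from an rkhunter log, strips the timestamp, and prints only those not listed in a baseline file of accepted warnings, so a reviewer sees what is new. The log excerpt and the baseline file are constructed for the demonstration; the "[HH:MM:SS] Warning: ..." layout is the one rkhunter writes to its log. The function names and the baseline file format are assumptions.

```shell
#!/bin/sh
# Triage rkhunter warnings against a baseline of already-reviewed ones.

# Print the unique warning messages from an rkhunter log without timestamps.
# Log lines look like "[14:02:11] Warning: Hidden directory found: /etc/.java".
# Continuation lines of a multi-line warning are indented and carry no
# "Warning:" marker, so only the headline of each warning is collected.
extract_warnings() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*\(Warning: .*\)$/\1/p' "$1" | sort -u
}

# Print warnings from LOG that do not appear verbatim in BASELINE (one accepted
# warning per line; '#' comment lines and blank lines are ignored). Returns 1
# when there are new warnings and 0 when everything has been seen before.
new_warnings() {
    log=$1 baseline=$2
    tmp_base=$(mktemp) || return 2
    grep -v '^#' "$baseline" | sed '/^[[:space:]]*$/d' | sort -u > "$tmp_base"
    unseen=$(extract_warnings "$log" | comm -23 - "$tmp_base")
    rm -f "$tmp_base"
    [ -n "$unseen" ] || return 0
    printf '%s\n' "$unseen"
    return 1
}

# Constructed demonstration input: a log excerpt with a repeated, already
# accepted warning and one new warning, plus the matching baseline file.
demo_triage() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/rkhunter.log" <<'EOF'
[02:00:03] Warning: Hidden directory found: /etc/.java
[02:00:03] Warning: The file properties have changed:
[02:00:03]          File: /usr/bin/ls
[02:00:03]          Current hash: 0000constructed0000
[02:00:03]          Stored hash : 1111constructed1111
[02:00:04] Warning: Hidden directory found: /etc/.java
[02:00:05] Info: End date is Mon Jan  1 02:00:05 2024
EOF
    cat > "$dir/accepted-warnings.txt" <<'EOF'
# reviewed: directory belongs to the installed JRE package
Warning: Hidden directory found: /etc/.java
EOF
    new_warnings "$dir/rkhunter.log" "$dir/accepted-warnings.txt"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Against the real log the call is new_warnings /var/log/rkhunter.log /etc/rkhunter-accepted.txt (the baseline path is an assumption). Add a warning to the baseline only after you have established why it occurs; the baseline is a record of reviewed decisions, not a way to quiet the scanner.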

8. Troubleshooting

A. Warning: File Properties Have Changed

Update the file properties database:

sudo rkhunter --propupd
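Running --propupd accepts whatever the files look like right now, so it should only follow a check that the changed files are legitimate (a package update is the usual benign cause). The following is an added example, not from the original guide: it pulls the "File: /path" entries that follow a "file properties have changed" warning out of an rkhunter log and, where the system has rpm or dpkg, verifies each file against the package database with rpm -Vf or dpkg -S plus dpkg -V (dpkg -V requires a reasonably recent dpkg). The decision to run --propupd stays with the administrator. The function names are assumptions, and the log excerpt is constructed in the same "[HH:MM:SS]" layout rkhunter uses.

```shell
#!/bin/sh
# List the files rkhunter reported as changed, then verify them against the
# package manager before trusting them with --propupd.

# Print each path named on a "File: /path" continuation line of the log, once.
changed_files() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*File:[[:space:]]*\(\/.*\)$/\1/p' "$1" | sort -u
}

# Verify one file against the package database. Prints a status word and the
# path; returns 0 only when the package manager reports the file unchanged.
verify_file() {
    f=$1
    if command -v rpm >/dev/null 2>&1; then
        if ! rpm -qf "$f" >/dev/null 2>&1; then
            echo "unowned     $f"; return 1
        fi
        # rpm -Vf verifies the owning package; an output line naming our file
        # means a mismatch (hash, size, mode, owner, ...) against what it shipped.
        if rpm -Vf "$f" 2>/dev/null | awk -v p="$f" '$NF == p { found = 1 } END { exit !found }'; then
            echo "modified    $f"; return 1
        fi
        echo "ok          $f"; return 0
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n 1 | sed 's/: .*$//')
        if [ -z "$pkg" ]; then
            echo "unowned     $f"; return 1
        fi
        # dpkg -V compares the file's md5sum with the package's md5sums list.
        if dpkg -V "$pkg" 2>/dev/null | awk -v p="$f" '$NF == p { found = 1 } END { exit !found }'; then
            echo "modified    $f"; return 1
        fi
        echo "ok          $f"; return 0
    fi
    echo "no-verifier $f"; return 1
}

# Check every changed file in LOG. Returns 0 only when all of them verify,
# which is the precondition for running "rkhunter --propupd" with confidence.
verify_changed_files() {
    all_ok=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        verify_file "$f" || all_ok=1
    done <<EOF
$(changed_files "$1")
EOF
    return $all_ok
}

# Constructed log excerpt for demonstration: two property-change warnings.
write_constructed_log() {
    cat > "$1" <<'EOF'
[02:00:03] Warning: The file properties have changed:
[02:00:03]          File: /usr/bin/ls
[02:00:03]          Current hash: 0000constructed0000
[02:00:03]          Stored hash : 1111constructed1111
[02:00:03] Warning: The file properties have changed:
[02:00:03]          File: /usr/sbin/constructed-tool
[02:00:03]          Current size: 1024    Stored size: 512
EOF
}
```

On a real host, run verify_changed_files /var/log/rkhunter.log and only follow it with sudo rkhunter --propupd when every line reads "ok". A file reported as "modified" or "unowned" by the package manager as well as by rkhunter is exactly the case the scanner exists to catch and deserves an investigation, not a database refresh.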

B. Warning: Found Suspicious File

Investigate manually:

ls -l /path/to/suspicious_file
cat /path/to/suspicious_file

C. Email Alerts Not Received

  • Check the Postfix mail queue: sudo postqueue -p
  • Review mail logs: sudo tail -f /var/log/maillog

9. Advanced Options

A. Customizing Tests

Disable specific tests in /etc/rkhunter.conf (space-separated, as in the shipped configuration):

DISABLE_TESTS=apps filesystem

B. Running Specific Tests

Run only selected tests:

sudo rkhunter --check --test rootkits,filesystem

C. Silent Mode

Run without console output:

sudo rkhunter --check --quiet

Conclusion

rkhunter is an essential tool for Linux administrators to identify and mitigate security risks. By configuring both /etc/sysconfig/rkhunter and /etc/rkhunter.conf, you can tailor email alerts, tests, and automation to suit your needs. Regular scans, database updates, and log monitoring ensure a robust defense against potential threats.

Bookmark this guide for quick reference and stay secure!