RKHunter (Rootkit Hunter) is a security scanner for Unix-like systems that looks for rootkits, backdoors and possible local exploits. It compares cryptographic hashes of important system files (SHA-256 by default on current releases; the function is set by `HASH_FUNC` in rkhunter.conf) against the values recorded in its own properties database, looks for wrong file permissions, hidden files and directories, known rootkit file names and suspicious strings in kernel modules, and runs a set of tests specific to each operating system.
Why use RKHunter?
- Post-compromise detection: Helps determine whether a system has been compromised by a rootkit.
- Security audit: Part of a regular security audit to verify system integrity.
- Lightweight and simple: Easy to install and use from the command line.
Prerequisites
- A Linux server (Ubuntu/Debian, CentOS/RHEL, etc.).
- Root access or sudo privileges.
Installation
# On Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y rkhunter
# On CentOS / RHEL (via the EPEL repository; use dnf instead of yum on RHEL 8 and later)
sudo yum install -y epel-release
sudo yum install -y rkhunter
Configuration and first run
Step 1: Update the databases
Before the first scan, update RKHunter's data files (the lists of known rootkit files, bad strings and so on). Note that on Debian and Ubuntu the packaged rkhunter.conf disables remote updates (`UPDATE_MIRRORS=0` and `WEB_CMD="/bin/false"`) because the distribution ships its own data files; either rely on those or comment the two lines out before running the update.
sudo rkhunter --update
Step 2: Populate the file properties
RKHunter needs a "baseline": a database of the current properties (hash, size, permissions, timestamps) of the files it watches, stored under `DBDIR` (/var/lib/rkhunter/db on most distributions). Run this on a system you know to be clean, ideally right after installation and before it is exposed to the network, because --propupd records whatever is there: a rootkit that is already present is recorded as normal and will never be reported.
sudo rkhunter --propupd
This database is compared against the live files on every later scan. Keep a copy of it, or at least its hash, somewhere the host cannot write to, so that a later scan can still be trusted when the host itself is under suspicion.
Step 3: Run the first scan
Run the check command. `--check` (`-c`) starts the scan and `--sk` (`--skip-keypress`) stops it from pausing for Enter after each section; add `--rwo` (`--report-warnings-only`) if you only want the warnings on the terminal. The exit status is 0 when no warnings were raised and non-zero otherwise, which is what scripts should branch on.
sudo rkhunter --check --sk
On the first scan you will almost certainly get several warnings. Most are false positives caused by the particular configuration of your system, but you only know that after looking: examine them one by one and never silence a warning you cannot explain.
Analyzing the report and handling false positives
The scan report is located in /var/log/rkhunter.log.
sudo less /var/log/rkhunter.log
Look for lines containing `[ Warning ]`; the lines that follow them, starting with `Warning:`, say what was actually found (`grep -i warning /var/log/rkhunter.log` pulls both out). For each warning you need to decide whether it is a real problem or a false positive.
Example of a common false positive: a warning about a file you installed yourself, such as ` /usr/sbin/unhide` from the `unhide` rootkit detection tool, or about a stock utility that is a script rather than a compiled binary (on Debian, /usr/bin/egrep is a shell script).
If you installed the tool yourself and the file is the one your package manager shipped, this is a false positive. You can tell RKHunter to ignore it by editing its configuration file /etc/rkhunter.conf.
sudo nano /etc/rkhunter.conf
Find the directive that matches the warning. `SCRIPTWHITELIST` takes the path of a command that is legitimately a script rather than a binary; `ALLOWHIDDENDIR` and `ALLOWHIDDENFILE` cover hidden paths you know about. `ALLOW_SSH_ROOT_USER` is not a whitelist: it must simply match `PermitRootLogin` in sshd_config, and the right fix for that warning is usually to set `PermitRootLogin no` rather than to relax rkhunter. Add one entry per line and do not widen an existing pattern just to make a warning disappear. Then check that the file still parses:
sudo rkhunter -C
Re-run rkhunter --check --sk to confirm the warnings are gone. Run rkhunter --propupd again only for warnings caused by files that changed legitimately (for example after a package upgrade), and only once you have confirmed the new file is the packaged one (`dpkg -S` plus `debsums -c` on Debian, `rpm -Vf` on RHEL): re-baselining on an unexplained change records the attacker's file as the new normal.
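The triage described above can be scripted. The following is an added example, not code from the article or from the rkhunter project: it pulls the `Warning:` lines out of a log, drafts `SCRIPTWHITELIST` entries for the "replaced by a script" warnings, and separates out the warnings that need a human decision. The log it reads is constructed to mimic rkhunter's timestamped log format; the exact wording of real warnings varies between versions, so adjust the patterns to what your version prints. It never edits /etc/rkhunter.conf: its output is for you to review.

```shell
#!/bin/sh
# Added example, not part of the original article or of rkhunter itself.
# Triage helpers for an rkhunter log. The sample log is constructed to look
# like rkhunter's output; check the wording against your own /var/log/rkhunter.log.

SAMPLE_LOG="$(mktemp)" || exit 1
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[10:00:01] Checking for passwd file changes             [ None found ]
[10:00:01] Checking if SSH root access is allowed       [ Warning ]
[10:00:01] Warning: The SSH and rkhunter configuration options should be the same:
[10:00:01]          SSH configuration option 'PermitRootLogin': yes
[10:00:01]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[10:00:02] Checking for commands replaced by scripts    [ Warning ]
[10:00:02] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[10:00:02] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
[10:00:03] Checking for hidden files and directories    [ None found ]
EOF

# Print each "Warning:" detail line without its timestamp. The detail lines,
# not the "[ Warning ]" status markers, say what was actually found.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*] Warning: //p' "$1"
}

# Number of warnings in the log.
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Turn "replaced by a script" warnings into candidate rkhunter.conf lines.
# Only add a line after confirming the script belongs to a distribution
# package (dpkg -S PATH / rpm -qf PATH) and is unmodified (debsums -c /
# rpm -Vf PATH); otherwise you are whitelisting the attacker's file.
rkh_suggest_scriptwhitelist() {
    rkh_warnings "$1" |
        sed -n "s/^The command '\([^']*\)' has been replaced by a script:.*/SCRIPTWHITELIST=\1/p"
}

# Everything else needs a human decision. The SSH warning in the sample is
# fixed by setting PermitRootLogin no in sshd_config, not by loosening
# ALLOW_SSH_ROOT_USER.
rkh_other_warnings() {
    rkh_warnings "$1" | grep -v "has been replaced by a script"
}

printf 'Warnings found: %s\n' "$(rkh_warning_count "$SAMPLE_LOG")"
printf '\nCandidate lines for /etc/rkhunter.conf (verify each file first):\n'
rkh_suggest_scriptwhitelist "$SAMPLE_LOG"
printf '\nWarnings needing manual review:\n'
rkh_other_warnings "$SAMPLE_LOG"
```

To use it on a real host, point the functions at /var/log/rkhunter.log instead of the constructed sample, and paste the suggested lines into rkhunter.conf only after the package-ownership check in the comments has passed.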
Automating scans
It is essential to scan your system regularly. Debian and Ubuntu already install /etc/cron.daily/rkhunter, controlled by /etc/default/rkhunter (`CRON_DAILY_RUN`, `CRON_DB_UPDATE`, `REPORT_EMAIL`); enable that rather than adding a second job, and leave `APT_AUTOGEN` off unless you accept that every package change re-baselines the database automatically. On other distributions, create the cron job by hand:
sudo nano /etc/cron.daily/rkhunter-scan
Add the following content for a daily scan:
#!/bin/sh
# Refresh rkhunter's data files, then run the check. --cronjob implies
# --check, --sk and --nocolors; --report-warnings-only keeps the mail short.
# Replace admin@example.com with your own address.
REPORT="$(/usr/bin/rkhunter --update >/dev/null 2>&1; /usr/bin/rkhunter --cronjob --report-warnings-only 2>&1)"
# Mail only when something was reported: an empty daily mail trains people to ignore it.
if [ -n "$REPORT" ]; then
    printf '%s\n' "$REPORT" | mail -s "RKHunter report for $(hostname)" admin@example.com
fi
Make this script executable:
sudo chmod +x /etc/cron.daily/rkhunter-scan
RKHunter is often used in tandem with another tool called chkrootkit. The two tools use different detection methods (chkrootkit, for instance, checks for network interfaces in promiscuous mode and for processes hidden from ps), so running both provides better coverage.
Conclusion
RKHunter is an essential security tool that should be part of the basic arsenal of any Linux system administrator. Although it takes some initial effort to sort through the false positives, once configured and automated it provides valuable and silent monitoring of your system's integrity. It is your "canary in the coal mine", alerting you when something suspicious happens. Keep its limits in mind, though: it runs on the very host it is checking, so a kernel-level rootkit can lie to it, and a clean report is not proof of a clean system. Treat a warning as a lead to investigate, and a clean report as one data point alongside your logging and monitoring.