Rkhunter stands for “Rootkit Hunter” is a free and open-source vulnerability scanner for Linux operating systems. It scans for rootkits, and other possible vulnerabilities including, hidden files, wrong permissions set on binaries, suspicious strings in kernel etc. It compares the SHA-1 hashes of all files in your local system with the known good hashes in an online database. It also checks the local system commands, startup files, and network interfaces for listening services and applications.
In this tutorial, we will explain, how to install and use Rkhunter on Debian 10 server.
Prerequisites
- A server running Debian 10.
- A root password is configured on the server.
Install and Configure Rkhunter
By default, the Rkhunter package is available in the Debian 10 default repository. You can install it by simply running the following command:
apt-get install rkhunter -y
Once the installation is completed, you will need to configure Rkhunter before scanning your system. You can configure it by editing the file /etc/rkhunter.conf.
nano /etc/rkhunter.conf
Change the following lines:
#Enable the mirror checks. UPDATE_MIRRORS=1 #Tells rkhunter to use any mirror. MIRRORS_MODE=0 #Specify a command which rkhunter will use when downloading files from the Internet WEB_CMD=""
Save and close the file when you are finished. Next, verify the Rkhunter for any configuration syntax error with the following command:
rkhunter -C
Update Rkhunter and Set the Security Baseline
Next, you will need to update the data file from the internet mirror. You can update it with the following command:
rkhunter --update
You should get the following output:
[ Rootkit Hunter version 1.4.6 ] Checking rkhunter data files... Checking file mirrors.dat [ Updated ] Checking file programs_bad.dat [ No update ] Checking file backdoorports.dat [ No update ] Checking file suspscan.dat [ No update ] Checking file i18n/cn [ Skipped ] Checking file i18n/de [ Skipped ] Checking file i18n/en [ No update ] Checking file i18n/tr [ Skipped ] Checking file i18n/tr.utf8 [ Skipped ] Checking file i18n/zh [ Skipped ] Checking file i18n/zh.utf8 [ Skipped ] Checking file i18n/ja [ Skipped ]
Next, verify the Rkhunter version information with the following command:
rkhunter --versioncheck
You should get the following output:
[ Rootkit Hunter version 1.4.6 ] Checking rkhunter version... This version : 1.4.6 Latest version: 1.4.6
Next, set the security baseline with the following command:
rkhunter --propupd
You should get the following output:
[ Rootkit Hunter version 1.4.6 ] File updated: searched for 180 files, found 140
Perform Test Run
At this point, Rkhunter is installed and configured. Now, its time to perform the security scan against your system. You do it by running the following command:
rkhunter --check
You will need to press Enter for every security check as shown below:
System checks summary
=====================
File properties checks...
Files checked: 140
Suspect files: 3
Rootkit checks...
Rootkits checked : 497
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 2 minutes and 10 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
You can use the option –sk to avoid pressing Enter and the option –rwo to display only warning as shown below:
rkhunter --check --rwo --sk
You should get the following output:
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
You can also check the Rkhunter logs using the following command:
tail -f /var/log/rkhunter.log
Schedule Regular Scan with Cron
It is recommended to configure Rkhunter to scan your system regularly. You can configure it by editing the file /etc/default/rkhunter:
nano /etc/default/rkhunter
Change the following lines:
#Perform security check daily CRON_DAILY_RUN="true" #Enable weekly database updates. CRON_DB_UPDATE="true" #Enable automatic database updates APT_AUTOGEN="true"
Save and close the file when you are finished.
Conclusion
Congratulations! you have successfully installed and configured Rkhunter on Debian 10 server. You can now use Rkhunter regularly to protect your server from malware.
