Introduction
rkhunter (Rootkit Hunter) is an open-source security monitoring and analysis tool for Unix/Linux systems. It is a shell script that carries out various checks on the local system to detect known rootkits and malware.
rkhunter scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known-good values from online databases, searching for the default directories used by rootkits, wrong permissions, hidden files and suspicious strings in kernel modules, and running tests specific to Linux and FreeBSD. rkhunter is notable for its inclusion in popular distributions (Fedora, Debian, etc.).
The tool has been written in Bourne shell, to allow for portability. It can run on almost all UNIX-derived systems.
This article walks through the installation and configuration of rkhunter.
Just follow the steps below:
Download Rkhunter
- Download rkhunter by running the commands below:
cd /mnt
wget https://netix.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
[root@unixcop mnt]# wget https://netix.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
--2021-10-03 10:36:20-- https://netix.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
Resolving netix.dl.sourceforge.net (netix.dl.sourceforge.net)... 87.121.121.2
Connecting to netix.dl.sourceforge.net (netix.dl.sourceforge.net)|87.121.121.2|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 302137 (295K) [application/x-gzip]
Saving to: 'rkhunter-1.4.6.tar.gz'
rkhunter-1.4.6.tar.gz 100%[=======================================================================>] 295.06K 90.0KB/s in 3.3s
2021-10-03 10:36:24 (90.0 KB/s) - 'rkhunter-1.4.6.tar.gz' saved [302137/302137]
[root@unixcop mnt]#
Install Rkhunter
- Extract the rkhunter tarball and run the installation script as shown:
tar -xvf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
./installer.sh --install
[root@unixcop rkhunter-1.4.6]# ./installer.sh --install
Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Starting installation:
Checking installation directory "/usr/local": it exists and is writable.
Checking installation directories:
Directory /usr/local/share/doc/rkhunter-1.4.6: creating: OK
Directory /usr/local/share/man/man8: exists and is writable.
Directory /etc: exists and is writable.
Directory /usr/local/bin: exists and is writable.
Directory /usr/local/lib64: exists and is writable.
Directory /var/lib: exists and is writable.
Directory /usr/local/lib64/rkhunter/scripts: creating: OK
Directory /var/lib/rkhunter/db: creating: OK
Directory /var/lib/rkhunter/tmp: creating: OK
Directory /var/lib/rkhunter/db/i18n: creating: OK
Directory /var/lib/rkhunter/db/signatures: creating: OK
Installing check_modules.pl: OK
Installing filehashsha.pl: OK
Installing stat.pl: OK
Installing readlink.sh: OK
Installing backdoorports.dat: OK
Installing mirrors.dat: OK
Installing programs_bad.dat: OK
Installing suspscan.dat: OK
Installing rkhunter.8: OK
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing ClamAV signatures: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Installation complete
[root@unixcop rkhunter-1.4.6]#
- The installer's help can be displayed with:
./installer.sh --help
Notes:
- After installation, the configuration file rkhunter.conf is placed in /etc.
- A local configuration file, rkhunter.conf.local, must reside in the same directory as the main configuration file.
Update Rkhunter
- To update rkhunter's data files, run the command below:
rkhunter --update
- Populate the file properties database as shown below:
rkhunter --propupd
[root@unixcop rkhunter-1.4.6]# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File created: searched for 176 files, found 132, missing hashes 1
[root@unixcop rkhunter-1.4.6]#
Run Rkhunter
- Scan the file system:
rkhunter -c
Note:
This command writes a log file to /var/log/rkhunter.log
- To check this log, run:
cat /var/log/rkhunter.log
- Show only the warnings with grep:
grep Warning /var/log/rkhunter.log
- Check the man page for rkhunter:
man rkhunter
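The update, baseline and scan steps above are usually run unattended, and the interesting part of the result is whatever the log flags as a warning. The script below is an added example, not code from the article or from the rkhunter project: it wraps those steps so they can run from cron and then triages the log with the same grep approach the article uses. It assumes the default log path /var/log/rkhunter.log (RKH_LOG overrides it), the rkhunter options --update, --propupd, -c, --sk and --rwo, and a constructed sample log whose layout is modelled on rkhunter's output; the hash values in that sample are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from the rkhunter project: a
# non-interactive wrapper around the update, baseline and scan steps above,
# followed by triage of the log that rkhunter writes. It assumes the default
# log path /var/log/rkhunter.log; RKH_LOG overrides it so the triage
# functions can be exercised offline against a constructed log.

RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"

# Refresh the data files, then record the current file properties as the
# trusted baseline. --propupd declares whatever is on disk right now to be
# good, so run it after install and after package upgrades on a system you
# believe to be clean, not to make a warning you have not investigated go away.
refresh_baseline() {
    rkhunter --update
    rkhunter --propupd
}

# Run the scan unattended: --sk skips the "press enter" prompts and --rwo
# limits screen output to warnings. The full record still goes to the log.
run_scan() {
    rkhunter -c --sk --rwo
}

# Count warning message lines. The article greps for "Warning"; the trailing
# colon narrows the match to message lines and leaves out per-check result
# markers such as "[ Warning ]", so each finding is counted once.
count_warnings() {
    grep -c 'Warning:' "$1" || true
}

# List the files named in the "File:" detail lines that follow a property
# warning, one path per line, de-duplicated: the first things to examine.
warned_files() {
    sed -n 's/^.*[[:space:]]File:[[:space:]]*//p' "$1" | sort -u
}

# Summarise a log. Returns 0 when it holds no warnings, 1 when it does and
# 2 when the log cannot be read, so the script is usable from cron or CI.
triage() {
    log="$1"
    if [ ! -r "$log" ]; then
        echo "rkhunter: cannot read $log" >&2
        return 2
    fi
    n=$(count_warnings "$log")
    if [ "$n" -eq 0 ]; then
        echo "rkhunter: no warnings in $log"
        return 0
    fi
    echo "rkhunter: $n warning(s) in $log"
    files=$(warned_files "$log")
    if [ -n "$files" ]; then
        printf 'files whose properties changed:\n%s\n' "$files"
    fi
    return 1
}

# Constructed sample log, modelled on rkhunter's log layout, for offline use.
# The hashes are placeholders, not real values.
write_sample_log() {
    cat > "$1" <<'EOF'
[10:36:20] Info: Start date is Sun Oct  3 10:36:20 2021
[10:36:21]   /usr/bin/ls                                     [ OK ]
[10:36:21]   /usr/bin/ps                                     [ Warning ]
[10:36:21] Warning: The file properties have changed:
[10:36:21]          File: /usr/bin/ps
[10:36:21]          Current hash: <constructed-hash-a>
[10:36:21]          Stored hash : <constructed-hash-b>
[10:36:22] Warning: Hidden directory found: /etc/.java
[10:36:24] Info: End date is Sun Oct  3 10:36:24 2021
EOF
}

# Entry point: "--run" performs the real scan (skipping it with a notice when
# rkhunter is absent) and then triages RKH_LOG. Without arguments the file
# only defines functions, so it can be sourced.
main() {
    if command -v rkhunter >/dev/null 2>&1; then
        run_scan || true    # a non-zero status just means warnings were found
    else
        echo "rkhunter not installed; triaging existing log only" >&2
    fi
    triage "$RKH_LOG"
}

case "${1:-}" in
    --run) main ;;
esac
```

Run it as sh rkhunter-wrap.sh --run from a daily cron entry; the exit status of triage (0 clean, 1 warnings, 2 unreadable log) is what an alerting job should key on. Sourcing the file without --run gives you the triage functions for an existing log, which is how the constructed sample is checked offline.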
Conclusion
Here we go, we’ve seen how to install Rootkit Hunter (rkhunter) on Linux and also looked at some rkhunter configuration settings.
That’s all, thank you!!