rkhunter (Rootkit Hunter) is an open-source security monitoring and analysis tool for Unix/Linux systems. It is a shell script that carries out various checks on the local system to detect known rootkits and malware.
rkhunter scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known-good values from online databases, searching for the default directories used by rootkits, wrong permissions, hidden files and suspicious strings in kernel modules, and running special tests for Linux and FreeBSD. rkhunter is notable for its inclusion in popular distributions (Fedora, Debian, etc.).
This article walks through the installation and configuration of rkhunter.
Just follow the steps below:
- Download Rkhunter with running commands below:
```
cd /mnt
wget https://netix.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
```

```
[root@unixcop mnt]# wget https://netix.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
--2021-10-03 10:36:20--  https://netix.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
Resolving netix.dl.sourceforge.net (netix.dl.sourceforge.net)... 18.104.22.168
Connecting to netix.dl.sourceforge.net (netix.dl.sourceforge.net)|22.214.171.124|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 302137 (295K) [application/x-gzip]
Saving to: 'rkhunter-1.4.6.tar.gz'

rkhunter-1.4.6.tar.gz 100%[=======================================================================>] 295.06K 90.0KB/s in 3.3s

2021-10-03 10:36:24 (90.0 KB/s) - 'rkhunter-1.4.6.tar.gz' saved [302137/302137]
[root@unixcop mnt]#
```
- Extract RkHunter tarball and run the installation script as shown:
```
tar -xvf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
```

```
[root@unixcop rkhunter-1.4.6]# ./installer.sh --install
Checking system for:
 Rootkit Hunter installer files: found
 A web file download command: wget found
Starting installation:
 Checking installation directory "/usr/local": it exists and is writable.
 Checking installation directories:
  Directory /usr/local/share/doc/rkhunter-1.4.6: creating: OK
  Directory /usr/local/share/man/man8: exists and is writable.
  Directory /etc: exists and is writable.
  Directory /usr/local/bin: exists and is writable.
  Directory /usr/local/lib64: exists and is writable.
  Directory /var/lib: exists and is writable.
  Directory /usr/local/lib64/rkhunter/scripts: creating: OK
  Directory /var/lib/rkhunter/db: creating: OK
  Directory /var/lib/rkhunter/tmp: creating: OK
  Directory /var/lib/rkhunter/db/i18n: creating: OK
  Directory /var/lib/rkhunter/db/signatures: creating: OK
 Installing check_modules.pl: OK
 Installing filehashsha.pl: OK
 Installing stat.pl: OK
 Installing readlink.sh: OK
 Installing backdoorports.dat: OK
 Installing mirrors.dat: OK
 Installing programs_bad.dat: OK
 Installing suspscan.dat: OK
 Installing rkhunter.8: OK
 Installing ACKNOWLEDGMENTS: OK
 Installing CHANGELOG: OK
 Installing FAQ: OK
 Installing LICENSE: OK
 Installing README: OK
 Installing language support files: OK
 Installing ClamAV signatures: OK
 Installing rkhunter: OK
 Installing rkhunter.conf: OK
Installation complete
[root@unixcop rkhunter-1.4.6]#
```
- The installer's usage information can be displayed with its help option.
- After installation, the main configuration file rkhunter.conf is placed in /etc.
- An optional local configuration file called rkhunter.conf.local must reside in the same directory as the main configuration file.
- To update rkhunter, run the command below:
- Fill the file properties database as shown below:
```
[root@unixcop rkhunter-1.4.6]# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File created: searched for 176 files, found 132, missing hashes 1
[root@unixcop rkhunter-1.4.6]#
```
- Scan the file system
The scan writes its log to /var/log/rkhunter.log.
- To check the log, run:
- To list only the warnings, use grep on the log:

```
grep Warning /var/log/rkhunter.log
```
- Check man page for RkHunter.
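The steps above can be tied together into a small cron-style wrapper. The script below is an added example, not part of the original article or of the rkhunter project; it assumes rkhunter 1.4.x is installed as shown and logs to /var/log/rkhunter.log, and the sample log it parses is constructed here.

```shell
#!/bin/sh
# Added example (not from the article): run rkhunter non-interactively and
# summarise the warnings recorded in its log. Assumes rkhunter 1.4.x as above.
set -eu

LOG=${RKH_LOG:-/var/log/rkhunter.log}

# One line per distinct warning, stripped of the "[HH:MM:SS] Warning: " prefix.
# Only the descriptive "Warning:" lines are taken; the "[ Warning ]" status
# markers that a plain "grep Warning" also matches would double-count findings.
list_warnings() {
    sed -n 's/^\[[0-9:]*\] *Warning: //p' "$1" | sort -u
}

# Number of distinct warnings; prints 0 for a clean log.
count_warnings() {
    list_warnings "$1" | grep -c . || true
}

# Scan the way a daily cron job would: no colours, no key presses, warnings
# only. rkhunter exits nonzero when it finds warnings, so fall through.
run_scan() {
    rkhunter --check --cronjob --report-warnings-only --skip-keypress || true
}

# Summarise a log; return 1 when anything needs a human to look at it.
report() {
    n=$(count_warnings "$1")
    if [ "$n" -eq 0 ]; then
        echo "rkhunter: no warnings in $1"
        return 0
    fi
    echo "rkhunter: $n distinct warning(s) in $1:"
    list_warnings "$1" | sed 's/^/  - /'
    return 1
}

# Constructed sample log in rkhunter's "[time] message" layout, so the parsing
# can be exercised without a real scan (paths and times are made up).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
[10:36:20] Info: Starting test name 'system_commands'
[10:36:21]   /usr/bin/egrep                                  [ Warning ]
[10:36:22] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[10:36:23] Warning: Hidden directory found: /etc/.java
[10:36:24] Warning: Hidden directory found: /etc/.java
EOF

# With "--scan" run a real scan and report on the real log; otherwise just demo.
if [ "${1:-}" = "--scan" ]; then run_scan; report "$LOG"; else report "$SAMPLE" || :; fi
```

Run it as `sh rkh-wrap.sh --scan` from cron; its exit status is 1 whenever the log contains warnings, which makes it easy to alert on.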
Here we go, we have seen how to install Rootkit Hunter (rkhunter) on Linux and also looked at some of its configuration settings.
That’s all, Thank you !!