Difference between revisions of "Rkhunter"
From Christoph's Personal Wiki
(New page: '''<tt>rkhunter</tt>''' (aka '''Rootkit Hunter''') is a rootkit, backdoor, sniffer, and exploit scanner. It scans systems for known and unknown rootkits, backdoors, sniffers and exploits. ...) |
(→Installation and usage) |
||
Line 12: | Line 12: | ||
==Installation and usage== | ==Installation and usage== | ||
− | On [[CentOS]] systems, | + | On [[CentOS]] systems, <code>rkhunter</code> can be installed from the EPEL repositories. If you do not have EPEL installed, you can get it setup by (for CentOS 6.x): |
$ rpm -ivh <nowiki>http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm</nowiki> | $ rpm -ivh <nowiki>http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm</nowiki> | ||
− | * Install | + | * Install <code>rkhunter</code>: |
$ yum install rkhunter | $ yum install rkhunter | ||
− | * Configure | + | * Configure <code>rkhunter</code> to send email if a "warning" is found during a given scan: |
$ vi /etc/rkhunter.conf | $ vi /etc/rkhunter.conf | ||
# Change | # Change | ||
Line 30: | Line 30: | ||
$ rkhunter -sk -c | $ rkhunter -sk -c | ||
− | You can also configure | + | You can also configure <code>rkhunter</code> to run automatically (via a cronjob) daily. On CentOS systems, there should already be a script for this: |
$ cat /etc/cron.daily/rkhunter | $ cat /etc/cron.daily/rkhunter | ||
− | Now, all you need to do is update the | + | Now, all you need to do is update the <code>rkhunter</code> configuration with your actual email address so you can receive the nightly reports: |
$ vi /etc/sysconfig/rkhunter | $ vi /etc/sysconfig/rkhunter | ||
# Change | # Change | ||
Line 39: | Line 39: | ||
# To | # To | ||
MAILTO=bob@example.com | MAILTO=bob@example.com | ||
+ | |||
+ | * Check for latest version: | ||
+ | <pre> | ||
+ | $ sudo rkhunter --versioncheck | ||
+ | |||
+ | [ Rootkit Hunter version 1.4.6 ] | ||
+ | |||
+ | Checking rkhunter version... | ||
+ | This version : 1.4.6 | ||
+ | Latest version: 1.4.6 | ||
+ | </pre> | ||
==External links== | ==External links== |
Revision as of 21:32, 10 September 2021
rkhunter (aka Rootkit Hunter) is a rootkit, backdoor, sniffer, and exploit scanner. It scans systems for known and unknown rootkits, backdoors, sniffers and exploits.
It checks for:
- MD5 hash changes;
- files commonly created by rootkits;
- executables with anomalous file permissions;
- suspicious strings in kernel modules;
- hidden files in system directories; and
- can optionally scan within files.
NOTE: Using `rkhunter` alone does not guarantee that a system is not compromised. Running additional tests, such as chkrootkit, is recommended.
Installation and usage
On CentOS systems, rkhunter
can be installed from the EPEL repositories. If you do not have EPEL installed, you can get it setup by (for CentOS 6.x):
$ rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
- Install
rkhunter
:
$ yum install rkhunter
- Configure
rkhunter
to send email if a "warning" is found during a given scan:
$ vi /etc/rkhunter.conf # Change MAIL-ON-WARNING="" # To MAIL-ON-WARNING="bob@example.com"
- Finally, fetch the latest updates, create a baseline, and run an on-demand scan:
$ rkhunter --update $ rkhunter --propupd $ rkhunter -sk -c
You can also configure rkhunter
to run automatically (via a cronjob) daily. On CentOS systems, there should already be a script for this:
$ cat /etc/cron.daily/rkhunter
Now, all you need to do is update the rkhunter
configuration with your actual email address so you can receive the nightly reports:
$ vi /etc/sysconfig/rkhunter # Change MAILTO=root@localhost # To MAILTO=bob@example.com
- Check for latest version:
$ sudo rkhunter --versioncheck [ Rootkit Hunter version 1.4.6 ] Checking rkhunter version... This version : 1.4.6 Latest version: 1.4.6