Rkhunter

From Christoph's Personal Wiki
Revision as of 21:32, 10 September 2021

rkhunter (aka Rootkit Hunter) is a rootkit, backdoor, sniffer, and exploit scanner. It scans systems for known and unknown rootkits, backdoors, sniffers and exploits.

It checks for:

  • MD5 hash changes in system binaries, compared against the file-property baseline stored with --propupd;
  • files commonly created by rootkits;
  • executables with anomalous file permissions;
  • suspicious strings in kernel modules;
  • hidden files in system directories; and
  • optionally, suspicious content inside plaintext and binary files.

NOTE: Using rkhunter alone does not guarantee that a system is not compromised. It runs on the host it inspects, so a kernel-level rootkit that hides files or processes from every userland tool can hide from rkhunter as well. Running additional tests, such as chkrootkit, is recommended, and for a suspected compromise the disk should also be examined from trusted boot media rather than from the running system.

Installation and usage

On CentOS systems, rkhunter can be installed from the EPEL repositories (the commands below need root; run them as root or prefix them with sudo). If you do not have EPEL installed, you can get it set up by (for CentOS 6.x):

$ rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

This fetches the package over plain HTTP, so download it first, import the EPEL signing key, and check the package signature with rpm -K rather than installing straight from the URL. CentOS 6 and EPEL 6 are end-of-life; on a supported release, install the epel-release package from the distribution's extras repository instead.
  • Install rkhunter:
$ yum install rkhunter
  • Configure rkhunter to send email if a "warning" is found during a given scan:
$ vi /etc/rkhunter.conf
# Change
MAIL-ON-WARNING=""
# To
MAIL-ON-WARNING="bob@example.com"
  • Finally, fetch the latest data files, create the file-property baseline, and run an on-demand scan (-c is --check; -sk is --skip-keypress, so the scan does not pause between sections):
$ rkhunter --update
$ rkhunter --propupd
$ rkhunter -sk -c

The baseline written by --propupd is what later hash checks are compared against, so only run it on a system you trust to be clean (ideally right after installation, before the host is exposed), and re-run it after package updates that legitimately replace system binaries; otherwise the next scan reports every updated file as changed.

You can also configure rkhunter to run automatically (via a cronjob) daily. On CentOS systems, there should already be a script for this:

$ cat /etc/cron.daily/rkhunter

Now, all you need to do is update the rkhunter configuration with your actual email address so you can receive the nightly reports:

$ vi /etc/sysconfig/rkhunter
# Change
MAILTO=root@localhost
# To
MAILTO=bob@example.com
  • Check for latest version:
$ sudo rkhunter --versioncheck

[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter version...
  This version  : 1.4.6
  Latest version: 1.4.6
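The cron job and MAILTO setting above only tell you that a scan ran. The wrapper below is added here as an example (it is not the wiki's script and is not part of the rkhunter project); it shows the shape of a cron entry that mails only when there is something to act on and that does not let a failed scan pass for a clean host. It assumes rkhunter's --cronjob and --report-warnings-only options, the exit-status convention described in the rkhunter manual (0 when no warnings were raised, 1 when warnings were found, other values for errors; confirm with man rkhunter on your version), and a local mail(1) command; the MAILER hook and the RKHUNTER and MAILTO variables are this example's own names.

```shell
#!/bin/sh
# Added example: a small cron wrapper around rkhunter (not the wiki's script
# and not shipped by the rkhunter project).  It mails the report only when the
# scan raises warnings or fails, and passes rkhunter's own exit status back to
# cron.  Assumptions: the --cronjob and --report-warnings-only options, the
# exit-status convention from the rkhunter manual (0 clean, 1 warnings,
# other values for errors), and a working local mail(1) command.

RKHUNTER="${RKHUNTER:-/usr/bin/rkhunter}"   # scanner binary (overridable for tests)
MAILTO="${MAILTO:-root@localhost}"          # same variable name as /etc/sysconfig/rkhunter
MAILER="${MAILER:-send_report}"             # delivery hook: name of a shell function

# Default delivery hook: hand the report file ($2) to the local MTA with subject $1.
send_report() {
    mail -s "$1" "$MAILTO" < "$2"
}

# Number of findings in report file $1.  In --report-warnings-only mode rkhunter
# prefixes each finding with "Warning:"; prints 0 when there are none.
count_warnings() {
    grep -c '^Warning:' "$1" || true
}

# Run one scan.  Returns rkhunter's status: 0 clean (no mail sent),
# 1 warnings (report mailed), anything else scan error (report mailed too,
# so a broken scanner is not mistaken for a clean host).
rkhunter_cron() {
    report=$(mktemp) || return 2
    rc=0
    "$RKHUNTER" --cronjob --report-warnings-only > "$report" 2>&1 || rc=$?
    host=$(uname -n 2>/dev/null || echo unknown)
    case "$rc" in
        0) ;;   # stay silent, so that a mail always means something happened
        1) "$MAILER" "rkhunter: $(count_warnings "$report") warning(s) on $host" "$report" ;;
        *) "$MAILER" "rkhunter: scan FAILED (exit $rc) on $host" "$report" ;;
    esac
    rm -f "$report"
    return "$rc"
}

# Entry point when executed directly (e.g. as /etc/cron.daily/rkhunter-wrapper):
# do nothing if the scanner is not installed, so the file can also be sourced.
if [ -x "$RKHUNTER" ]; then
    rkhunter_cron
fi
```

Drop it into /etc/cron.daily/ (or keep the packaged script and use this as a template), and set MAILTO as in /etc/sysconfig/rkhunter. A warning mail is only as trustworthy as the host that sends it, so treat the absence of the daily report as a finding too: alert centrally when the mail stops arriving, not only when it contains warnings.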

External links