Scanning server for malicious tools with rkhunter



rkhunter Log

rkhunter (Rootkit Hunter) is a security tool that scans for the presence of rootkits, backdoors and other unwanted tools. It also performs additional security checks, such as looking for wrong file permissions on binaries, comparing MD5 hashes of system files against a known-good database, and looking for hidden files.

This post provides instructions on how to set up and configure rkhunter to run automatically every day on servers running Linux or Unix.

To install rkhunter, download the latest version from the project page. Once the archive is downloaded, extract it and launch the installation script:

tar xvf rkhunter-*.tar.gz
cd rkhunter-*
./installer.sh --layout default --install

After that, build the rkhunter file-properties database (the baseline later scans are compared against) and review the log:

rkhunter --propupd
less /var/log/rkhunter.log

The configuration of this security tool is done by editing the file /etc/rkhunter.conf. In that file, the parameters below should be set so that the sysadmin is notified of warnings and the SSH daemon hardening is verified on every run:

MAIL-ON-WARNING=""
ALLOW_SSH_ROOT_USER=without-password
ALLOW_SSH_PROT_V1=0

MAIL-ON-WARNING
E-mail a message to this address if a warning is found. The address goes between the quotes; leaving the value empty disables the notification and warnings only reach the log.

ALLOW_SSH_ROOT_USER and ALLOW_SSH_PROT_V1
Check that the SSH daemon configuration is secured by verifying the sshd_config options PermitRootLogin and Protocol against these expected values; rkhunter reports a warning when they differ. These security measures are applied in the article Secure existing OpenSSH installation.

To setup daily reporting with rkhunter, issue the command:

cat << EOF >/etc/cron.daily/01-rkhunter
#!/bin/sh
(
/usr/local/bin/rkhunter --cronjob --update --versioncheck --rwo && echo ""
) | /bin/mail -s "Rkhunter daily run on ip.address" root
exit 0
EOF

The above command creates a shell script named 01-rkhunter in the /etc/cron.daily directory. Cron executes this script daily; it updates the rkhunter data files, checks for a new rkhunter version, runs the scan in report-warnings-only mode (--rwo) and mails the result to root.

Finally, set the correct permissions so that only root can read, modify or execute the script:

chmod 700 /etc/cron.daily/01-rkhunter
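The cron script above mails root every day even when there is nothing to report, which trains people to ignore the message. The following script is an added example, not the post's own 01-rkhunter and not code from the rkhunter project: it keeps each day's report in a dated file, puts the hostname and the warning count in the subject, and mails only when rkhunter exited non-zero or printed a "Warning:" line. The report directory, the variable names, the sample report text and the guard that skips the real run when the rkhunter binary is absent are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the post's script): daily rkhunter wrapper that mails
# only when the run produced warnings and keeps the full report on disk.

RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
REPORT_DIR=${REPORT_DIR:-/var/log/rkhunter-daily}   # assumed location
MAILTO=${MAILTO:-root}

# Print the number of "Warning:" lines in a --rwo report (0 if none or missing).
count_warnings() {
    n=$(grep -c '^Warning:' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Build the mail subject from hostname and warning count.
mail_subject() {
    # $1 = hostname, $2 = warning count
    printf 'rkhunter daily run on %s: %s warning(s)\n' "$1" "$2"
}

# Decide whether a report should be mailed: returns 0 = mail it, 1 = stay quiet.
# Mail when rkhunter exited non-zero (it does so on warnings) or any
# Warning: line is present in the report.
should_mail() {
    # $1 = rkhunter exit status, $2 = report file
    [ "$1" -ne 0 ] && return 0
    [ "$(count_warnings "$2")" -gt 0 ]
}

# Run the scan, store the report and mail it when needed.
run_daily() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/rkhunter-$(date +%Y%m%d).txt"
    "$RKHUNTER" --cronjob --update --versioncheck --rwo >"$report" 2>&1
    status=$?
    if should_mail "$status" "$report"; then
        n=$(count_warnings "$report")
        mail -s "$(mail_subject "$(hostname)" "$n")" "$MAILTO" <"$report"
    fi
    return "$status"
}

# --- Constructed sample reports (not real rkhunter output) for a stand-alone run ---
demo=$(mktemp -d)
printf 'Warning: The file properties have changed:\n         File: /usr/bin/ssh\n' >"$demo/warn.txt"
: >"$demo/clean.txt"
host=$(hostname 2>/dev/null || echo localhost)
if should_mail 1 "$demo/warn.txt"; then
    echo "warn.txt -> mail: $(mail_subject "$host" "$(count_warnings "$demo/warn.txt")")"
fi
if ! should_mail 0 "$demo/clean.txt"; then
    echo "clean.txt -> nothing to mail"
fi
rm -rf "$demo"

# From /etc/cron.daily, run the real job; skipped when rkhunter is not installed
# so the sample above can run anywhere.
if [ -x "$RKHUNTER" ]; then
    run_daily
fi
```

To deploy, install it as /etc/cron.daily/01-rkhunter with mode 700 as above. Keeping the dated reports means that a warning which was mailed once can still be investigated later even if the mail was lost, and the warning count in the subject lets a sysadmin spot a sudden jump at a glance.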