Scanning for rootkits with rkhunter
Continuing with the defence in depth articles, this article concentrates on installing and configuring rkhunter.
Rkhunter works along the same lines as the chkrootkit described in the earlier article, in that it scans an already established system for known rootkits, but rkhunter also looks for other signs of compromise and for risky configuration (the SSH root-login check later in this article is one example).
Neither rkhunter nor chkrootkit is necessarily better than the other and, in my opinion, they should be run in conjunction with each other.
I won't go into the philosophy of VPS and server security again (please see the chkrootkit article for more details) but will simply stress that defence in depth is essential for any security conscious sysadmin.
I would also point out that rkhunter is not an active defence method. It does not prevent exploits being placed on your server; prevention is the job of other means such as firewalls and system monitoring. What rkhunter does is inform you if something on the server looks like a threat.
Let's get straight on and install rkhunter.
Log into your VPS and move to your sources directory:
cd ~/sources
Once there, download the latest version of rkhunter from the SourceForge download area:
wget http://ovh.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.2.9.tar.gz
At the time of writing, version 1.2.9 is the latest version available, please do check with the rkhunter home page to see if a newer version is available. You may also want to go to the SourceForge download page and select a mirror nearer to your server.
Being thorough VPS admins you will want to check the md5sum of the downloaded file before extracting it and installing it.
Let me tell you, I had a devil of a time finding a (reliable) md5sum for rkhunter. I find this odd and if anyone can point me to the 'official' md5sum for the downloads I would appreciate it.
I relied on the official Debian package list to confirm the md5sum. To find the MD5 checksum of the downloaded package:
md5sum rkhunter-1.2.9.tar.gz
Compare this with the checksum published on the Debian package list, making sure you look at the entry for the original upstream tarball and not the diff patch that Debian applies. A checksum only helps if it comes from somewhere other than the mirror you downloaded from; one served next to the file on the same mirror proves nothing if that mirror is compromised.
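A small helper for the step above, added here as an example (it is not part of the original article): it compares a file's MD5 hash with a checksum you obtained independently and refuses to continue on a mismatch. The file name and hash in the usage comment are placeholders; the Debian package list is where this article takes its reference value from.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded tarball
# against a checksum obtained from an independent source, and refuse to go on
# if it does not match. The file name and hash in the usage comment at the
# bottom are placeholders.

# verify_md5 FILE EXPECTED_HEX
# Returns 0 when FILE's MD5 hash equals EXPECTED_HEX (case-insensitive),
# 1 on mismatch or missing file, 2 if EXPECTED_HEX is not a 32-digit hex string.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

    # Catch copy-and-paste accidents before doing any hashing.
    case "$expected" in
        *[!0-9a-f]*|'') echo "verify_md5: bad checksum string: $2" >&2; return 2 ;;
    esac
    if [ ${#expected} -ne 32 ]; then
        echo "verify_md5: expected 32 hex digits, got ${#expected}" >&2; return 2
    fi
    if [ ! -f "$file" ]; then
        echo "verify_md5: no such file: $file" >&2; return 1
    fi

    # md5sum prints "<hash>  <name>"; keep only the hash.
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file: got $actual, expected $expected" >&2
    return 1
}

# Typical use, with the hash copied from the Debian package list (placeholder):
#   verify_md5 rkhunter-1.2.9.tar.gz <hash-from-debian> || exit 1
```

The non-zero return is the point: chain it with `|| exit 1` (or `&& tar xvfz ...`) so that a mismatch stops the install rather than just printing a line you might scroll past. MD5 is weak against deliberately crafted collisions, so where a project publishes SHA-256 sums or a GPG signature, prefer those; for a tarball whose reference checksum comes from a distribution's own package index, as here, MD5 still catches a corrupted or swapped download.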
Once happy, extract the source code:
tar xvfz rkhunter-1.2.9.tar.gz
Then move into the newly created directory:
cd rkhunter-1.2.9/
To install the code, simply issue the following command:
sudo ./installer.sh
At the end of the install I got a message as follows:
PLEASE NOTE:
inspect for update changes in /usr/local/etc/rkhunter.conf.1183546172
and apply to rkhunter.conf before running Rootkit Hunter.
Let's have a look at that file:
sudo nano /usr/local/etc/rkhunter.conf.1183546172
Have a look through it and you can see the configuration options available for rkhunter. The installer keeps this release's configuration in the timestamped file so that it does not overwrite the rkhunter.conf rkhunter actually reads. Do note, therefore, that any changes have to be made to the /usr/local/etc/rkhunter.conf file and not to this particular file.
Say what? Ok, here's a quick example. I ran rkhunter (and we'll go through how to update and run it shortly) and got this message:
Checking for allowed root login...
Watch out Root login possible. Possible risk!
That's because in my SSH configuration file (located at /etc/ssh/sshd_config) I had allowed root logins with the SSH config line:
# Authentication:
...
PermitRootLogin yes
...
Let's imagine we do want to enable root logins via SSH (we all know we should disable this option) but don't want a warning every time we run rkhunter.
In comes the /usr/local/etc/rkhunter.conf we talked about earlier. Open it up and scan down until you reach this line:
#ALLOW_SSH_ROOT_USER=0
To skip the warning, simply uncomment the line and add a '1' at the end:
ALLOW_SSH_ROOT_USER=1
Now when we run rkhunter there is no pesky warning about allowing root logins.
I'm going to indulge myself here: please don't allow root logins. Thanks.
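To see what rkhunter is reacting to, here is the same check written out in shell, added as an example (it is not code from the original article or from rkhunter, whose own implementation may differ in detail). It reads sshd_config the way sshd does: keywords are case-insensitive, the first occurrence of a keyword wins, and settings after a Match line apply only to matching connections. The sample configs and the return conventions are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original article or from rkhunter): reproduce the
# "allowed root login" check in shell so you can see what rkhunter is reacting
# to and confirm a fix before re-running it. Sample inputs are constructed.

# permit_root_login CONFIG_FILE
# Prints the effective global PermitRootLogin value. sshd uses the FIRST
# occurrence of a keyword, keywords are case-insensitive, and "key = value"
# is accepted as well as "key value". Parsing stops at the first Match block,
# because settings inside it apply only to matching connections. Prints
# "unset" if the keyword never appears before that point.
permit_root_login() {
    awk '
        /^[[:space:]]*#/ { next }            # comment line
        { gsub(/=/, " ") }                   # treat "=" as whitespace; fields are re-split
        NF == 0 { next }                     # blank line
        tolower($1) == "match" { exit }      # conditional section; stop here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_root_login CONFIG_FILE
# Returns 0 if root logins are fully disabled ("no"), 1 otherwise, printing a
# warning in the spirit of rkhunter's. "without-password" (old name) and
# "prohibit-password" (OpenSSH 7.0 and later) still allow key-based root
# logins, and "unset" means sshd's compiled-in default applies, which was
# "yes" before OpenSSH 7.0.
check_root_login() {
    value=$(permit_root_login "$1")
    if [ "$value" = "no" ]; then
        echo "Root login via SSH disabled (PermitRootLogin no) in $1"
        return 0
    fi
    echo "Warning: root login possible (PermitRootLogin $value) in $1" >&2
    return 1
}

# Usage on a live system:
#   check_root_login /etc/ssh/sshd_config || echo "edit sshd_config, then reload sshd"
```

The "first occurrence wins" rule is the one that catches people: adding `PermitRootLogin no` at the bottom of a file that already says `PermitRootLogin yes` near the top changes nothing, and rkhunter will keep warning. Put the hardened line first (or remove the old one), and run `sshd -t` before reloading so a typo does not lock you out.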
After that short interlude, let's get on and run it. The first thing you need to do is update the patterns rkhunter uses. This does not update the programme itself, only the list of rootkits, etc. that it scans for:
sudo /usr/local/bin/rkhunter --update
Now it's updated, to run rkhunter interactively:
sudo /usr/local/bin/rkhunter -c
The '-c' option is a shortcut for '--checkall' and will undertake all system checks. It is interactive: after each section it pauses and you have to press 'Enter' to continue.
If you find this annoying and just want to get to the end of the report, add the '-sk' option, which stands for '--skip-keypress':
sudo /usr/local/bin/rkhunter -c -sk
As you would imagine, there are several options available. To see a list, enter:
sudo /usr/local/bin/rkhunter
Lastly, we know that automation and email notification make an administrator's life a lot easier, so now we can add rkhunter to a cronjob.
This is straight from the rkhunter website: you need to create a short shell script as follows:
#!/bin/sh
# Run by cron: check whether a newer rkhunter release exists, refresh the
# rootkit definitions, then scan non-interactively and keep only the warnings.
# Everything the three commands print is collected and mailed in one message.
( /usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /usr/bin/mail -s "rkhunter output" admin@yourdomain.com
Save the file and call it something like 'rkhunterscript'. Make the file executable and place it in your local bin folder or in a public bin folder. Now set a root cronjob as follows:
sudo crontab -e
with something like this:
10 3 * * * /home/paul/bin/rkhunterscript
This will run the script at 3.10am each day. Why 3.10am? Well, I have my chkrootkit running at 3.00am, I'd like that to finish before starting this one. It is recommended, and not just by me, that you run both chkrootkit and rkhunter on your machines on a regular basis.
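The ten-minute gap only works as long as chkrootkit really does finish in under ten minutes. An alternative, added here as an example (not from the original article or the rkhunter project), is a single cron entry that runs chkrootkit and then rkhunter back to back, refuses to start while a previous run is still going, keeps the full output on disk for later inspection, and mails only when one of the scanners reported something. The paths, the log directory, the lock location and the recipient address are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example (not from the original article or the rkhunter project): one
# cron entry that runs chkrootkit and then rkhunter back to back, refuses to
# overlap with a still-running scan, keeps full output on disk, and mails
# only when a scanner reported something. Paths, log directory, lock location
# and recipient are assumptions; adjust them for your system.

RKHUNTER=/usr/local/bin/rkhunter
CHKROOTKIT=/usr/sbin/chkrootkit
LOGDIR=/var/log/rootkit-scans
LOCK=/var/run/rootkit-scan.lock
ADMIN=admin@yourdomain.com

# report_findings LABEL FILE
# Prints every non-blank line of FILE prefixed with "[LABEL]" and returns 0 if
# there was at least one, 1 if the file is empty or only whitespace. Both
# scanners are run in their quiet modes below, so any line left is a finding.
report_findings() {
    if grep -q '[^[:space:]]' "$2"; then
        sed -n "/[^[:space:]]/s/^/[$1] /p" "$2"
        return 0
    fi
    return 1
}

run_scans() {
    # Refuse to overlap with a still-running scan (mkdir is atomic, so this
    # works without flock). The lock directory is removed on any exit.
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "rootkit scan already running (lock: $LOCK)" >&2
        return 1
    fi
    trap 'rmdir "$LOCK"' EXIT INT TERM

    day=$(date +%Y-%m-%d)
    mkdir -p "$LOGDIR"
    ck_log="$LOGDIR/chkrootkit-$day.log"
    rk_log="$LOGDIR/rkhunter-$day.log"
    summary="$LOGDIR/summary-$day.txt"

    # No "set -e" here: both scanners exit non-zero when they find something,
    # and that is exactly the case we want to carry on and report.
    "$CHKROOTKIT" -q >"$ck_log" 2>&1                      # -q: print findings only
    "$RKHUNTER" --update >"$LOGDIR/rkhunter-update-$day.log" 2>&1
    "$RKHUNTER" --cronjob --report-warnings-only >"$rk_log" 2>&1

    {
        report_findings chkrootkit "$ck_log"
        report_findings rkhunter "$rk_log"
    } >"$summary"

    # Mail only when the summary is non-empty; the full logs stay on disk.
    if [ -s "$summary" ]; then
        /usr/bin/mail -s "rootkit scan findings on $(hostname)" "$ADMIN" <"$summary"
    fi
}

# Only scan when invoked with --run, so the file can be sourced to reuse
# report_findings without starting a scan. Root crontab entry (assumed path):
#   10 3 * * * /usr/local/sbin/rootkit-scan --run
if [ "${1-}" = "--run" ]; then
    run_scans
fi
```

Mailing only on findings makes the message itself the alert, which matters if you have several servers sending the "rkhunter output" mail every night and stop reading it. The dated logs are there for the other case: when something does show up you want yesterday's clean run next to today's, not just the one-line warning. Remember to save the output of the first run on a freshly installed, trusted system; that is the baseline every later warning gets compared against.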
I've gone into quite a bit of detail here, but the basics of scanning your system with rkhunter along with chkrootkit are pretty simple and should be undertaken on a regular basis.
PickledOnion.