Install Rkhunter (Rootkit Hunter) in RHEL, CentOS
Rkhunter is a rootkit scanner for Linux systems.
This tool scans for rootkits, backdoors and local exploits by running tests like:
– MD5 hash compare
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspicious strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files
Installing Rkhunter
First, download the latest version of Rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html or use wget to download it from SourceForge:
wget http://ufpr.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
Run the following commands as a root user:
tar xvfz rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install
Update Rkhunter:
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd
Setting Email Alerts and Cron
Create cron file /etc/cron.daily/rkhunter.sh
Create a file called rkhunter.sh under /etc/cron.daily/. Cron runs it once a day; it scans the file system and sends the results to your email address.
Insert this shell script into the rkhunter.sh file you have just created:
#!/bin/sh
(
  /usr/local/bin/rkhunter --versioncheck
  /usr/local/bin/rkhunter --update
  /usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' [email protected]
Change (PutYourServerNameHere) and [email protected] to your server name and a valid e-mail address.
Set execute permission on the file
# chmod 755 /etc/cron.daily/rkhunter.sh
Manual Scan
To scan the entire file system, run Rkhunter as the root user:
rkhunter --check
Rkhunter writes the results of the checks to the log file /var/log/rkhunter.log.
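An added example, not part of the original page or the rkhunter project: a small shell helper that pulls the distinct warning messages out of the log file named above, so a long scan log can be triaged quickly. It assumes warning entries have the form "[HH:MM:SS] Warning: <message>"; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise warnings from an rkhunter log.
# Assumption: warning entries look like "[HH:MM:SS] Warning: <message>".

# Print each distinct warning message once, without the timestamp prefix.
rkhunter_warnings() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    sed -n 's/^\[[0-9:]*] *Warning: *//p' "$log" | sort -u
}

# Print the number of distinct warnings. Returns 1 if there are any,
# 0 if the log is clean, 2 if the log cannot be read, so the result
# can gate an alert in a cron job.
rkhunter_warning_count() {
    out=$(rkhunter_warnings "$1") || return 2
    if [ -z "$out" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$out" | wc -l | tr -d ' '
    return 1
}

# Constructed sample log (hypothetical entries, not real scan output).
write_sample_log() {
    cat > "$1" <<'EOF'
[10:01:30] Info: Starting test name 'hidden_files'
[10:01:31]   Checking for hidden files and directories       [ Warning ]
[10:01:31] Warning: Hidden directory found: /dev/.sample
[10:01:40]   /usr/bin/example                                [ Warning ]
[10:01:40] Warning: The file properties have changed:
[10:01:41] Warning: Hidden directory found: /dev/.sample
[10:01:50] Info: End of constructed sample
EOF
}

# Demo on the constructed sample; on a real host pass /var/log/rkhunter.log.
tmp=$(mktemp)
write_sample_log "$tmp"
rkhunter_warnings "$tmp"
rm -f "$tmp"
```

A warning is a prompt to investigate, not a verdict: compare each message against recent package updates before treating the host as compromised.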
rkhunter help
rkhunter --help
