Install Rkhunter (Rootkit Hunter) in RHEL, CentOS

Install Rkhunter (Rootkit Hunter) in RHEL, CentOS

rkhunter

Rkhunter is rootkit scanner for Linux systems.
This tool scans for rootkits, backdoors and local exploits by running tests like:

– MD5 hash compare
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspected strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files

Installing Rkhunter

First download the latest version of Rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html or use wget to download from sourceforge.com.

wget http://ufpr.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz

Run the following commands as a root user:

tar xvfz rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install

 

Update Rkhunter:
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd

 

Setting Email Alerts and Cron

Create cron file /etc/cron.daily/rkhunter.sh

Create a file called rkhunter.sh under /etc/cron.daily/, which then scans file system every day and sends email notifications to your email.
Insert this shell script to the rkhunter.sh  file we have just created.

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' [email protected]

change: (PutYourServerNameHere) AND [email protected] to a valid server name / e-mail address

Set execute permission on the file
# chmod 755 /etc/cron.daily/rkhunter.sh

 

Manual Scan

To scan the entire file system, run the Rkhunter as a root user.

rkhunter --check

 

Rkhunter generates log file under /var/log/rkhunter.log with the checks results

rkhunter help
rkhunter --help

 

arstech

Leave a Reply

Your email address will not be published. Required fields are marked *