Install Rkhunter (Rootkit Hunter) in RHEL, CentOS
Rkhunter is a rootkit scanner for Linux systems.
The tool scans for rootkits, backdoors and local exploits by running tests such as:
– MD5 hash comparison of system binaries
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspected strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files
Installing Rkhunter
First, download the latest version of Rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html, or use wget to download it from SourceForge:
wget http://ufpr.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
Run the following commands as a root user:
tar xvfz rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install
Update Rkhunter:
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd
Setting Email Alerts and Cron
Create cron file /etc/cron.daily/rkhunter.sh
Create a file called rkhunter.sh under /etc/cron.daily/. It scans the file system every day and sends the results to your e-mail address.
Insert this shell script into the rkhunter.sh file you have just created:
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' [email protected]
Replace (PutYourServerNameHere) and [email protected] with a valid server name and e-mail address.
Set execute permission on the file
# chmod 755 /etc/cron.daily/rkhunter.sh
Manual Scan
To scan the entire file system, run Rkhunter as root:
rkhunter --check
Rkhunter writes the results of the checks to the log file /var/log/rkhunter.log.
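As an added example (not part of the original article), the POSIX sh helper below reads an rkhunter log and separates "file properties have changed" warnings, which usually mean the baseline is stale after a legitimate package update and should be refreshed with rkhunter --propupd, from other warnings that need a closer look; the log file path and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise the Warning lines in an rkhunter log so the
# daily mail can state how many warnings there were and how many are
# stale file-property baselines (re-run rkhunter --propupd after a
# legitimate package update) rather than something to investigate.

# Print "total changed other" counts for the warnings in log file $1.
rkhunter_warning_counts() {
    total=0; changed=0; other=0
    while IFS= read -r line; do
        case "$line" in
            *"Warning: "*)
                total=$((total + 1))
                case "$line" in
                    *"file properties have changed"*) changed=$((changed + 1)) ;;
                    *) other=$((other + 1)) ;;
                esac ;;
        esac
    done < "$1"
    echo "$total $changed $other"
}

# Exit status 0 when the log has no warnings, 1 otherwise, so a cron
# wrapper can decide whether there is anything worth mailing.
rkhunter_log_clean() {
    set -- $(rkhunter_warning_counts "$1")
    [ "$1" -eq 0 ]
}

# Constructed sample log in rkhunter's "[HH:MM:SS] message" format
# (assumed path; the real log is /var/log/rkhunter.log).
SAMPLE_LOG="${TMPDIR:-/tmp}/rkhunter-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
[03:15:01] Info: Starting test name 'properties'
[03:15:02] Warning: The file properties have changed:
[03:15:02]          File: /usr/bin/ssh
[03:15:03] Warning: The file properties have changed:
[03:15:03]          File: /usr/bin/ls
[03:15:05] Info: Starting test name 'filesystem'
[03:15:06] Warning: Hidden directory found: /dev/.udev
[03:15:07] Info: End date is Mon Jan  1 03:15:07 UTC 2024
EOF

rkhunter_warning_counts "$SAMPLE_LOG"   # prints: 3 2 1
```

Point rkhunter_warning_counts at /var/log/rkhunter.log inside the cron script to get the same summary from a real run.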
rkhunter help
rkhunter --help