How to install RKHunter

I’ve taken on a couple of new servers, so I figured I would share this little tidbit of information.  RKHunter stands for Rootkit Hunter; it scans your system for rootkits and the things that usually come with them.  A quote from the project site:

Rootkit scanner is a scanning tool to ensure you for about 99.9%* that you’re clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:

– MD5 hash comparison
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspected strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files

Rootkit Hunter is released as a GPL licensed project and is free for everyone to use.

* No, not really 99.9%. It’s just another security layer.

To install this goody, log into the server and make sure you are the root user.  The latest version as of this post is 1.3.4.  If you like to keep things organized, and you should, download things into a dedicated directory.  I went all out on the naming of mine, so that no one can figure out what’s in it! :)  I called it ‘downloads’, and it sits right under the root user’s home directory.  So, start off by changing into the ‘downloads’ folder.

root@server [~]# cd downloads

Next, use wget to grab the rkhunter tarball.  Before you unpack anything you are about to run as root, compare the tarball’s checksum with the one the project publishes for that release; a download mirror is not something you want to trust blindly:

root@server [~/downloads]# wget http://garr.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.4.tar.gz

Now to extract it, and then move into the new directory:

root@server [~/downloads]#  tar -zxvf rkhunter-1.3.4.tar.gz

root@server [~/downloads]# cd rkhunter-1.3.4

Next, run the installer script.  The default layout is good enough (note the options take two leading dashes):

root@server[~/downloads/rkhunter-1.3.4]# ./installer.sh --layout default --install

This installs the program as ‘/usr/local/bin/rkhunter’.

Before the first scan, fetch the current data files with rkhunter --update and build the file-properties database with rkhunter --propupd; without that baseline the first run warns about every binary it has never seen.  Re-run --propupd only after legitimate package updates, and only once you have read the scan output, because it records whatever is on disk as “known good”.  Now you can run a scan from the command line by typing:

root@server [~]# rkhunter -c

Logs for the program are written to ‘/var/log/rkhunter.log’.  A nice thing to do, though, is to set up a cron job that runs the tool once a day and emails you the results.  To do this, complete the following:

root@server [~]# vi /etc/cron.daily/rkhunter.sh

Now, paste the following code into the newly created file, making sure to change the email address at the end (straight quotes and double-dash options; the smart quotes a blog editor likes to insert will break the command):

#!/bin/bash
# Run rkhunter non-interactively (--cronjob: no colours, no keypress prompts)
# and mail the whole report, stderr included, every day.
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Your Daily RKHunter Scan Report" mail@yourdomain.com)

Save the file ( :wq ), and you’re set.  Now, make the file executable so cron can run it:

root@server [~]# chmod +x /etc/cron.daily/rkhunter.sh

You have now set up a daily cron job that emails you the results of your RKHunter scan.  Two caveats: /etc/cron.daily is processed by run-parts, and Debian’s run-parts skips file names containing a dot, so on Debian-based systems call the script /etc/cron.daily/rkhunter rather than rkhunter.sh.  And because this mails the full report every day, a real warning is easy to miss in the routine; the --report-warnings-only option trims the output to just the findings.
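A more selective version of the cron job, as an added example that is not from the original post: it refreshes the rkhunter data files, runs the scan in cron mode with warnings only, and sends mail only when there is something to look at (the full run still lands in /var/log/rkhunter.log). It assumes the 1.3.4 binary at /usr/local/bin/rkhunter as installed above, a working mail command, and that rkhunter prefixes each finding with “Warning:” in its --report-warnings-only output (check rkhunter --help on your version); the helper function names are mine, and the sample lines in the comments are constructed.

```shell
#!/bin/bash
# Daily RKHunter wrapper (added example, not part of rkhunter itself).
# Install as /etc/cron.daily/rkhunter (no .sh suffix on Debian) and chmod +x.

RKHUNTER=/usr/local/bin/rkhunter   # assumed: default layout from installer.sh
MAILTO=mail@yourdomain.com         # change this
LOG=/var/log/rkhunter.log          # rkhunter's own log, kept for forensics

# Assumed output format of --report-warnings-only (constructed sample lines):
#   Warning: The command /bin/ls has been replaced by a script
#   Warning: Hidden file found: /dev/.hidden

# Print only the finding lines from a scan output file, one per line.
extract_warnings() {
    grep '^Warning:' "$1" || true
}

# Number of findings in a scan output file (0 when there are none).
count_warnings() {
    extract_warnings "$1" | wc -l | tr -d ' '
}

# Subject line that says at a glance whether action is needed.
# $1 = warning count, $2 = host name
mail_subject() {
    if [ "$1" -gt 0 ]; then
        printf 'RKHunter on %s: %s warning(s)' "$2" "$1"
    else
        printf 'RKHunter on %s: clean' "$2"
    fi
}

run_daily_scan() {
    out=$(mktemp)
    # Refresh rkhunter's data files first (needs outbound HTTP), then scan.
    "$RKHUNTER" --update --nocolors >/dev/null 2>&1
    "$RKHUNTER" --cronjob --report-warnings-only --nocolors >"$out" 2>&1
    n=$(count_warnings "$out")
    if [ "$n" -gt 0 ]; then
        {
            cat "$out"
            printf '\nFull log: %s\n' "$LOG"
        } | mail -s "$(mail_subject "$n" "$(hostname)")" "$MAILTO"
    fi
    rm -f "$out"
}

# The scan only starts when this file runs under its cron name, so the helpers
# above can be sourced into a shell (or a test) without kicking off a scan.
case "$(basename -- "$0")" in
    rkhunter|rkhunter.sh) run_daily_scan ;;
esac
```

Silence now means “clean”, so pair it with something that notices when the job stops running at all (a monitoring check on the log’s modification time, for instance); a rootkit that disables the scanner would otherwise look exactly like a quiet day.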