How to Install RKHunter (RootKit Hunter) On Ubuntu 18.04
RootKit Hunter is a Unix-based shell script that scans the local system for rootkits, backdoors and signs of possible intrusion. It can also monitor local system commands, startup files, network interfaces and listening applications for changes.
1. Installing RKHunter:-
The rkhunter package is available in the standard Ubuntu repositories, so we can install it by running the command below:-
# apt install rkhunter -y
2.Configure and use RKHunter:-
Open the configuration file, /etc/rkhunter.conf, and make the changes as shown below.
# vim /etc/rkhunter.conf
UPDATE_MIRRORS=1
Set the value of MIRRORS_MODE to 0. The MIRRORS_MODE option tells rkhunter which mirrors are to be used when the --update or --versioncheck command-line options are given. There are three possible values for this:
- 0 – use any mirror
- 1 – only use local mirrors
- 2 – only use remote mirrors
MIRRORS_MODE=0
Set the value of WEB_CMD to null, "". This option can be set to a command which rkhunter will use when downloading files from the Internet.
WEB_CMD=""
3. Enable regular scan and updates with cron:-
Edit the /etc/default/rkhunter.conf file and make the following changes.
Enable rkhunter scan checks to run daily by setting the value of CRON_DAILY_RUN to "true".
CRON_DAILY_RUN="true"
Set the value of CRON_DB_UPDATE to true to enable rkhunter weekly database updates.
CRON_DB_UPDATE="true"
Set the value of APT_AUTOGEN to true to enable automatic database updates.
APT_AUTOGEN="true"
Once you are done, save the configuration file and quit.
Run the command below to check for any unrecognised configuration options.
# rkhunter -C
You can also use the --config-check option instead of -C.
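The edits in steps 2 and 3 are usually made by hand, but on more than one machine it is safer to script them so that each option ends up set exactly once. The helper below is an added example and not part of the original article or of rkhunter itself: set_kv and get_kv are hypothetical names, and the sample file contents are constructed to look like a fresh rkhunter.conf rather than copied from the real file.

```shell
# Added example (not from the article): set rkhunter options idempotently from a
# script, then read them back. Run "rkhunter -C" on the real file afterwards.

# set_kv FILE KEY VALUE : leave exactly one active "KEY=VALUE" line in FILE.
# An existing line for KEY (even a commented-out "#KEY=..." one) is rewritten in
# place, later duplicates are dropped, and an absent KEY is appended at the end.
# VALUE is passed through awk -v, so backslash sequences in it are interpreted.
set_kv() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v val="$value" '
    $0 ~ "^[# \t]*" key "=" {               # first hit: rewrite; later hits: drop
      if (!done) { print key "=" val; done = 1 }
      next
    }
    { print }
    END { if (!done) print key "=" val }    # key never seen: append
  ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the mode and owner of FILE
  status=$?
  rm -f "$tmp"
  return $status
}

# get_kv FILE KEY : print the value of the active (uncommented, unindented) KEY= line
get_kv() {
  awk -v key="$2" -F= '$1 == key { v = substr($0, length(key) + 2) } END { print v }' "$1"
}

# Demonstration on a constructed file in the style of rkhunter.conf (not the real one).
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample, not a real rkhunter.conf
UPDATE_MIRRORS=0
#MIRRORS_MODE=1
WEB_CMD="/bin/false"
EOF
set_kv "$conf" UPDATE_MIRRORS 1
set_kv "$conf" MIRRORS_MODE 0
set_kv "$conf" WEB_CMD '""'
set_kv "$conf" MAIL-ON-WARNING username@domain
cat "$conf"
echo "MIRRORS_MODE is now: $(get_kv "$conf" MIRRORS_MODE)"
rm -f "$conf"
```

Point set_kv at /etc/rkhunter.conf or /etc/default/rkhunter.conf with the keys from the steps above, and finish with rkhunter -C so that a typo in a key name is caught before the first scheduled run.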
4.Update rkhunter text data files:-
After configuring rkhunter, run the command below to update rkhunter text data files.
# rkhunter --update
You can also check the version of rkhunter by running the command below:
# rkhunter --versioncheck
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter version...
This version : 1.4.6
Latest version: 1.4.6
5.Set the Security Baseline for your System:-
To update the rkhunter data file of stored values with the current values, run rkhunter with the --propupd option. Do this on a system you trust to be clean, because the stored values become the reference that later checks are compared against.
# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 180 files, found 147
6. Perform System Check:-
# rkhunter --check
To avoid having to press ENTER for every check, you can pass the --sk or --skip-keypress option.
# rkhunter --check --sk
To display warning messages only, use the --rwo or --report-warnings-only option.
# rkhunter --check --rwo
The RKHunter log file is /var/log/rkhunter.log.
7.Email Notification:-
You may also want to have the results sent to you by email when a threat is found on your system. To do this, edit the rkhunter configuration file and set the value of MAIL-ON-WARNING to your email address.
# vim /etc/rkhunter.conf
MAIL-ON-WARNING=username@domain
Replace username@domain with your email address. You can also set the email command to use.
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
Once done, save the configuration file and check for any misconfigurations as shown above.
You will now receive an email whenever a threat is found on your system. See the example mail below.
8. Daily Reports using a Cronjob:-
# vi /etc/cron.daily/rkhunter.sh
#!/bin/sh
# Version check, data file update and warnings-only scan, all mailed as one report
(
/usr/bin/rkhunter --versioncheck
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob --report-warnings-only
) | mail -s "rkhunter Daily Run ($(hostname))" username@domain
Once done, save and exit.
Set execute permission on the file.
# chmod 755 /etc/cron.daily/rkhunter.sh
Assign the cronjob in crontab so that the script runs once a day, for example at 03:00:
0 3 * * * /etc/cron.daily/rkhunter.sh
Once done, save and exit.
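The script in step 8 mails the full warnings list every day, so a warning that has already been looked at (steps 6 and 7) is reported again and again. The wrapper below is an added example and not the article's script or part of rkhunter: it runs the check, reads the log file named in step 6, and mails only the warnings that are not yet recorded in a reviewed baseline. The RKHUNTER, LOGFILE, BASELINE and MAIL_TO variables, the baseline path /var/lib/rkhunter/reviewed-warnings.txt, the script name in the cron comment and the function names are all assumptions, and the log lines in the demonstration are constructed.

```shell
# Added example (not the article's cron script): run rkhunter from cron and mail
# only the warnings that have not already been reviewed, so a known false
# positive does not generate a fresh report every day.
RKHUNTER=${RKHUNTER:-/usr/bin/rkhunter}
LOGFILE=${LOGFILE:-/var/log/rkhunter.log}
BASELINE=${BASELINE:-/var/lib/rkhunter/reviewed-warnings.txt}  # assumed path; one warning text per line
MAIL_TO=${MAIL_TO:-root}

# warnings LOG : distinct "Warning:" messages in an rkhunter log, "[HH:MM:SS]" stripped
warnings() {
  sed -n 's/^\[[0-9:]*\][[:space:]]*Warning:[[:space:]]*//p' "$1" | sort -u
}

# count_warnings LOG : how many distinct warnings the log holds
count_warnings() {
  warnings "$1" | wc -l | tr -d ' '
}

# new_warnings LOG BASELINE : warnings whose text is not a whole line of BASELINE
new_warnings() {
  if [ -s "$2" ]; then
    warnings "$1" | grep -vxF -f "$2" || true   # grep exits 1 when nothing is new
  else
    warnings "$1"                                 # no baseline yet: everything is new
  fi
}

# daily_run : cron entry point; mails and returns 1 only when something is new
daily_run() {
  "$RKHUNTER" --cronjob --report-warnings-only >/dev/null 2>&1 || true  # non-zero exit = warnings, not failure
  new=$(new_warnings "$LOGFILE" "$BASELINE")
  [ -z "$new" ] && return 0
  printf 'New rkhunter warnings on %s:\n\n%s\n' "$(hostname)" "$new" |
    mail -s "[rkhunter] new warnings on $(hostname)" "$MAIL_TO"
  return 1
}

# In crontab (hypothetical install path):  0 3 * * * /usr/local/sbin/rkhunter-report.sh run
if [ "${1:-}" = run ]; then
  daily_run; exit $?
fi

# Without the "run" argument: demonstrate the filtering on a constructed log and baseline.
log=$(mktemp); base=$(mktemp)
cat > "$log" <<'EOF'
[12:00:01] Rootkit Hunter version 1.4.6
[12:00:05] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[12:00:05] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
[12:00:10] Warning: Hidden directory found: /etc/.java
[12:00:10] Warning: Hidden directory found: /etc/.java
[12:00:12] Info: Starting test name 'network'
EOF
# The two script warnings were reviewed once and recorded in the baseline:
warnings "$log" | grep /usr/bin/ > "$base"
echo "distinct warnings: $(count_warnings "$log")"
echo "not yet reviewed:"; new_warnings "$log" "$base"
rm -f "$log" "$base"
```

A warning moves into the baseline only after someone has looked at it and decided it is expected on that host; anything else still arrives by mail and also makes the cron job exit non-zero, which is what a job monitor can alert on.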