Installing Rootkit Hunter (rkhunter) on Almalinux

Categories

Installing Rootkit Hunter (rkhunter) on Almalinux

You are here:

This guide details how to install rkhunter on an AlmaLinux 8 server.

What is Rootkit Hunter

Computer hackers use a wide range of attacks or exploit vulnerabilities within systems and devices in order to gain access to a device and obtain control over the system and access to the data stored on it.

Active monitoring tools such as RootKit Hunter can help detect and mitigate these threats by scanning the machine for possible infections and configuration errors.

This guide will show you how to install RootKit hunter, schedule the system’s routine scan, and set up email alerts that may warrant further investigation.

Installation of Rootkit Hunter

To download the package with wget command, if your system hasn’t got wget installed by using dnf install wget will download the package.

wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz


After the download, we will now need to extract the file:

tar -xvf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6 
./installer.sh --layout default --install 

Output of the package installing:

 

Updating the rkhunter Database

After installing the package we need to ensure we have the correct updates of the rootkit hunters database to ensure the effectiveness of scans.  We will look into automating the process later in this article however for now manual updates to the database can be ran by using the following commands:

/usr/local/bin/rkhunter --update 
/usr/local/bin/rkhunter --propupd

 

Running the First Scan

To run a manual scan of the system you can use the below command.  As the output shows, RootKit hunter is scanning for the known rootkits against the database.

rkhunter --check


 

Analysing the Results of the Scan

All results are written to the log file: /var/log/rkhunter.log  The results of the log file can be checked with the following command:

cat /var/log/rkhunter.log

 

Scheduling Daily Scans and Updates with Email Alerts

To run the rkhunter automatically at a scheduled time of day a cron job can be setup that will run the scan and email the output to do this:

1. Create a file called rkhunter.sh by opening with your favourite text editor:

vi /etc/cron.daily/rkhunter.sh

2. Paste the following lines of code into the file and replace the following with your details:

#!/bin/sh

(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (ServerNameHere)' mail@email.com

3. Set the execute permissions on the daily scan script

chmod 755 /etc/cron.daily/rkhunter.sh

The cron utility will run once daily, and if a threat is detected, the rkhunter command itself will email our user to alert them. If no problems are found, no email will be received.

 

Configuring Email Alert Notifications

E-mail notifications can be enabled by editing the MAIL-ON-WARNING value as below. You will then receive a message when rkhunter hits a warning. Please note that local mail has to be set up correctly in order for mail notifications to function.

The configuration file can be found at /etc/rkhunter. Open this with any file editor of your choosing.

 vi /etc/rkhunter.conf

Then update the file with your own email address:

MAIL-ON-WARNING="username@domainname.com"

A related configuration option specifies the program and options for sending the mail:

MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

 

Whitelisting Custom Scripts

If you are using custom scripts within your systems. Rkhunter will probably scan these scripts and mark these as malware or rootkits. It is advised to stop this being alerted on every scan is to whitelist these scripts to stop from false positives coming through.

This is done through a setting in the configuration file:

SCRIPTWHITELIST=

 

Dealing with Root SSH Logins and Rootkit Hunter

If root logon is needed within this system, this will need to be enabled with the conf file, as rkhunter will alert you every time a scan is being performed. Therefore, by changing the configuration will stop rkhunter complaining about this configuration. Change the following fine for no to yes. If you want to enable root logon, if not leave as it is.

ALLOW_SSH_ROOT_USER=no

To enable root logon

ALLOW_SSH_ROOT_USER=yes

Note: It is advised to disable root logon for best security practices and create an user with the correct permissions to perform tasks. More details can be found on our guide on securing SSH here

Previous Installation Guide – cPanel/WHM on AlmaLinux
Table of Contents