Introduction
If you are using a Linux system and think that your system is 100% secure, you are wrong. Linux is still vulnerable to malware, and one type of malware you might encounter on Linux is a rootkit.
A rootkit is a collection of malicious software designed to enable access to a computer, or to areas of its software, that would not otherwise be allowed, while at the same time masking its own existence or the existence of other software.
Rootkit installation is usually automated by exploiting a software vulnerability. An attacker can also install a rootkit manually after breaking into a system and gaining root or administrator access.
TechTarget's definition of a rootkit is:
a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.
In this tutorial we'll learn how to install and configure rkhunter on Ubuntu 14.04 Trusty Tahr so that we can scan our system for potential rootkits.
Install rkhunter
We will install rkhunter from the Ubuntu repository instead of using the archive file from the rkhunter website. First we update the apt metadata and then install rkhunter with the commands below:
$ sudo apt-get update
$ sudo apt-get -y --no-install-recommends install rkhunter
We use the --no-install-recommends option of apt so that rkhunter is installed in a minimal way. One of the recommended packages for rkhunter is postfix, a mail server. We assume that the server is already configured to relay outgoing mail to another mail server.
Updating rkhunter Data Files
After installing rkhunter we need to update its data files by running the command below:
$ sudo rkhunter --update
[ Rootkit Hunter version 1.4.0 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ Updated ]
Checking file i18n/en [ Updated ]
Checking file i18n/tr [ Updated ]
Checking file i18n/tr.utf8 [ Updated ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Rootkit Scanning Using rkhunter
After updating the rkhunter data files, we run rkhunter for the first time with the command below:
$ sudo rkhunter -c
rkhunter will run using its default configuration. The output of the command above is quite long, and you will need to press Enter several times to continue the scanning process.
Configure Email For Warnings
We can configure rkhunter to send us an email only when a scan produces a warning. By sending email only on warnings we make sure the email gets our attention, which an email for every scan would not.
To configure email on warning, open /etc/rkhunter.conf and find the line:
MAIL-ON-WARNING=""
Put your email address between the double quotes, e.g.:
MAIL-ON-WARNING="youremail@yourdomain.com"
We can add multiple email addresses separated by commas, or use a group address so that several people receive the email. Using an email group makes sure more than one person sees the warning and at least one team member acts on it.
After changing the configuration, we can check the rkhunter configuration with the command below:
$ sudo rkhunter -C
Command cannot be found: MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
If you get no output, your configuration is OK; if you get output similar to the above, there is an error in your configuration file. The error message above says a command could not be found; the command in question is mail. We will install msmtp and create a symlink to the msmtp binary named mail.
To install msmtp we run the command below:
$ sudo apt-get install msmtp
We then create the symlink from the mail program to msmtp with the command below:
$ sudo ln -sf /usr/bin/msmtp /usr/sbin/mail
You can take a look at the additional tutorial on Hostpresto! entitled How to Send Email from the Command Line with MSMTP and Mutt to learn how to configure msmtp to send email properly.
If the configuration is correct, we should get no output when running $ sudo rkhunter -C again.
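The scan described above needs Enter pressed repeatedly, and MAIL-ON-WARNING only helps when mail delivery actually works. As an added example (not part of the original tutorial), this POSIX shell wrapper runs the same scan non-interactively and turns the warning count into an exit status a cron job or monitoring agent can act on; it assumes rkhunter 1.4's --cronjob and --rwo options and the default log path /var/log/rkhunter.log, and the sample scan output embedded in it is constructed.

```sh
#!/bin/sh
# Added example, not from the original tutorial: a cron-friendly wrapper around
# the scan described above. It runs rkhunter without keypress prompts, counts the
# warnings it reports, and exits non-zero when any are found, so a scheduler or
# monitoring agent can react even if MAIL-ON-WARNING delivery is broken.

# Count "Warning:" lines from rkhunter's warnings-only output, read on stdin.
# grep -c still prints "0" when nothing matches but exits 1; "|| true" keeps
# that from aborting callers that run under "set -e".
count_rkhunter_warnings() {
    grep -c '^Warning:' || true
}

# Constructed sample shaped like "rkhunter --check --rwo" output (not real data).
sample_scan_output() {
    cat <<'EOF'
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable
Warning: Hidden directory found: /dev/.udev
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
EOF
}

# Map a warning count to an exit status: 0 = clean, 2 = warnings found.
warnings_to_status() {
    if [ "$1" -eq 0 ]; then
        echo "rkhunter: no warnings"
        return 0
    fi
    echo "rkhunter: $1 warning(s) found, details in /var/log/rkhunter.log"
    return 2
}

# Live run (root required): --cronjob disables colours and the "press Enter"
# prompts, --rwo prints only warnings, which is what the counter expects.
run_live_scan() {
    rkhunter --update >/dev/null 2>&1
    count=$(rkhunter --check --cronjob --rwo | count_rkhunter_warnings)
    warnings_to_status "$count"
}

# Start a real scan only when asked to; otherwise exercise the logic on the
# constructed sample so the script can be tried without rkhunter installed.
if [ "${1:-}" = "--live" ]; then
    run_live_scan
else
    warnings_to_status "$(sample_scan_output | count_rkhunter_warnings)" || true
fi
```

Run it as root with --live from cron; an exit status of 2 means warnings were found even if the warning email never arrives.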
Summary
In this tutorial we explained how to install rkhunter to scan for rootkits on our server, how to run a scan, and how to configure email for warnings. Using rkhunter adds an extra security measure to protect our server. We hope you find this tutorial useful, thank you.