Rkhunter (Rootkit Hunter) is an open-source security scanning and monitoring tool that checks a Linux system for rootkits, backdoors and local exploits. It looks for suspicious strings in kernel modules, wrong permissions on binaries, hidden files and so on. It is written in Bourne shell (sh) and runs on almost all UNIX-derived systems.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers with Linux systems security queries of this kind.
In this context, we shall look into how to install Rkhunter on Ubuntu 20.04 and scan the system for backdoors, rootkits and local exploits.
On Ubuntu 20.04, Rkhunter is available in the default repositories. Run the following apt command to install the package:
$ sudo apt install rkhunter -y
Because the package pulls in a mail transport agent (Postfix) for its reports, apt opens a mail server configuration dialog during the install. The first screen only describes the available mail server types; press OK.
Next you are asked to choose the mail server type described on the first screen. For our setup we selected 'Local only', then pressed OK.
Shortly afterwards the Postfix configuration dialog asks for the system mail name. If the server has a real mail domain, enter it as the description explains; otherwise use localhost or the server's hostname. Then press OK.
Now, verify the installation using the following command:
$ rkhunter --version
Once the installation is complete, Rkhunter needs a little configuration before it can fetch updates and scan the system fully. Open the main config file:
$ sudo vim /etc/rkhunter.conf
Now find the following variables and set them to the values shown:
UPDATE_MIRRORS=1
By default this is 0, which means the mirrors file itself is never refreshed. With 1, Rkhunter also checks the mirrors file for updates whenever it runs with --update.
MIRRORS_MODE=0
MIRRORS_MODE tells Rkhunter which mirrors to use when the --update or --versioncheck option is given. It takes one of three values:
0 - use any mirror
1 - use local mirrors only
2 - use remote mirrors only
WEB_CMD=""
WEB_CMD is the command Rkhunter uses to download files from the Internet. The Ubuntu package ships it as WEB_CMD="/bin/false", which blocks every download and makes --update fail; an empty string lets Rkhunter pick an available downloader such as wget or curl.
Once the above configuration is set, write and quit the config file.
During installation the package also drops a script into /etc/cron.daily so that the scan and the data-file update run regularly from cron. That script reads its settings from /etc/default/rkhunter (note: no .conf suffix), so edit that file to enable the daily scan, the periodic data-file update, and an automatic --propupd after apt installs or upgrades packages (without the last one, every legitimate package upgrade shows up as a file-properties warning):
$ sudo vim /etc/default/rkhunter
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"
Once the configuration is done, check it for errors with the -C (--config-check) option:
$ sudo rkhunter -C
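The configuration steps above as one idempotent script. This is an example added here, not code from the original article or from the rkhunter project: it only uses the option names and file paths named above, the set_opt/get_opt/configure_rkhunter helper names are ours, and the sample file contents in demo() are constructed to mimic the Ubuntu defaults so the script runs offline without touching /etc.

```shell
#!/bin/sh
# Added example, not from the original article or the rkhunter project.
# Applies the settings from the steps above to rkhunter's two config files.
# Only option names and paths named in the article are used; the sample file
# contents in demo() are constructed to mimic the Ubuntu defaults.

# set_opt FILE KEY VALUE: rewrite an existing KEY=... line (commented out or
# not) as KEY=VALUE, or append it when the key is absent.  VALUE is written
# verbatim, so quote string values yourself (e.g. '"true"' or '""').
set_opt() {
    file=$1 key=$2 value=$3
    if grep -q "^#\{0,1\}[[:space:]]*${key}=" "$file"; then
        sed -i "s|^#\{0,1\}[[:space:]]*${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_opt FILE KEY: print the active value of KEY (last uncommented line wins).
get_opt() {
    grep "^${2}=" "$1" | tail -n 1 | cut -d= -f2-
}

# configure_rkhunter CONF DEFAULTS: exactly the edits from the article.
configure_rkhunter() {
    set_opt "$1" UPDATE_MIRRORS 1          # also refresh the mirrors file on --update
    set_opt "$1" MIRRORS_MODE 0            # use any mirror
    set_opt "$1" WEB_CMD '""'              # let rkhunter pick wget/curl instead of /bin/false
    set_opt "$2" CRON_DAILY_RUN '"true"'   # daily scan from /etc/cron.daily
    set_opt "$2" CRON_DB_UPDATE '"true"'   # periodic data-file update
    set_opt "$2" APT_AUTOGEN '"true"'      # --propupd after apt changes packages
}

# apply_to_system: run as root against the real files, then validate with -C.
apply_to_system() {
    configure_rkhunter /etc/rkhunter.conf /etc/default/rkhunter
    rkhunter -C
}

# demo: exercise the functions on constructed copies, never on /etc.
demo() {
    d=$(mktemp -d)
    # constructed sample of the relevant lines, mimicking the Ubuntu defaults
    printf 'UPDATE_MIRRORS=0\nMIRRORS_MODE=1\nWEB_CMD="/bin/false"\n' > "$d/rkhunter.conf"
    printf 'CRON_DAILY_RUN="false"\nCRON_DB_UPDATE="false"\n' > "$d/rkhunter"
    configure_rkhunter "$d/rkhunter.conf" "$d/rkhunter"
    for k in UPDATE_MIRRORS MIRRORS_MODE WEB_CMD; do
        printf '%s=%s\n' "$k" "$(get_opt "$d/rkhunter.conf" "$k")"
    done
    for k in CRON_DAILY_RUN CRON_DB_UPDATE APT_AUTOGEN; do
        printf '%s=%s\n' "$k" "$(get_opt "$d/rkhunter" "$k")"
    done
    rm -rf "$d"
}

demo
```

Running the script as-is only prints the rewritten sample values; call apply_to_system as root to edit the real files. Because set_opt replaces a line in place whether it was commented out or not, and appends only when the key is missing, re-running the script never duplicates a setting.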
Rkhunter uses text data files to detect suspicious activity, so they need to be refreshed regularly. To check for and download updates (this needs the WEB_CMD change above, otherwise the download is blocked), run:
$ sudo rkhunter --update
Now create the file-properties database, the baseline of hashes, permissions and other attributes that later checks are compared against. Do this on a system you trust to be clean and re-run it only after legitimate package changes (APT_AUTOGEN does that for you); running it on an already compromised host would record the tampered files as good:
$ sudo rkhunter --propupd
Once everything is set up you can run a system check with rkhunter:
$ sudo rkhunter --check --sk
$ sudo rkhunter --check --rwo
In the commands above, --check runs the scan, --sk (--skip-keypress) stops Rkhunter from pausing for the Enter key between test groups, and --rwo (--report-warnings-only) prints only the warnings. The exit status is non-zero when any warning was found, which is what makes the command usable from cron.
After the scan, the full output including every warning is in the log file:
$ sudo cat /var/log/rkhunter.log
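A wrapper around the update-and-scan steps above that then triages the log rather than reading it by hand. This is an example added here, not code from the original article or the rkhunter project. It assumes the log's "[HH:MM:SS] Warning: ..." line format and the indented "File: <path>" continuation lines that follow a file-properties warning; the function names, the RKHUNTER_RUN switch and the SAMPLE_LOG contents are ours, and the sample is constructed rather than real scan output, so the demo runs offline.

```shell
#!/bin/sh
# Added example, not from the original article or the rkhunter project:
# run the scan from the steps above, then triage /var/log/rkhunter.log.
# Assumes "[HH:MM:SS] Warning: ..." warning lines and indented "File: <path>"
# continuation lines; SAMPLE_LOG below is constructed, not real output.

LOG=/var/log/rkhunter.log

# run_scan: refresh the data files and scan, reporting warnings only.
# Needs root and a WEB_CMD that allows downloads.  --propupd is deliberately
# not here: re-baselining before every scan would record a tampered binary as
# good; let APT_AUTOGEN handle legitimate package changes instead.
run_scan() {
    rkhunter --update
    rkhunter --check --sk --rwo   # exit status is non-zero when warnings were found
}

# warnings LOGFILE: distinct warning messages, timestamps stripped, first-seen order.
warnings() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*Warning: //p' "$1" | awk '!seen[$0]++'
}

# changed_files LOGFILE: paths named on "File:" lines (file-properties warnings).
changed_files() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*File: *//p' "$1" | awk '!seen[$0]++'
}

# warning_count LOGFILE: number of distinct warnings (0 means a clean run).
warning_count() {
    warnings "$1" | wc -l | tr -d ' '
}

# triage LOGFILE: short summary for a human; returns 1 when anything was flagged.
triage() {
    n=$(warning_count "$1")
    echo "distinct warnings: $n"
    warnings "$1" | sed 's/^/  - /'
    echo "files with changed properties:"
    changed_files "$1" | sed 's/^/  /'
    [ "$n" -eq 0 ]
}

# Constructed sample log in the format the functions above expect.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[09:15:01] Info: Start date is Mon Jun  1 09:15:01 UTC 2020
[09:15:03] Warning: The file properties have changed:
[09:15:03]          File: /usr/bin/example
[09:15:05] Warning: Hidden file found: /etc/.example: ASCII text
[09:15:06] Warning: The file properties have changed:
[09:15:06]          File: /usr/sbin/example2
[09:15:07] Info: End date is Mon Jun  1 09:15:07 UTC 2020
EOF

if [ "${RKHUNTER_RUN:-0}" = 1 ]; then   # RKHUNTER_RUN=1 sudo sh scan.sh : real scan
    run_scan || true
    triage "$LOG"
else
    triage "$SAMPLE_LOG" || true          # offline demo on the constructed log
fi
```

Without RKHUNTER_RUN=1 the script only summarises the constructed sample; with it, and run as root, it performs the real update and scan and then summarises the real log. Deduplicating the warning lines matters because a single changed package can repeat "The file properties have changed:" many times, and the list of File: paths is what you actually compare against recent apt activity before deciding whether a warning is benign.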
This article covered a straightforward procedure to install and configure Rkhunter, scan the system and read the log to identify actual backdoors, rootkits and local exploits. Rkhunter (Rootkit Hunter) is an open-source Unix/Linux scanner released under the GPL that checks for hidden files, wrong permissions on binaries, suspicious strings in the kernel, and so on.
To scan the entire system, run Rkhunter as root:
$ sudo rkhunter --check