RKHunter [Rootkit Hunter]
=========================
Rkhunter (Rootkit Hunter) is a feature-rich scanning tool that scans for rootkits, backdoors and local exploits. It checks for hidden files, wrong permissions set on binaries, suspicious strings in the kernel, and so on.
Because rootkits are installed into system files, they cannot be removed easily. RKHunter will still notify you of any rootkits that may exist on your system so that you can take the necessary steps to reload the server.
Rootkit Hunter is not a reactive tool: it only enumerates the threats it encounters. It is up to you to read the log file and investigate suspicious activity.
To know more about Rkhunter and its features, visit http://www.rootkit.nl/.
================================================================
Installing Rkhunter (Rootkit Hunter) in RHEL, CentOS and Fedora
================================================================
Step 1: Downloading Rkhunter:
[root@server ~]# mkdir /download
[root@server ~]# cd /download
[root@server download]# wget http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
Step 2: Installing Rkhunter:
Once you have downloaded the latest version, run the following commands as the root user to install it.
[root@server download]# tar -xvzf rkhunter-1.4.0.tar.gz
[root@server download]# cd rkhunter-1.4.0
[root@server rkhunter-1.4.0]# ./installer.sh --install
[root@server rkhunter-1.4.0]# cd
Step 3: Updating Rkhunter:
Update the rkhunter data files and build the file-properties database by running the following commands.
[root@server ~]# /usr/local/bin/rkhunter --update
[root@server ~]# /usr/local/bin/rkhunter --propupd
Step 4: Setting Cronjob and Email Alerts:
Create a file "rkhunter.sh" under /etc/cron.daily/, which will then scan your file system every day and send email notifications to your email address.
[root@server ~]# vi /etc/cron.daily/rkhunter.sh
Add the following lines to it, replacing the "Server Name" and "Email Id" with your own.
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (server.anup.co.in)' mail@anup.co.in
Set execute permission on the file.
[root@server ~]# chmod +x /etc/cron.daily/rkhunter.sh
Step 5: Manual Scan and Usage:
To scan the entire file system, run Rkhunter as the root user.
[root@server ~]# rkhunter --check
The above command writes the results of the checks made by Rkhunter to the log file /var/log/rkhunter.log.
For more information and options, run the following command.
[root@server ~]# rkhunter --help
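As an added example that is not part of the original tutorial, here is a variant of the Step 4 cron script that sends mail only when the scan output actually contains warnings, with a helper that counts "Warning:" lines from either the cron output or /var/log/rkhunter.log (Step 5). The rkhunter and mail paths are the ones used above; the recipient address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a daily rkhunter wrapper that
# mails the report only when the scan produced warnings. Paths follow the page;
# the recipient address is a placeholder.

RKHUNTER=/usr/local/bin/rkhunter
MAILTO='admin@example.com'                  # placeholder: replace with your address
HOST=$(hostname 2>/dev/null || echo unknown-host)

# Count rkhunter warning lines read from stdin. Matches both the cron output
# form ("Warning: ...") and the /var/log/rkhunter.log form ("[hh:mm:ss] Warning: ...");
# indented continuation lines belong to the preceding warning and are not counted.
count_warnings() {
    grep -c -E '^(\[[0-9:]+\] *)?Warning:' || true   # grep exits 1 on zero matches
}

# Build the mail subject from the warning count ($1) and rkhunter's exit status ($2).
mail_subject() {
    if [ "$1" -gt 0 ]; then
        printf 'rkhunter Daily Run (%s): %s warning(s), exit status %s' "$HOST" "$1" "$2"
    else
        printf 'rkhunter Daily Run (%s): no warnings, exit status %s' "$HOST" "$2"
    fi
}

# Run the daily scan; send the full output by mail only when warnings were found.
# Returns rkhunter's own exit status so cron (or a caller) can still see it.
daily_scan() {
    tmp=$(mktemp) || return 1
    "$RKHUNTER" --update >/dev/null 2>&1 || true    # refresh data files; result not needed here
    "$RKHUNTER" --cronjob --report-warnings-only >"$tmp" 2>&1
    status=$?
    n=$(count_warnings <"$tmp")
    if [ "$n" -gt 0 ]; then
        /bin/mail -s "$(mail_subject "$n" "$status")" "$MAILTO" <"$tmp"
    fi
    rm -f "$tmp"
    return "$status"
}

# Uncomment to run the scan from /etc/cron.daily/rkhunter.sh:
# daily_scan
```

With --report-warnings-only the scan prints nothing on a clean run, so this keeps the daily mailbox free of empty reports while still delivering every warning.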