How to Install and Configure Rootkit Hunter on Ubuntu/Debian

Rkhunter (Rootkit Hunter) is a tool that scans the system for rootkits, backdoors, and possible local exploits. It is a free and open-source security tool that runs on Linux and Unix-like systems. Rkhunter is a powerful tool that can help you detect and prevent potential security threats on your system. In this article, we will show you how to install and configure Rkhunter on Ubuntu/Debian.

Step 1: Update the System

Before installing Rkhunter, it is important to update the system to the latest version. To update the system, run the following commands:

$ sudo apt update
$ sudo apt upgrade

Step 2: Install Rkhunter

To install Rkhunter, run the following command:

$ sudo apt install rkhunter

This will install Rkhunter and its dependencies on your system.

Step 3: Configure Rkhunter

After installing Rkhunter, you need to configure it to scan your system for potential threats. To do this, you need to edit the Rkhunter configuration file.

$ sudo nano /etc/rkhunter.conf

This will open the Rkhunter configuration file in the Nano text editor.

Step 4: Set the Required Options

In the Rkhunter configuration file, you need to set the following options:

  • CRON_DAILY_RUN="true": enables the daily scan.
  • MAIL_ON_WARNING="your_email@example.com": the email address that receives warning notifications.
  • UPDATE_MIRRORS=1: enables automatic mirror updates.
  • ALLOW_SSH_ROOT_USER=no: covers the SSH root login check; set it to no so that root logins over SSH are reported.
  • ALLOW_PAM_BAD_PASSWORDS=no: covers the PAM bad-password check; set it to no.
  • WEB_SERVER=nginx: names the web server (Apache or nginx) that the scan should cover.

After setting the required options, save and close the Rkhunter configuration file.

Step 5: Update Rkhunter Database

Before running the Rkhunter scan, you need to update its database of known rootkits and malware. To do this, run the following command:

$ sudo rkhunter --update

This will update the Rkhunter database on your system.

Step 6: Run Rkhunter Scan

To run the Rkhunter scan, run the following command:

$ sudo rkhunter --check

This will scan your system for potential rootkits and malware.

Step 7: Review the Rkhunter Report

After the Rkhunter scan is complete, you need to review the Rkhunter report to identify any potential threats. The Rkhunter report is located in the following file:

/var/log/rkhunter.log

Open the Rkhunter report using the following command:

$ sudo nano /var/log/rkhunter.log

This will open the Rkhunter report in the Nano text editor.

Review the Rkhunter report to identify any potential threats. If you find any potential threats, you need to investigate them further.

Step 8: Automate Rkhunter Scans

To make sure that your system is continuously scanned for potential security threats, you can automate Rkhunter scans using a cron job. To do this, follow the steps below:

  1. Open the crontab file using the following command:

    $ sudo crontab -e
  2. Add the following line to the crontab file:

    0 0 * * * /usr/bin/rkhunter --check --cronjob --report-warnings-only

    This will run Rkhunter daily at midnight and only report warnings. Adjust the timing (the first two numbers) as needed.

  3. Save and close the crontab file.

Now, Rkhunter will run daily scans on your system and send reports to the email address specified in the Rkhunter configuration file.
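Once the cron job is in place, the log at /var/log/rkhunter.log is what you review each day (Steps 7 and 8 above). The following shell script is an added example, not part of the original article or of rkhunter itself: it pulls the distinct Warning lines out of the log and reads the "Possible rootkits" figure from the run summary. The sample log it runs against is constructed for the example and is not a real scan result; the default log path is the Debian one.

```sh
#!/bin/sh
# Added example, not part of the original article: summarise the warnings
# that rkhunter wrote to its log, so the daily cron mail can be triaged at a
# glance. Assumes the Debian default log path /var/log/rkhunter.log, which
# the first argument overrides.

# Print each distinct "Warning:" line once, without the "[HH:MM:SS] " prefix.
# grep exits 1 when nothing matches and 2 when the file is missing; both
# simply mean "no warnings", hence the trailing "|| true".
rkhunter_warnings() {
    logfile="${1:-/var/log/rkhunter.log}"
    grep 'Warning:' "$logfile" 2>/dev/null \
        | sed 's/^\[[0-9:]*] *//' \
        | sort -u || true
}

# Number of distinct warnings; 0 when there are none or the log is absent.
rkhunter_warning_count() {
    rkhunter_warnings "$1" | grep -c . || true
}

# The "Possible rootkits:" figure from the end-of-run summary (empty if the
# summary is missing, for example because the run was interrupted).
rkhunter_possible_rootkits() {
    sed -n 's/.*Possible rootkits: *\([0-9][0-9]*\).*/\1/p' \
        "${1:-/var/log/rkhunter.log}" 2>/dev/null | tail -n 1
}

# Constructed sample log in rkhunter's format (not a real scan result).
sample_log="$(mktemp)"
cat > "$sample_log" <<'EOF'
[10:30:01] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[10:30:01]   Checking for hidden files and directories    [ Warning ]
[10:30:01] Warning: Hidden directory found: /etc/.java
[10:30:02] Warning: Hidden directory found: /etc/.java
[10:30:03] System checks summary
[10:30:03] =====================
[10:30:03]     Rootkits checked : 497
[10:30:03]     Possible rootkits: 0
EOF

echo "Distinct warnings: $(rkhunter_warning_count "$sample_log")"
rkhunter_warnings "$sample_log"
echo "Possible rootkits: $(rkhunter_possible_rootkits "$sample_log")"
rm -f "$sample_log"
```

Warnings that turn out to be benign should not be filtered out in a script like this; record them in /etc/rkhunter.conf instead (SCRIPTWHITELIST for a command that is legitimately a script, ALLOWHIDDENDIR for a known hidden directory), and run rkhunter --propupd after package upgrades so the file-property checks are re-baselined against the new binaries.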

Conclusion

Rkhunter is an effective instrument for identifying and thwarting potential security risks on your system. In this article, we have shown you how to install and configure Rkhunter on Ubuntu/Debian. We have also shown you how to run Rkhunter scans and review the Rkhunter report. Finally, we have shown you how to automate Rkhunter scans using a cron job. By following these steps, you can keep your system secure and protected from potential security threats.

Alternative Solutions for Rootkit Detection

While Rkhunter is a valuable tool, it’s important to remember that no single security solution is foolproof. Relying solely on one method can leave your system vulnerable. Here are two alternative approaches to rootkit detection and system integrity monitoring on Ubuntu/Debian systems.

1. Using AIDE (Advanced Intrusion Detection Environment)

AIDE is a host-based intrusion detection system (HIDS) that creates a database of file attributes on your system at a known-good state. It then periodically compares the current state of your system against this baseline. Any discrepancies – changes in file size, modification time, permissions, or content (using cryptographic hashes) – are flagged as potential intrusions.

Why AIDE?

AIDE excels at detecting unauthorized modifications to critical system files, including those often targeted by rootkits. Unlike Rkhunter, which actively scans for known signatures, AIDE focuses on changes to your system’s baseline, making it effective against even previously unknown rootkits.

Installation and Configuration:

  1. Installation:

    sudo apt install aide
  2. Initial Database Creation: The first time you run AIDE, it will create the initial database. It’s crucial to ensure your system is clean before running this.

    sudo aide --init
    sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  3. Configuration (aide.conf): The configuration file, usually located at /etc/aide/aide.conf, defines which directories and files AIDE should monitor, and what attributes to check. You’ll need to carefully configure this file to balance thoroughness with performance. Here is a short example configuration:

    database=file:/var/lib/aide/aide.db.gz
    database_out=file:/var/lib/aide/aide.db.new.gz
    verbose=5
    
    # Rule groups used below; these names are not built in, so define them:
    # p=permissions i=inode n=link count u=owner g=group s=size m=mtime c=ctime
    AIDE_DEFAULT = p+i+n+u+g+s+m+c+sha256
    # Logs grow and rotate, so check only ownership, permissions and links
    AIDE_LOG = p+u+g+n
    
    /etc AIDE_DEFAULT
    /usr AIDE_DEFAULT
    /var/log AIDE_LOG

    In this example, /etc and /usr are monitored using AIDE_DEFAULT, which includes a comprehensive set of attributes (permissions, ownership, timestamps, hashes). /var/log is monitored using AIDE_LOG, which might exclude content hashes to reduce false positives due to legitimate log file changes.

  4. Running AIDE Checks:

    sudo aide --check

    This command compares the current system state against the database. Any changes will be reported. If legitimate changes are made (e.g., system updates), you’ll need to update the AIDE database:

    sudo aide --update
    sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  5. Automating AIDE: Use cron to schedule regular AIDE checks. A daily check is a common practice. Add a line similar to this to root's crontab (opened with sudo crontab -e, as in Step 8), so that sudo is not needed inside the job itself:

    0 2 * * * /usr/bin/aide --check
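A bare aide --check in cron loses the report as soon as the mail is deleted and leaves the exit status unexplained. The wrapper below is an added example, not code from the article or from the AIDE project: it keeps every report under a timestamped name, decodes AIDE's exit status (a bit mask: 1 = entries added, 2 = removed, 4 = changed; 14 and above are errors rather than findings), and deliberately never copies the new database over the baseline, which is the step that must stay manual. AIDE_BIN and AIDE_REPORT_DIR are names assumed for this example.

```sh
#!/bin/sh
# Added example, not code from the article or the AIDE project: a wrapper for
# the scheduled "aide --check" that keeps every report under a timestamped
# name and decodes AIDE's exit status. AIDE returns a bit mask: 1 = entries
# added, 2 = entries removed, 4 = entries changed (so 5 means added and
# changed); 14 and above signal an error, not a finding. AIDE_BIN and
# AIDE_REPORT_DIR are names assumed for this example.

# Turn an AIDE exit status into words ("ok", "added changed", "error", ...).
aide_exit_meaning() {
    code="$1"
    if [ "$code" -eq 0 ]; then
        echo "ok"
        return 0
    fi
    if [ "$code" -ge 14 ]; then
        echo "error"
        return 0
    fi
    out=""
    [ $((code & 1)) -ne 0 ] && out="$out added"
    [ $((code & 2)) -ne 0 ] && out="$out removed"
    [ $((code & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
    return 0
}

# Run the check, keep the report and hand AIDE's own status back so that cron
# (or a mail hook) sees it. The new database is deliberately not copied over
# the baseline here: accept it by hand only after the report has been read.
run_aide_check() {
    aide_bin="${AIDE_BIN:-/usr/bin/aide}"
    report_dir="${AIDE_REPORT_DIR:-/var/log/aide}"
    mkdir -p "$report_dir"
    report="$report_dir/aide-check-$(date +%Y%m%d-%H%M%S).log"
    status=0
    "$aide_bin" --check > "$report" 2>&1 || status=$?
    echo "aide exit $status: $(aide_exit_meaning "$status"); report: $report"
    return "$status"
}

# Demonstration of the decoder alone (running this file needs no AIDE).
for code in 0 1 5 7 17; do
    echo "exit $code -> $(aide_exit_meaning "$code")"
done
```

Saved as, say, /usr/local/sbin/aide-check.sh (an assumed path), the cron line becomes 0 2 * * * /usr/local/sbin/aide-check.sh; the non-zero exit on any change keeps cron's mail behaviour, and the reports directory gives you the history needed to tell a one-off package upgrade from a file that keeps changing.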

Important Considerations for AIDE:

  • Initial Clean State: The AIDE database must be created when the system is known to be clean. Otherwise, you’ll be basing your checks on a potentially compromised state.
  • Configuration Complexity: Configuring aide.conf requires careful consideration of which files and attributes to monitor. Overly broad monitoring can lead to excessive false positives.
  • Database Management: Properly updating the database after legitimate system changes is crucial to avoid unnecessary alerts.

2. Using Lynis

Lynis is another security auditing tool, but it operates differently from both Rkhunter and AIDE. Instead of focusing solely on rootkits or file integrity, Lynis performs a comprehensive security audit of your system. It checks for security vulnerabilities, configuration weaknesses, and compliance issues, offering suggestions for hardening your system. While not strictly a rootkit detector, Lynis can uncover security gaps that rootkits might exploit.

Why Lynis?

Lynis provides a broader security assessment than Rkhunter. By identifying potential vulnerabilities, it helps prevent rootkit infections in the first place. Its comprehensive nature makes it a valuable addition to a layered security approach.

Installation and Usage:

  1. Installation:

    sudo apt install lynis
  2. Running a System Audit:

    sudo lynis audit system

    Lynis will perform a thorough scan of your system, displaying its findings on the terminal. It will provide warnings, suggestions, and links to further information.

  3. Reviewing the Report: Lynis generates a detailed report (usually located in /var/log/lynis.log or similar). Carefully review this report to identify potential security weaknesses and implement the recommended hardening measures.

Example Lynis Output (snippet):

[+] Vulnerability scan

  - Test: PAM configuration
    Result: Found PAM configuration files.
    Suggestion: Review PAM configuration files for any weaknesses.

  - Test: Kernel hardening
    Result: Some kernel hardening measures are not enabled.
    Suggestion: Enable kernel hardening options to improve system security.

[+] Hardening suggestions

  - Suggestion: Consider using a firewall to restrict network access.
  - Suggestion: Implement strong password policies.

Important Considerations for Lynis:

  • Informational Output: Lynis generates a large amount of output. It’s important to understand the meaning of each finding and prioritize remediation efforts.
  • Focus on Prevention: Lynis is primarily a preventative tool. It identifies vulnerabilities that could be exploited, rather than directly detecting existing rootkits.
  • Regular Audits: Schedule regular Lynis audits (e.g., monthly) to stay informed about the security posture of your system.
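Reading the full Lynis output every month quickly becomes a chore; what matters is which warnings and suggestions are new since the last audit. Besides the human-readable log, Lynis writes a machine-readable file, /var/log/lynis-report.dat, with lines such as warning[]=TEST-ID|description|details|solution| and suggestion[]=... plus hardening_index=NN. The script below is an added example, not part of the article or of Lynis: it extracts the findings, counts them, reads the hardening index, and diffs two reports. The sample report contents are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the original article or of Lynis: pull the
# machine-readable findings out of Lynis's report file so monthly audits can
# be compared instead of re-read in full. Lynis writes
# /var/log/lynis-report.dat with lines such as
#   warning[]=TEST-ID|description|details|solution|
#   suggestion[]=TEST-ID|description|details|solution|
#   hardening_index=65
# The sample data below is constructed for this example.

# Print "TEST-ID: description" for every entry of KIND (warning|suggestion).
lynis_findings() {
    kind="$1"
    report="${2:-/var/log/lynis-report.dat}"
    grep "^${kind}\[]=" "$report" 2>/dev/null \
        | cut -d= -f2- \
        | awk -F'|' '{ print $1 ": " $2 }' \
        | sort -u || true
}

# Number of distinct findings of KIND (0 if none or the file is missing).
lynis_count() {
    lynis_findings "$1" "$2" | grep -c . || true
}

# Hardening index (0-100) reported by Lynis; empty if absent.
lynis_hardening_index() {
    sed -n 's/^hardening_index=\([0-9][0-9]*\).*/\1/p' \
        "${1:-/var/log/lynis-report.dat}" 2>/dev/null | tail -n 1
}

# Findings of KIND present in NEW_REPORT but absent from OLD_REPORT.
lynis_new_findings() {
    kind="$1"; old="$2"; new="$3"
    old_tmp="$(mktemp)"; new_tmp="$(mktemp)"
    lynis_findings "$kind" "$old" > "$old_tmp"
    lynis_findings "$kind" "$new" > "$new_tmp"
    comm -13 "$old_tmp" "$new_tmp"
    rm -f "$old_tmp" "$new_tmp"
}

# Constructed sample: last month's and this month's report.dat.
work="$(mktemp -d)"
printf '%s\n' 'lynis_version=3.0.8' \
  'warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|' \
  'suggestion[]=BOOT-5122|Set a password on GRUB boot loader|-|-|' \
  'hardening_index=65' > "$work/old.dat"
printf '%s\n' 'warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|' \
  'warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|' \
  'hardening_index=70' > "$work/new.dat"

echo "warnings: $(lynis_count warning "$work/new.dat"), index: $(lynis_hardening_index "$work/new.dat")"
echo "new warnings since last audit:"
lynis_new_findings warning "$work/old.dat" "$work/new.dat"
rm -rf "$work"
```

Keep a dated copy of lynis-report.dat after each scheduled audit and feed the previous and current copies to lynis_new_findings; a falling hardening index or a freshly appearing warning is what deserves attention, and lynis show details TEST-ID prints the background for any test ID the diff surfaces.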

By combining Rkhunter with AIDE or Lynis, you create a more robust and comprehensive security strategy for your Ubuntu/Debian systems. Remember that security is a continuous process, not a one-time fix. Regularly review your security tools, update your systems, and stay informed about emerging threats.
