Install and Use chkrootkit on Debian 12 | Easy Security Scanner Tool

This tutorial shows you how to install and use chkrootkit on Debian 12. chkrootkit is a free, open-source shell script that checks a Linux host for signs of known rootkits: strings planted in system binaries, processes and network listeners that are hidden from ps and netstat, deleted wtmp and lastlog entries, and suspicious kernel modules. A rootkit is malicious software that an attacker installs after compromising a system in order to hide their presence (files, processes, connections) and keep privileged access.

You can follow this guide on the Orcacore website to install chkrootkit and use it from the Debian command line.

How To Install and Use chkrootkit on Debian 12 Bookworm?

To install and use chkrootkit on Debian 12 Bookworm, you need root access to your server (or sudo). You can also visit the Orcacore guide on Initial Server Setup with Debian 12 Bookworm.

Step 1 – Install chkrootkit on Debian 12

First, you must run the system update by using the following command:

apt update

The chkrootkit package is available in the default Debian 12 repository, so you can install it with:

apt install chkrootkit -y

Then, verify your chkrootkit installation by checking its version:

chkrootkit -V
**Output**
chkrootkit version 0.57

Step 2 – How To Use chkrootkit Security Scanner Tool?

At this point, you will learn the basic usage of chkrootkit on Debian 12 Bookworm.

You can list all available tests by using the following command:

chkrootkit -l

In your output you will see:

**Output**
/usr/sbin/chkrootkit: tests: aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write

Now you can scan your server with the command below. Run it as root: several tests (promiscuous interfaces, loadable kernel modules, the comparison of ps output with /proc) give incomplete results otherwise.

chkrootkit
**Output**
ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `biff'...                                          not found
Checking `chfn'...                                          not infected
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
...

The -q option runs the same tests in quiet mode: the "not infected" and "not found" lines are suppressed and only findings are printed, so an empty result means a clean run. This is the form you want in a scheduled job:

chkrootkit -q
**Example Output**
/usr/lib/libreoffice/share/.registry

WARNING: output from chkwtmp:
1 deletion(s) between Mon Aug 16 02:35:57 2021 and Mon Aug 16 02:41:05 2021

Read such output critically. The first line comes from the `aliens' test, which reports hidden directories (names starting with a dot) in system locations; LibreOffice legitimately keeps its registry there, so on a host with LibreOffice installed this is noise, but the same test would flag a hidden directory an attacker dropped into /usr/lib or /dev. The chkwtmp warning means login records appear to be missing from /var/log/wtmp between the two timestamps. Rootkit installers commonly clean wtmp to erase the attacker's login, but log rotation and crashes produce the same symptom, so compare the window with the rotation times of wtmp before treating it as tampering.

The -r option does not mean "scan this directory"; it tells chkrootkit to use the given path as the root directory instead of `/'. Its purpose is offline examination: boot a clean rescue system, mount the suspect disk, and point chkrootkit at the mount point, so the tests read the suspect host's binaries and logs without running that host's possibly trojaned ps, netstat or ls. With the suspect root filesystem mounted at /mnt (an example path):

chkrootkit -r /mnt

You can also have the daily result mailed to an administrator. The Debian package already ships a cron job, /etc/cron.daily/chkrootkit, which is disabled by default; enable it by editing its configuration file (on newer package versions the file lives at /etc/chkrootkit/chkrootkit.conf; check with ls /etc/chkrootkit*):

vi /etc/chkrootkit.conf

And change the line below as shown:

RUN_DAILY="true"

The same file holds RUN_DAILY_OPTS (the options passed to the daily run, "-q" by default, so only findings are reported) and DIFF_MODE; with DIFF_MODE="true" the job reports only output that differs from the last accepted run, which avoids an identical mail every morning. cron sends the output to the local root user, so make sure root's mail is forwarded to a mailbox somebody reads (for example via /etc/aliases) and that a working mail transfer agent is installed. When you are done, save and close the file.

If you would rather write your own job, for example to send the full report to an external address, create a script in /etc/cron.daily. The file name must not contain a dot (run-parts silently skips a file called chkrootkit.sh) and the script must be executable:

vi /etc/cron.daily/chkrootkit-mail

Add the following lines:

#!/bin/sh
# Full chkrootkit run mailed to the address below; needs an MTA and a
# mail command (bsd-mailx or mailutils) on the host.
chkrootkit 2>&1 | /bin/mail -s "chkrootkit daily run ($(hostname))" example@email.com

Then make it executable:

chmod 755 /etc/cron.daily/chkrootkit-mail

This scans the server daily and reports the results to your email address.
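The job below is an added example written for this page; it is not the page's own script and not part of the chkrootkit package. It puts the quiet-mode and diff workflow described above into a form you can inspect and test: run chkrootkit -q, drop findings already verified as benign (the LibreOffice hidden directory is used as the one constructed noise pattern), compare the rest with the output accepted on an earlier run, and print a report only for new lines. The state directory /var/lib/chkrootkit-diff, the script name chkrootkit-diff and the SCANNER/STATE_DIR override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page or of the chkrootkit project:
# a daily job that runs chkrootkit in quiet mode, drops findings you have
# already verified as benign, compares the rest with the output accepted on
# a previous run and reports only what is new. The state directory, the
# noise pattern and the script name are assumptions chosen for this example.

SCANNER="${SCANNER:-chkrootkit}"          # overridable for testing

# filter_noise [FILE]: remove blank lines and findings accepted as benign on
# this host. Add a pattern only after verifying the finding by hand.
filter_noise() {
    grep -v -E \
        -e '^$' \
        -e '^/usr/lib/libreoffice/share/\.registry$' \
        "$@" || true                      # grep exits 1 when nothing remains
}

# new_findings CURRENT EXPECTED: lines of CURRENT that are not in EXPECTED.
# A missing EXPECTED file means every finding is new.
new_findings() {
    cur=$(mktemp) && exp=$(mktemp) || return 1
    sort -u "$1" > "$cur"
    [ -f "$2" ] && sort -u "$2" > "$exp"
    comm -23 "$cur" "$exp"
    rm -f "$cur" "$exp"
}

# run_scan OUTFILE: quiet scan, filtered, captured to OUTFILE
run_scan() {
    "$SCANNER" -q 2>&1 | filter_noise > "$1"
}

# daily_check: exit 0 when nothing new, 1 (with a report on stdout) otherwise.
# The accepted output lives in $STATE_DIR/expected.txt and is only replaced
# by hand after review, never automatically.
daily_check() {
    state="${STATE_DIR:-/var/lib/chkrootkit-diff}"
    mkdir -p "$state"
    today="$state/today.txt"
    run_scan "$today"
    new=$(new_findings "$today" "$state/expected.txt")
    [ -z "$new" ] && return 0
    printf 'chkrootkit on %s reported new findings:\n%s\n\n' "$(uname -n)" "$new"
    printf 'Review %s; if all of it is benign, copy it to %s/expected.txt\n' \
        "$today" "$state"
    return 1
}

# Installed as /etc/cron.daily/chkrootkit-diff (executable, no dot in the name,
# otherwise run-parts ignores it). cron mails stdout to root, so nothing is
# sent when the report is empty.
if [ "$(basename "$0")" = "chkrootkit-diff" ]; then
    daily_check
fi
```

Install it as /etc/cron.daily/chkrootkit-diff with mode 755; because cron only sends mail when a job writes output, a clean run is silent. The accepted output is never updated automatically: after reviewing a report and confirming it is benign, copy today.txt over expected.txt yourself. If the script did that on its own, a rootkit that showed up once would be silently accepted on the next run.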

For more information, you can visit chkrootkit’s official site.

Conclusion

At this point, you have learned to install and use chkrootkit on Debian 12 Bookworm and to run it on a schedule. Hope you enjoy it.


Alternative Solutions for Rootkit Detection on Debian 12

While chkrootkit is a useful tool for detecting rootkits, it is essential to understand its limitations. Its tests look for fixed strings and file names of rootkits that were known when the release was made, and it runs on the live host using that host's own ps, netstat, ls and related binaries; a rootkit that has replaced those binaries, or a kernel-level rootkit that filters what /proc and the system calls return, can hide from it. A new or customised rootkit will not match any of its patterns at all. Running it from a clean system with -r helps with the first problem but not the second, so chkrootkit should be one check among several rather than the only one.

Here are two alternative approaches to rootkit detection on Debian 12 that complement it:

1. Using rkhunter (Rootkit Hunter)

rkhunter (Rootkit Hunter) is another popular open-source rootkit scanner for Linux systems. Unlike chkrootkit, which mainly searches system binaries for known rootkit strings and compares process and network views, rkhunter performs a wider range of checks, including:

  • File Property Checks: Records the hash, size, permissions, owner and modification time of important system files in a local baseline (created with rkhunter --propupd) and reports any later change; on Debian it can also verify files against the installed packages (PKGMGR=DPKG in rkhunter.conf).
  • Rootkit Signature Checks: Scans for the files, directories and strings of known rootkits.
  • Suspicious File Properties: Checks for hidden files and directories, unusual permissions, and commands that have been replaced by scripts.
  • Listening Ports and Processes: Identifies listening ports and processes associated with backdoors, plus processes hidden from ps.
  • System Configuration: Flags settings such as SSH root login, changes to the passwd and group files, and suspicious entries in startup files.

Installation and Usage of rkhunter on Debian 12:

  1. Installation:

    Install rkhunter using apt:

    apt update
    apt install rkhunter -y
  2. Update the Database and Record a Baseline:

    Before running a scan, update rkhunter's data files of known rootkit signatures (this needs outbound HTTP access; the Debian package can also let cron do it, see step 5):

    rkhunter --update

    Then record the properties of the system files as they are now. Do this on a freshly installed, trusted system; a baseline taken from an already compromised host only enshrines the compromise:

    rkhunter --propupd
  3. Run a Scan:

    Perform a rootkit scan:

    rkhunter --check --sk

    The --check option initiates the scan, and the --sk (skip keypress) option suppresses the "Press ENTER to continue" prompt between test groups, which you need for automated scans.

  4. Review the Logs:

    rkhunter generates detailed logs that you should review for any warnings or suspicious findings. The log file is usually located at /var/log/rkhunter.log.

    less /var/log/rkhunter.log
  5. Automated Scanning (Cron Job):

    The Debian package installs /etc/cron.daily/rkhunter, which is controlled by /etc/default/rkhunter. Set these variables there to get a daily check, a daily data-file update, and an automatic --propupd after apt installs or upgrades packages (without the last one, every package upgrade that changes a monitored binary produces a flood of file-property warnings until you run rkhunter --propupd yourself):

    CRON_DAILY_RUN="true"
    CRON_DB_UPDATE="true"
    APT_AUTOGEN="true"

    Note that APT_AUTOGEN also means a trojaned binary delivered through a compromised package would be accepted into the baseline; apt's signature verification of the archive is what protects you there.

    If you prefer your own schedule, edit root's crontab instead:

    crontab -e

    Add a line like this to run rkhunter daily:

    0 3 * * * /usr/bin/rkhunter --check --sk --report-warnings-only

    This will run rkhunter at 3:00 AM every day and only print warnings; cron mails that output to root and sends nothing when the scan is clean.
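Step 4 tells you to read /var/log/rkhunter.log. The helpers below, an added example rather than code from rkhunter or from the original page, turn that into something scriptable: list the distinct warnings, extract the paths from file-property warnings, and look up which Debian package owns each path, since an unowned binary under /usr/bin or /usr/sbin deserves far more attention than a package file that changed after an upgrade. The log lines follow the "[HH:MM:SS] Warning: ..." shape rkhunter writes, but the sample log embedded in write_sample_log is constructed for this example, and the dpkg lookup is only meaningful on the scanned host.

```shell
#!/bin/sh
# Added example, not code from the rkhunter project or from the original page:
# triage helpers for /var/log/rkhunter.log. Lines in that log look like
# "[HH:MM:SS] Warning: ..." with the details of a file-property warning on the
# following "File: /path" lines. The sample log written by write_sample_log is
# constructed for this example.

# rkhunter_warnings LOG: each distinct warning text, timestamps stripped
rkhunter_warnings() {
    sed -n 's/^\[[0-9:]*\] *Warning: //p' "$1" | sort -u
}

# rkhunter_warning_count LOG: number of distinct warnings
rkhunter_warning_count() {
    rkhunter_warnings "$1" | wc -l | tr -d ' '
}

# rkhunter_changed_files LOG: paths named on "File:" lines (file-property
# warnings), one per line, de-duplicated
rkhunter_changed_files() {
    sed -n 's/^\[[0-9:]*\] *File: *\([^ ]*\).*/\1/p' "$1" | sort -u
}

# rkhunter_owning_packages LOG: "<package> <path>" for every changed file, or
# "UNOWNED <path>" when no installed package claims it. Needs dpkg, so it is
# only meaningful on the scanned Debian host; follow up with "dpkg -V <package>".
rkhunter_owning_packages() {
    rkhunter_changed_files "$1" | while IFS= read -r f; do
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -n "$pkg" ]; then
            printf '%s %s\n' "$pkg" "$f"
        else
            printf 'UNOWNED %s\n' "$f"
        fi
    done
}

# write_sample_log FILE: a constructed log with two file-property warnings and
# a hidden-directory warning repeated by two test groups
write_sample_log() {
    cat > "$1" <<'EOF'
[03:00:01] Info: Starting file properties checks
[03:00:05] Warning: The file properties have changed:
[03:00:05]          File: /usr/bin/ls
[03:00:05]          Current hash: 1111
[03:00:05]          Stored hash : 2222
[03:00:06] Warning: The file properties have changed:
[03:00:06]          File: /usr/sbin/sshd
[03:00:07] Warning: Hidden directory found: /etc/.java
[03:00:08] Warning: Hidden directory found: /etc/.java
EOF
}

# Run "sh rkhunter-triage.sh demo" to see the helpers on the sample log;
# on a real host use: rkhunter_owning_packages /var/log/rkhunter.log
if [ "${1:-}" = "demo" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    echo "distinct warnings: $(rkhunter_warning_count "$log")"
    rkhunter_warnings "$log"
    echo "changed files:"
    rkhunter_changed_files "$log"
    rm -f "$log"
fi
```

On the sample log the helpers report two distinct warnings and two changed files (/usr/bin/ls and /usr/sbin/sshd). On a real host, a path that dpkg -S cannot attribute to any package, or one whose package fails dpkg -V, is the line to escalate; a path owned by a package you upgraded yesterday usually just needs rkhunter --propupd.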

Advantages of rkhunter:

  • More comprehensive checks than chkrootkit.
  • File integrity checks help detect rootkits that modify system binaries.
  • Regular database updates keep the scanner up-to-date with the latest rootkit signatures.

Disadvantages of rkhunter:

  • Can generate false positives, especially file-property warnings after package upgrades, which require careful review of the logs and a fresh --propupd.
  • Requires more configuration and maintenance than chkrootkit.

2. Behavior-Based Intrusion Detection Systems (IDS)

A host-based intrusion detection system takes a different approach: instead of searching for the fingerprints of particular rootkits, it records what the system looks like (file hashes, listening ports, process lists) and raises an alert when that picture changes or when log events match its rules. A rootkit nobody has written a signature for still has to change files, hide a process or open a port, and those changes are what a HIDS notices. It is not, however, a guarantee against an attacker who tampers with the agent itself or with the kernel underneath it.

Example: Using OSSEC (Open Source HIDS SECurity)

OSSEC is a Host-based Intrusion Detection System (HIDS) that performs log analysis, file integrity monitoring, rootkit detection, and real-time alerting.

Installation and Configuration of OSSEC on Debian 12:

  1. Installation:

    OSSEC is not in the Debian 12 archive, so a plain apt install reports that no such package exists. Either build it from the upstream source release (download the tarball from the OSSEC project, unpack it and run its install.sh, which asks for the installation type; choose "local" for a single host that acts as both server and agent, the setup this example assumes) or configure a third-party OSSEC package repository first and then install from it, using the package name that repository provides:

    apt update
    apt install ossec-hids -y
  2. Configuration:

    OSSEC's configuration file is located at /var/ossec/etc/ossec.conf. You need to configure the server and agent settings according to your needs. This includes specifying which files and directories to monitor for changes, configuring log analysis rules, and setting up alerting mechanisms.

    Here is a simplified example configuration snippet for /var/ossec/etc/ossec.conf (the syscheck interval sits directly under <syscheck>, and rootcheck is switched on with <disabled>no</disabled> and pointed at the rootkit databases the install ships under /var/ossec/etc/shared):

    <ossec_config>
      <global>
        <email_notification>yes</email_notification>
        <email_to>example@email.com</email_to>
        <smtp_server>localhost</smtp_server>
        <email_from>ossec@localhost</email_from>
      </global>

      <syscheck>
        <frequency>3600</frequency>
        <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      </syscheck>

      <rootcheck>
        <disabled>no</disabled>
        <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
        <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
      </rootcheck>
    </ossec_config>

    This configuration enables email notifications (OSSEC requires email_from as well as email_to), sets up file integrity monitoring to hash /etc, /usr/bin and /usr/sbin every hour (3600 seconds; the upstream default is 79200, so lower it only if the host can spare the I/O), and enables rootcheck, which looks for known rootkit files and trojaned binaries and, by default, also for hidden processes and ports. The email address, the smtp_server value and the hourly interval are placeholders to adapt.

  3. Start and Manage OSSEC:

    A source install is driven by the ossec-control script rather than by a systemd unit of its own:

    /var/ossec/bin/ossec-control start

    install.sh registers OSSEC to start at boot; confirm that every daemon is running with:

    /var/ossec/bin/ossec-control status

    If you installed from a package that ships a systemd unit, use systemctl with the unit name that package provides instead (for example, systemctl enable --now followed by that unit name).
  4. Review Alerts:

    OSSEC generates alerts based on its configuration and the events it detects. You can review these alerts in the OSSEC logs, which are typically located at /var/ossec/logs/alerts/alerts.log.

Advantages of OSSEC:

  • Real-time monitoring and alerting.
  • Detects changes and hidden objects rather than matching signatures, so it can flag rootkits it has no specific knowledge of.
  • Centralized log management and analysis.
  • Scalable to monitor multiple hosts.

Disadvantages of OSSEC:

  • More complex to install and configure than chkrootkit or rkhunter.
  • Requires more resources (CPU, memory, disk space).
  • Can generate a large number of alerts, requiring careful tuning to reduce false positives.

By combining chkrootkit with rkhunter and a HIDS such as OSSEC, you get a layered approach: two independent signature scanners, a file-property baseline, and continuous change monitoring. None of them is reliable against a kernel-level rootkit on its own, so take the baselines (rkhunter --propupd, OSSEC syscheck) from a known-clean state and scan a suspect host offline with chkrootkit -r when the tools disagree.
