Atlantic.Net Blog

Detect Linux Security Holes and Rootkits with Rkhunter on Ubuntu 20.04

Rkhunter (Rootkit Hunter) is a command-line utility that scans the local system for rootkits, backdoors, and possible local exploits. It also checks for hidden files, wrong permissions on binaries, suspicious strings in kernel modules, and many other potential security problems. Rkhunter works by comparing local files with hashes in an online database, and it scans a Linux system to find out whether the server is infected by any rootkits.

In this tutorial, we will show you how to install and use Rkhunter to scan and detect security holes in Ubuntu 20.04.

Prerequisites

  • A fresh Ubuntu 20.04 VPS on the Atlantic.Net Cloud Platform
  • A root password configured on your server

Step 1 – Create an Atlantic.Net Cloud Server

First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Ubuntu 20.04 as the operating system with at least 1GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.

Once you are logged in to your Ubuntu 20.04 server, run the following command to update your base system with the latest available packages.

apt-get update -y

Step 2 – Install Rkhunter

Rkhunter is available in the default Ubuntu 20.04 repository. You can install it with the following command:

apt-get install rkhunter -y

You will be asked to set up a mail server, as shown below:

Click on the OK button. You will be asked to choose a local or Internet mail server as shown below:

Choose your desired mail server and click on the OK button. You will be asked for a hostname as shown below:

Type localhost and click on the OK button to finish the installation.

Now, verify the installed version of Rkhunter with the following command:

rkhunter --version

You should get the following output:

Rootkit Hunter 1.4.6

Step 3 – Configure Rkhunter

Before the first scan, you will need to configure Rkhunter. You can do this by editing the file /etc/rkhunter.conf:

nano /etc/rkhunter.conf

Change the following lines so that rkhunter --update can fetch its data files from the mirrors (the Ubuntu package ships with WEB_CMD="/bin/false", which blocks downloads):

UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""

Save and close the file when you are finished.

Next, you will need to edit the file /etc/default/rkhunter, which the package's daily cron job reads, to set up regular scans and database updates automatically:

nano /etc/default/rkhunter

Change the following lines:

CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"

Save and close the file when you are finished.

Next, run the following command to check the configuration for errors:

rkhunter -C
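As an added example (not code from the tutorial), the following script applies the Step 3 settings from the shell instead of in nano, which is handy when provisioning several servers. It assumes the stock Ubuntu file layout (/etc/rkhunter.conf and /etc/default/rkhunter, the file read by the package's cron job); the function names set_kv, get_kv and apply_rkhunter_config are chosen here. Each edit replaces an existing active line or appends the setting, so running the script twice leaves no duplicates.

```shell
#!/bin/sh
# Added example (not code from the Atlantic.Net tutorial): apply the Step 3
# settings to rkhunter's two configuration files idempotently, so re-running
# the script never leaves duplicate lines, then let rkhunter check the result.
set -eu

# set_kv FILE KEY VALUE
# Replace the active "KEY=..." line in FILE with KEY=VALUE. If the key is
# absent, or present only as a commented-out default, append it instead.
# VALUE must not contain '|' or '&' (both are special to the sed below).
set_kv() {
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp)
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
        # Copy back with cat so the mode and owner of a file in /etc survive.
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY: print the last active value of KEY (empty if unset).
get_kv() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# apply_rkhunter_config [CONF] [DEFAULTS]: the edits from Step 3.
apply_rkhunter_config() {
    conf=${1:-/etc/rkhunter.conf}
    defaults=${2:-/etc/default/rkhunter}
    # Ubuntu ships WEB_CMD="/bin/false", which silently disables --update;
    # clearing it and enabling the mirrors lets the data files be refreshed.
    set_kv "$conf" UPDATE_MIRRORS 1
    set_kv "$conf" MIRRORS_MODE 0
    set_kv "$conf" WEB_CMD '""'
    # /etc/default/rkhunter is sourced by /etc/cron.daily/rkhunter.
    set_kv "$defaults" CRON_DAILY_RUN '"true"'
    set_kv "$defaults" CRON_DB_UPDATE '"true"'
    set_kv "$defaults" APT_AUTOGEN '"true"'
}

# Run with "apply" on the server itself: edits /etc and validates the config.
if [ "${1:-}" = apply ]; then
    apply_rkhunter_config
    rkhunter -C
fi
```

Run it as `sh apply-rkhunter.sh apply` as root; without the argument it only defines the functions, so it can be sourced and tested against copies of the files first.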

Step 4 – Update the Database

Rkhunter relies on text data files (lists of known-bad program names, backdoor ports, and suspicious strings) that it compares against the system, so you will need to update these data files first. You can update them with the following command:

rkhunter --update

You should get the following output:

[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
Checking file mirrors.dat                                  [ Updated ]
Checking file programs_bad.dat                             [ No update ]
Checking file backdoorports.dat                            [ No update ]
Checking file suspscan.dat                                 [ No update ]
Checking file i18n/cn                                      [ Skipped ]
Checking file i18n/de                                      [ Skipped ]
Checking file i18n/en                                      [ No update ]
Checking file i18n/tr                                      [ Skipped ]
Checking file i18n/tr.utf8                                 [ Skipped ]
Checking file i18n/zh                                      [ Skipped ]
Checking file i18n/zh.utf8                                 [ Skipped ]
Checking file i18n/ja                                      [ Skipped ]

Next, record the current properties of the system's files (the baseline that later scans are compared against) by running the following command:

rkhunter --propupd

You should get the following output:

[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 179 files, found 135

Step 5 – Start a System Check with Rkhunter

At this point, Rkhunter is installed and configured. Now, run a scan of your system with the following command:

rkhunter --check

The scan walks through each group of checks and prints a result for every test; the full report is also written to /var/log/rkhunter.log. Press Enter when prompted to move from one group to the next, or add --skip-keypress (-sk) to avoid the prompts.

If you want to display only warning messages in the output, run the following command:

rkhunter --check --rwo

You should get the following output:

Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Suspicious file types found in /dev:
/dev/shm/PostgreSQL.613016838: data
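The two warnings above are typical first-run results: the SSH one means sshd_config allows root login while rkhunter's ALLOW_SSH_ROOT_USER says it should not, and the /dev one is PostgreSQL's shared-memory segment. Neither should be whitelisted blindly. As an added example (not code from the tutorial), the script below parses --rwo output into a short triage list that a nightly job can act on; ALLOWDEVFILE and ALLOW_SSH_ROOT_USER are real rkhunter.conf options, while the sample text and the function names (warning_count, dev_files, ssh_mismatch, triage) are constructed here.

```shell
#!/bin/sh
# Added example, not code from the Atlantic.Net tutorial: turn the output of
# "rkhunter --check --rwo" into a triage list so warnings from a nightly run
# are reviewed rather than ignored. The sample warning text is constructed
# from the two warnings shown in Step 5.
set -eu

# Sample --rwo output, constructed for this example.
sample_rwo() {
    cat <<'EOF'
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Suspicious file types found in /dev:
/dev/shm/PostgreSQL.613016838: data
EOF
}

# Number of warnings in --rwo output read from stdin (0 is not an error).
warning_count() {
    grep -c '^Warning:' || true
}

# Paths reported under "Suspicious file types found in /dev:" (stdin).
dev_files() {
    sed -n 's|^\(/dev/[^:]*\):.*|\1|p'
}

# "sshd=<value> rkhunter=<value>" if the SSH root-login check mismatched.
ssh_mismatch() {
    awk -F': ' '
        /^SSH configuration option .PermitRootLogin/ { s = $2 }
        /^Rkhunter configuration option .ALLOW_SSH_ROOT_USER/ { r = $2 }
        END { if (s != "" && r != "") print "sshd=" s " rkhunter=" r }'
}

# triage FILE: one action line per warning; returns 1 if any warning was seen,
# so a cron wrapper can fail loudly instead of exiting 0.
triage() {
    input=$1
    n=$(warning_count < "$input")
    if [ "$n" -eq 0 ]; then
        echo "rkhunter: no warnings"
        return 0
    fi
    echo "rkhunter: $n warning(s)"
    mismatch=$(ssh_mismatch < "$input")
    if [ -n "$mismatch" ]; then
        echo "ACTION ssh: $mismatch. Prefer 'PermitRootLogin no' in sshd_config;"
        echo "            otherwise set ALLOW_SSH_ROOT_USER to match in /etc/rkhunter.conf."
    fi
    dev_files < "$input" | while IFS= read -r path; do
        case $path in
            /dev/shm/PostgreSQL.*)
                # PostgreSQL's shared-memory file: benign only if PostgreSQL is
                # expected on this host. ALLOWDEVFILE accepts wildcards.
                echo "REVIEW dev: $path looks like PostgreSQL shared memory;"
                echo "            if expected, add ALLOWDEVFILE=/dev/shm/PostgreSQL.* to /etc/rkhunter.conf" ;;
            *)
                echo "INVESTIGATE dev: $path (check with 'file' and 'ls -l' before whitelisting)" ;;
        esac
    done
    return 1
}

# On a real host: run the check non-interactively and triage its warnings.
if [ "${1:-}" = run ] && command -v rkhunter >/dev/null; then
    report=$(mktemp)
    rkhunter --check --cronjob --rwo > "$report" || true   # non-zero exit means warnings
    triage "$report"
fi
```

Invoked as `sh rkhunter-triage.sh run` from cron, the script exits non-zero whenever warnings remain, which is what you want a scheduler or alerting hook to key on; without the argument it only defines the functions.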

Step 6 – Set Up Email Notifications

It is also recommended to enable email notifications so that Rkhunter sends an email in case a threat is found on your system.

nano /etc/rkhunter.conf

Change the following line, replacing the address with the one that should receive the reports (admin@example.com is a placeholder):

MAIL-ON-WARNING=admin@example.com

Save and close the file when you are finished.

Conclusion

Congratulations! You have successfully installed and configured Rkhunter on an Ubuntu 20.04 server. I hope you can now easily find backdoors and malware with Rkhunter. We also recommend that after making any changes to your system (such as installing or upgrading packages), you run the rkhunter --propupd command so that the stored file properties match the new binaries and are not reported as warnings. Try out Rkhunter on dedicated server hosting from Atlantic.Net!
