Atlantic.Net Blog

Detect Linux Security Holes and Rootkits with Rkhunter on Ubuntu 20.04

Hitesh Jethva
by Atlantic.Net (178posts) under Dedicated Server Hosting
0 Comments

Rkhunter is a command-line utility used to scan the local system for rootkits, backdoors, and possible local exploits. It also scans for hidden files, wrong permissions set on binaries, suspicious strings in kernel, and many more potential security problems. Rkhunter works by comparing local files with hashes in an online database. It scans the Linux systems to find out if the server is infected by any rootkits.

In this tutorial, we will show you how to install and use Rkhunter to scan and detect security holes in Ubuntu 20.04.

Prerequisites

  • A fresh Ubuntu 20.04 VPS on the Atlantic.Net Cloud Platform
  • A root password configured on your server

Step 1 – Create an Atlantic.Net Cloud Server

First, log in to your Atlantic.Net Cloud Server.  Create a new server, choosing Ubuntu 20.04 as the operating system with at least 1GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.

Once you are logged in to your Ubuntu 20.04 server, run the following command to update your base system with the latest available packages.

apt-get update -y

Step 2 – Install Rkhunter

By default, Rkhunter is available in the Ubuntu 20.04 default repository. You can install it with the following command:

apt-get install rkhunter -y

You will be asked for a Mail server setup as shown below:

Click on the OK button. You will be asked to choose a local or Internet mail server as shown below:

Choose your desired mail server and click on the OK button. You will be asked for a hostname as shown below:

Type localhost and click on the OK button to finish the installation.

Now, verify the installed version of Rkhunter with the following command:

rkhunter --version

You should get the following output:

Rootkit Hunter 1.4.6

Step 3 – Configure Rkhunter

Before starting, you will need to configure Rkhunter to scan your system. You can configure it by editing the file /etc/rkhunter.conf:

nano /etc/rkhunter.conf

Change the following lines:

UPDATE_MIRRORS=1

MIRRORS_MODE=0
WEB_CMD=""

Save and close the file when you are finished.

Next, you will need to create /etc/default/rkhunter.conf file to setup regular scans and updates automatically with a cron job.

nano /etc/default/rkhunter.conf

Change the following lines:

CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"

Save and close the file when you are finished.

Next, run the following command to verify any configuration errors:

rkhunter -C

Step 4 – Update the Database

Rkhunter uses text data files to find suspicious activities on the system, so you will need to update the text data file first. You can update it with the following command:

rkhunter --update

You should get the following output:

[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
Checking file mirrors.dat                                  [ Updated ]
Checking file programs_bad.dat                             [ No update ]
Checking file backdoorports.dat                            [ No update ]
Checking file suspscan.dat                                 [ No update ]
Checking file i18n/cn                                      [ Skipped ]
Checking file i18n/de                                      [ Skipped ]
Checking file i18n/en                                      [ No update ]
Checking file i18n/tr                                      [ Skipped ]
Checking file i18n/tr.utf8                                 [ Skipped ]
Checking file i18n/zh                                      [ Skipped ]
Checking file i18n/zh.utf8                                 [ Skipped ]
Checking file i18n/ja                                      [ Skipped ]

Next, update the Rkhunter data file with the current value by running the following command:

rkhunter --propupd

You should get the following output:

[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 179 files, found 135

Step 5 – Start a System Check with Rkhunter

At this point, Rkhunter is installed and configured. Now, perform the test scan against your system with the following command:

rkhunter --check

You should get the following output:

If you want to display only warning messages in the output, run the following command:

rkhunter --check --rwo

You should get the following output:

Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Suspicious file types found in /dev:
/dev/shm/PostgreSQL.613016838: data

Step 6 – Setup Email Notifications

It is also recommended to enable email notifications so that Rkhunter sends an email in case a threat is found on your system.

nano /etc/rkhunter.conf

Change the following line:

[email protected]

Save and close the file when you are finished.

Conclusion

Congratulations! You have successfully installed and configured Rkhunter on Ubuntu 20.04 server. I hope you can now easily find backdoors and malware with Rkhunter. We also recommend that after making any changes in your system, run rkhunter –propupd command to update rkhunter to the new file properties. Try out Rkhunter on dedicated server hosting from Atlantic.Net!

Get A Free To Use Cloud VPS

Free Tier Includes:
G3.2GB Cloud VPS Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year


Looking for a Hosting Solution?

We Provide Cloud, Dedicated, & Colocation.

  • Seven Global Data Center Locations.
  • Flexible Private, Public, & Hybrid Hosting.
  • 24x7x365 Security, Support, & Monitoring.
Contact Us Now! Med Tech Award FTC
SOC Audit HIPAA Audit HITECH Audit

Recent Posts

Get started with 12 months of free cloud VPS hosting

Free Tier includes:
G3.2GB Cloud VPS Server Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year


New York, NY

100 Delawanna Ave, Suite 1

Clifton, NJ 07014

United States

San Francisco, CA

2820 Northwestern Pkwy,

Santa Clara, CA 95051

United States

Dallas, TX

2323 Bryan Street,

Dallas, Texas 75201

United States

Ashburn, VA

1807 Michael Faraday Ct,

Reston, VA 20190

United States

Orlando, FL

440 W Kennedy Blvd, Suite 3

Orlando, FL 32810

United States

Toronto, Canada

20 Pullman Ct, Scarborough,

Ontario M1X 1E4

Canada

London, UK

14 Liverpool Road, Slough,

Berkshire SL1 4QZ

United Kingdom

Resources