
Scanning for Rootkits with rkhunter


Continuing the series of articles on scanning for rootkits, we now look at installing and configuring rkhunter.

Rkhunter works in much the same way as chkrootkit (see this article), but rkhunter also checks for other types of exploit.


Which one?

Neither rkhunter nor chkrootkit is necessarily better than the other, and the two can easily be run side by side, giving an added layer of defence and peace of mind.

As with chkrootkit, rkhunter is not an active defence. It does not prevent exploits being placed on your Server, but it will inform you if it suspects one is present. Again, as with chkrootkit, if you have been exploited then the only real option is to reinstall from a fresh image.

Installation

Log into your VPS and move to your sources directory:

cd ~/sources

Once there, download the latest version of rkhunter from the SourceForge download area:

wget http://superb-west.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.4.tar.gz

Version 1.3.4 is the latest stable version but do check with the rkhunter home page to see if a newer version is available.

md5sum

Being good sysadmins, we want to check the MD5 checksum of the downloaded file before extracting and installing it.

To compute the MD5 checksum of the downloaded package:

md5sum rkhunter-1.3.4.tar.gz

Compare this with the checksum published on the Debian package list. Make sure you look at the entry for the original upstream tarball and not the diff patch that Debian applies.
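The comparison above is easy to get wrong by eye (a transposed hex digit, or reading the hash of the Debian diff instead of the tarball). The following helper, added here as an example and not part of the original article, computes the checksum and compares it to the value you copied from the listing, so the extract step can be made conditional on a match. It assumes GNU coreutils md5sum and plain /bin/sh; the sample file and hash in the usage comment are constructed. Note that MD5 only protects against a corrupted download, not a deliberate substitution, so where a project publishes GPG signatures those should be checked too.

```shell
#!/bin/sh
# Added example (not from the article): verify a downloaded tarball against a
# checksum copied from a trusted listing such as the Debian package page.
# Assumes GNU coreutils md5sum; uses only POSIX sh features.

# Print the MD5 checksum of a file and nothing else.
md5_of() {
    md5sum "$1" | awk '{ print $1 }'
}

# Return 0 if the file's checksum equals the expected one (case-insensitive),
# 1 if it differs, 2 if the file is missing or unreadable.
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || return 2
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file is $actual, expected $expected" >&2
    return 1
}

# Typical use, with EXPECTED copied from the package listing (a placeholder here):
#   EXPECTED=<checksum from the Debian listing>
#   verify_md5 rkhunter-1.3.4.tar.gz "$EXPECTED" && tar xvfz rkhunter-1.3.4.tar.gz
if [ $# -eq 2 ]; then
    verify_md5 "$1" "$2"
fi
```

Because `verify_md5` returns a distinct status for "mismatch" and "no such file", a wrapper script can tell a bad download from a typo in the filename, and the `&&` form shown in the comment guarantees the tarball is never unpacked unless the check passed.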

Extract

Once happy, extract the source code:

tar xvfz rkhunter-1.3.4.tar.gz

Then move into the newly created directory:

cd rkhunter-1.3.4/

Install

To install the code, simply issue the following command:

sudo ./installer.sh --layout default --install

Docs

At the end of the install a message tells me:

Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information.
Run 'rkhunter' (/usr/local/bin/rkhunter)

Have a read of the main docs:

sudo nano /usr/local/rkhunter/lib/rkhunter/docs/README

I won't go through what it says but do take some time to have a look and see what configurations are available.

Update

First thing is to update the signatures and files rkhunter uses to detect anomalies:

sudo /usr/local/bin/rkhunter --update

Run this at least once, repeating until you get output like this:

Running updater...
 
Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://rkhunter.sourceforge.net
[DB] Mirror file                      : Up to date
[DB] MD5 hashes system binaries       : Up to date
[DB] Operating System information     : Up to date
[DB] MD5 blacklisted tools/binaries   : Up to date
[DB] Known good program versions      : Up to date
[DB] Known bad program versions       : Up to date

Scanning

Let's run it:

sudo /usr/local/bin/rkhunter -c

This runs rkhunter in an interactive mode. In other words, when it gets to the end of a particular scan, you need to press 'enter' to continue.

My scan results were as follows:

---------------------------- Scan results ----------------------------
 
MD5 scan
Scanned files: 0
Incorrect MD5 checksums: 0
 
File scan
Scanned files: 342
Possible infected files: 0
 
Application scan
Vulnerable applications: 0
 
Scanning took 79 seconds
 
-----------------------------------------------------------------------

Which is nice.

If you want to skip the interactive mode, add the -sk option at the end:

sudo /usr/local/bin/rkhunter -c -sk

To see other options available for use:

sudo /usr/local/bin/rkhunter

Configuration

You may have configured your Server in a way that triggers warnings from rkhunter.

Firstly, I would say listen to what it says and decide whether you really need something that is a security risk. Secondly, if you do want to accept the risk, there are ways of configuring rkhunter so that it ignores certain things.

Here's an example. Let's say I ran rkhunter and got this message:

Checking for allowed root login... Watch out Root login possible. Possible risk!
    info: "PermitRootLogin yes" found in file /etc/ssh/sshd_config
    Hint: See logfile for more information about this issue

That's fairly straightforward: I left "PermitRootLogin" set to "yes" in my sshd_config file.

Now we know that's a silly thing to do and it's a nice reminder to tighten up our SSH configuration.

But let's say we do want to enable root logins via SSH but don't want a warning every time we run rkhunter.

Enter /usr/local/etc/rkhunter.conf. Open it up:

sudo nano /usr/local/etc/rkhunter.conf

Scan down until you reach this line:

#ALLOW_SSH_ROOT_USER=0

Uncomment the line and change the 0 to a 1:

ALLOW_SSH_ROOT_USER=1

Now when we run rkhunter there are no highlighted warnings and this message:

Checking for allowed root login...  [ OK (Remote root login permitted by explicit option) ]

Now it says root logins are OK, but specifies why they are OK: you explicitly allowed them.

However, please don't allow root logins. Thanks.
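The two choices in this section are to fix the underlying setting in sshd_config or to tell rkhunter to stop reporting it. The script below, added here as an example and not part of the original article or of rkhunter, scripts both so they can be checked rather than eyeballed: `effective_permit_root_login` reports the value sshd will actually use (the first matching keyword wins, the keyword is case-insensitive and comment lines are ignored), and `set_rkhunter_option` performs the uncomment-and-change edit on rkhunter.conf idempotently, so re-running it never produces a duplicate line. File paths are passed as arguments, so nothing touches /etc or /usr/local unless you point it there; the "Keyword=value" form of sshd_config syntax is not handled, and an absent PermitRootLogin is treated as permitted, which was the OpenSSH default before 7.0.

```shell
#!/bin/sh
# Added example (not from the article or the rkhunter project): helpers for the
# decision described in the Configuration section. Paths are passed in by the
# caller; nothing here edits a system file by default.

# Print the effective PermitRootLogin value from an sshd_config, the way sshd
# reads it: first match wins, keyword is case-insensitive, comment lines
# (first field starting with #) never match. Prints "default" if unset.
# Assumption: "Keyword value" syntax only; "Keyword=value" is not handled.
effective_permit_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-default}"
}

# Return 0 (true) when root may log in over SSH: the value is "yes", or the
# file sets nothing and we assume the pre-OpenSSH-7.0 default of yes.
root_login_permitted() {
    case "$(effective_permit_root_login "$1")" in
        yes|default) return 0 ;;
        *)           return 1 ;;
    esac
}

# Set KEY=VALUE in an rkhunter.conf-style file. An existing assignment, even a
# commented-out one such as "#ALLOW_SSH_ROOT_USER=0", is rewritten in place;
# otherwise the line is appended. Safe to run repeatedly.
set_rkhunter_option() {
    conf="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}=" "$conf"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}=.*|${key}=${value}|" "$conf" > "$conf.tmp" &&
            mv "$conf.tmp" "$conf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# Example decision flow for a given sshd_config and rkhunter.conf (hypothetical paths):
#   if root_login_permitted /etc/ssh/sshd_config; then
#       echo "root login is permitted; either set PermitRootLogin no or whitelist it:"
#       echo "  set_rkhunter_option /usr/local/etc/rkhunter.conf ALLOW_SSH_ROOT_USER 1"
#   fi
```

Running `effective_permit_root_login` before and after an edit to sshd_config is a quick way to confirm that a later `PermitRootLogin no` is not being shadowed by an earlier `yes`, which is exactly the case rkhunter would keep warning about.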

Automation

Lastly, we know that automation and email notification make an administrator's life a lot easier, so now we can add rkhunter to a cron job.

This is straight from the rkhunter website: you need to create a short shell script as follows:

#!/bin/sh
 
( /usr/local/bin/rkhunter --versioncheck                  # report whether a newer rkhunter release exists
/usr/local/bin/rkhunter --update                          # refresh the signature and hash databases
/usr/local/bin/rkhunter --cronjob --report-warnings-only  # non-interactive scan, printing only warnings
) | /usr/bin/mail -s "rkhunter output" admin@yourdomain.com   # mail the combined output of all three

Save the file and call it something like 'rkhunterscript'. Make the file executable:

chmod 750 rkhunterscript

and place it in your local bin folder or in a public bin folder. Now set a root cron job as follows:

sudo crontab -e

My cron job looks like this:

10 3 * * * /home/demo/bin/rkhunterscript -c --cronjob

This will run the script at 3.10am each day. Why 3.10am? Well, I have chkrootkit running at 3.00am, and I'd like that to finish before this one starts.
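The script above mails you every day whether or not anything was found, which makes a real warning easy to miss in the noise, and it has no protection against two scans overlapping if the previous one runs long (the very concern behind the 3.10am choice). The wrapper below, added here as an example and not the article's or rkhunter's own script, keeps a dated log of every run, uses an atomic mkdir as a lock, and only sends mail when rkhunter exits non-zero (which it does when it finds warnings) or the report contains a Warning line. The paths, log directory and lock directory are assumptions; `admin@yourdomain.com` is the placeholder address from the article's script.

```shell
#!/bin/sh
# Added example (not the article's or rkhunter's own script): a cron wrapper
# that logs each run and mails only when something needs attention.
# RKHUNTER, LOGDIR, MAILTO and LOCKDIR are assumed defaults; override them in
# the environment or edit them for your install.

RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
LOGDIR=${LOGDIR:-/var/log/rkhunter-cron}
MAILTO=${MAILTO:-admin@yourdomain.com}
LOCKDIR=${LOCKDIR:-/var/run/rkhunterscript.lock}

# Return 0 when a run needs a human: rkhunter exited non-zero (it does so when
# it finds warnings) or the captured report contains a "Warning" line.
needs_attention() {
    status="$1" report="$2"
    [ "$status" -ne 0 ] && return 0
    grep -q 'Warning' "$report"
}

# One scan, using the same three rkhunter invocations as the article's script.
# Everything is captured to the report file $1; the function returns the exit
# status of the final --cronjob check.
run_scan() {
    report="$1"
    {
        "$RKHUNTER" --versioncheck
        "$RKHUNTER" --update
        "$RKHUNTER" --cronjob --report-warnings-only
    } > "$report" 2>&1
}

main() {
    # mkdir is atomic, so it doubles as a lock against overlapping runs
    # (for instance if the previous night's scan has not finished).
    mkdir "$LOCKDIR" 2>/dev/null || { echo "rkhunterscript: already running" >&2; return 1; }
    trap 'rmdir "$LOCKDIR"' EXIT
    mkdir -p "$LOGDIR"
    report="$LOGDIR/rkhunter-$(date +%Y%m%d-%H%M).log"
    status=0
    run_scan "$report" || status=$?
    if needs_attention "$status" "$report"; then
        mail -s "rkhunter warnings on $(hostname) (exit $status)" "$MAILTO" < "$report"
    fi
    return "$status"
}

# Only start a scan when invoked with --run, so the helpers can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Install it in place of the article's `rkhunterscript` and change the crontab line to `10 3 * * * /home/demo/bin/rkhunterscript --run`; the daily logs under the log directory give you the before-and-after history that is useful when a package upgrade changes a binary's hash.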



© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License



1 Comment

UBUNTU 10:03/4:

It's best to install RKH from the repository, then do:

sudo rkhunter --update
sudo rkhunter --propupd
sudo rkhunter --check --sk

RKH should be the first thing installed after your new server has been updated/upgraded. If you install a different version (newer) than in the repository, you will probably have configuration problems and will have to whitelist some files, or make other changes, before RKH will run without warnings. Some of this behavior relates to certain dynamic files peculiar to cloud servers. But mostly it relates to the fact that YOU SHOULD NEVER INSTALL ANYTHING OUTSIDE OF THE OFFICIAL DISTRO REPOSITORIES. IF YOU DO YOU ARE ASKING FOR IT.

Be aware that any of the following will result in RKHunter "false positives": (1) apt-get upgrade; (2) server image restore; (3) server image move/migration; (4) using /etc/rkhunter.conf; (5) any other operations which change or access system files, or RKH files. So run RKH before and after these operations to see the results. This is important, because if you don't you will never know for certain what caused the warnings. OS upgrades, some app installs, and general tampering may result in a few warnings. Server image restores and migrations will always result in file permissions/change warnings across the board because file inodes will have changed. Editing or accessing the rkhunter.conf file will result in warnings.

Use "sudo rkhunter --check --sk" to run without user intervention (interruption).

After all warnings are abated, run "sudo rkhunter --propupd" to create a new RKH file properties baseline.

It is important to set RKH to run at least once a day, if not more often, and to send emails when warnings are detected. That way you can restore from a recent image if you (heaven forbid) have to. This software is otherwise of no value.

If you understand what's going on with RKH, then you will have no problems, and all warnings (except real ones, heaven forbid) will be easily explainable. If you don't pay close attention to what was previously explained, RKH will give you white hair real quick!!!
