{"id":1125,"date":"2018-10-28T16:49:06","date_gmt":"2018-10-28T13:49:06","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1125"},"modified":"2024-03-11T19:55:45","modified_gmt":"2024-03-11T16:55:45","slug":"how-to-install-rkhunter-rootkit-hunter-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-rkhunter-rootkit-hunter-on-ubuntu-18-04\/","title":{"rendered":"How to Install RKHunter (RootKit Hunter) On Ubuntu 18.04"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install RKHunter (RootKit Hunter) on Ubuntu 18.04. <a href=\"https:\/\/linux.die.net\/man\/8\/rkhunter\" target=\"_blank\" rel=\"noreferrer noopener\">RootKit Hunter<\/a> is a Unix-based shell script that can scan the local system for rootkits, backdoors and possible local exploits. It does this by comparing the SHA-1 hashes of local files with the known-good hashes in an online database.<\/p>\n\n\n\n<p>It can also monitor local system commands, startup files and network interfaces for alterations, as well as listening applications.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing RKHunter On Ubuntu<\/h2>\n\n\n\n<p>The rkhunter package is available in the standard Ubuntu repositories, so we can install it by running the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install rkhunter -y<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Configure and Use RKHunter<\/h2>\n\n\n\n<p>Once the installation is done, you need to configure RKHunter before you can use it to scan your system. Therefore, open the configuration file, <strong class=\"userinput\"><code>\/etc\/rkhunter.conf<\/code><\/strong>, and make the changes shown below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/rkhunter.conf<\/code><\/pre>\n\n\n\n<p>Set the value of <code>UPDATE_MIRRORS<\/code> to 1. 
This ensures that the mirrors file is also checked for updates when rkhunter checks for updated data files with the <strong class=\"userinput\"><code>--update<\/code><\/strong> option.<\/p>\n\n\n\n<p><strong class=\"userinput\"><code>UPDATE_MIRRORS=1<\/code><\/strong><\/p>\n\n\n\n<p>Set the value of <code>MIRRORS_MODE<\/code> to 0. The MIRRORS_MODE option tells rkhunter which mirrors are to be used when the <strong class=\"userinput\"><code>--update<\/code><\/strong> or <strong class=\"userinput\"><code>--versioncheck<\/code><\/strong> command-line options are given. There are three possible values for this;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>0 &#8211; use any mirror<\/li>\n\n\n\n<li>1 &#8211; only use local mirrors<\/li>\n\n\n\n<li>2 &#8211; only use remote mirrors<\/li>\n<\/ul>\n\n\n\n<p><strong class=\"userinput\"><code>MIRRORS_MODE=0<\/code><\/strong><\/p>\n\n\n\n<p>Set the value of <code>WEB_CMD<\/code> to an empty string, <strong>\"\"<\/strong>. This option can be set to a command which rkhunter will use when downloading files from the Internet, that is, when the <code>--versioncheck<\/code> or <code>--update<\/code> option is used. In this case we are not specifying any command.<\/p>\n\n\n\n<p><strong class=\"userinput\"><code>WEB_CMD=\"\"<\/code><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Enable regular scan and updates with cron<\/h3>\n\n\n\n<p>An RKHunter script is installed in the cron.daily directory for regular scans and updates. 
The script is therefore executed every day by cron.<\/p>\n\n\n\n<p>Edit the <strong class=\"userinput\"><code>\/etc\/default\/rkhunter.conf<\/code><\/strong> file and make the following changes.<\/p>\n\n\n\n<p>Enable the rkhunter scan checks to run daily by setting the value of <code>CRON_DAILY_RUN<\/code> to <strong>\"true\"<\/strong>.<\/p>\n\n\n\n<p><strong class=\"userinput\"><code>CRON_DAILY_RUN=\"true\"<\/code><\/strong><\/p>\n\n\n\n<p>Set the value of <code>CRON_DB_UPDATE<\/code> to <strong>true<\/strong> to enable weekly rkhunter database updates.<\/p>\n\n\n\n<p><strong class=\"userinput\"><code>CRON_DB_UPDATE=\"true\"<\/code><\/strong><\/p>\n\n\n\n<p>Set the value of <code>APT_AUTOGEN<\/code> to <strong>true<\/strong> to enable automatic database updates. This ensures that <code><strong>rkhunter --propupd<\/strong><\/code> is run automatically after software updates in order to reduce false positives.<\/p>\n\n\n\n<p><strong class=\"userinput\"><code>APT_AUTOGEN=\"true\"<\/code><\/strong><\/p>\n\n\n\n<p>Once you are done, save the configuration file and quit.<\/p>\n\n\n\n<p>Run the command below to check for any unrecognised configuration options. If any configuration problems are found, they will be displayed and the return code will be set to 1.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rkhunter -C<\/code><\/pre>\n\n\n\n<p>You can also use the <code>--config-check<\/code> option instead of <strong>-C<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Update rkhunter text data files<\/h3>\n\n\n\n<p>After configuring rkhunter, run the command below to update the rkhunter text data files. 
Note that these are the files that rkhunter uses to detect suspicious activity on the system, and thus they should be kept up to date.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rkhunter --update<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n[ Rootkit Hunter version 1.4.6 ]\n\nChecking rkhunter data files...\n  Checking file mirrors.dat                                  [ No update ]\n  Checking file programs_bad.dat                             [ No update ]\n  Checking file backdoorports.dat                            [ No update ]\n  Checking file suspscan.dat                                 [ No update ]\n  Checking file i18n\/cn                                      [ Skipped ]\n  Checking file i18n\/de                                      [ Skipped ]\n  Checking file i18n\/en                                      [ No update ]\n  Checking file i18n\/tr                                      [ Skipped ]\n  Checking file i18n\/tr.utf8                                 [ Skipped ]\n  Checking file i18n\/zh                                      [ Skipped ]\n  Checking file i18n\/zh.utf8                                 [ Skipped ]\n  Checking file i18n\/ja                                      [ Skipped ]\n<\/code><\/pre>\n\n\n\n<p>The <code>i18n\/*<\/code> files are just for localization purposes, so they are not essential for core program functionality. In the output above, <code><strong>i18n\/en<\/strong><\/code> shows that the English strings are already on the system.<\/p>\n\n\n\n<p>Note that it may not be a good idea to run rkhunter with <strong class=\"userinput\"><code>--update<\/code><\/strong> as it poses a security risk. 
Therefore, let your package manager take care of keeping it updated.<\/p>\n\n\n\n<p>You can also check the version of rkhunter by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rkhunter --versioncheck<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>[ Rootkit Hunter version 1.4.6 ]\n\nChecking rkhunter version...\n  This version  : 1.4.6\n  Latest version: 1.4.6<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Set the Security Baseline for your system<\/h3>\n\n\n\n<p>RKHunter compares the current file properties of various system commands against those it has previously stored. To update the rkhunter data file of stored values with the current values, run rkhunter with the <strong class=\"userinput\"><code>--propupd<\/code><\/strong> option. Run this only on a system you believe to be clean, since any tampered files present at that point become part of the trusted baseline.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rkhunter --propupd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>[ Rootkit Hunter version 1.4.6 ]\nFile updated: searched for 180 files, found 147<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Perform System Check<\/h3>\n\n\n\n<p>Now that we are done configuring rkhunter, run the command below to perform a test scan against your system.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rkhunter --check<\/code><\/pre>\n\n\n\n<p>This is the sample output of the command above.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n<strong>...output snipped...<\/strong>\nChecking the network...\n\n  Performing checks on the network ports\n    Checking for backdoor ports                              [ None found ]\n\n  Performing checks on the network interfaces\n    Checking for promiscuous interfaces                      [ None found ]\n\nChecking the local host...\n\n  Performing system boot checks\n    Checking for local host name                             [ Found ]\n    Checking for system startup files                        [ Found ]\n    Checking system startup files for malware                [ 
None found ]\n\n  Performing group and account checks\n    Checking for passwd file                                 [ Found ]\n    Checking for root equivalent (UID 0) accounts            [ None found ]\n    Checking for passwordless accounts                       [ None found ]\n    Checking for passwd file changes                         [ None found ]\n    Checking for group file changes                          [ None found ]\n    Checking root account shell history files                [ OK ]\n\n  Performing system configuration file checks\n    Checking for an SSH configuration file                   [ Found ]\n    Checking if SSH root access is allowed                   [ <strong>Warning<\/strong> ]\n    Checking if SSH protocol v1 is allowed                   [ Not set ]\n    Checking for other suspicious configuration settings     [ None found ]\n    Checking for a running system logging daemon             [ Found ]\n    Checking for a system logging configuration file         [ Found ]\n    Checking if syslog remote logging is allowed             [ Not allowed ]\n\n  Performing filesystem checks\n    Checking \/dev for suspicious file types                  [ None found ]\n    Checking for hidden files and directories                [ <strong>Warning<\/strong> ]\n\n[Press &lt;ENTER&gt; to continue]\n\nSystem checks summary\n=====================\n\nFile properties checks...\n    Files checked: 147\n    Suspect files: 0\n\nRootkit checks...\n    Rootkits checked : 503\n    Possible rootkits: 0\n\nApplications checks...\n    All checks skipped\n\nThe system checks took: 1 minute and 43 seconds\n\nAll results have been written to the log file: \/var\/log\/rkhunter.log\n\nOne or more warnings have been found while checking the system.\nPlease check the log file (\/var\/log\/rkhunter.log)\n<\/code><\/pre>\n\n\n\n<p>As you can see above, there are some warnings, for example <strong>SSH root access is allowed<\/strong>. 
You can then remediate whatever issues rkhunter has found on your system.<\/p>\n\n\n\n<p>To avoid having to press ENTER for every check, you can pass the <strong class=\"userinput\"><code>--sk<\/code><\/strong> or <strong class=\"userinput\"><code>--skip-keypress<\/code><\/strong> option.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rkhunter --check --sk<\/code><\/pre>\n\n\n\n<p>To display warning messages only, use the <strong class=\"userinput\"><code>--rwo<\/code><\/strong> or <strong class=\"userinput\"><code>--report-warnings-only<\/code><\/strong> option.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rkhunter --check --rwo<\/code><\/pre>\n\n\n\n<p>The RKHunter log file is:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/log\/rkhunter.log<\/code><\/pre>\n\n\n\n<p>You may also have noticed warnings about hidden files and directories. To avoid these warnings, you can reconfigure rkhunter to ignore these files by whitelisting them. For example, in my test I found this warning;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Warning: Hidden directory found: <strong>\/etc\/.java<\/strong><\/code><\/pre>\n\n\n\n<p>To whitelist this directory, open the rkhunter config file and uncomment the line <strong><code>#ALLOWHIDDENDIR=\/etc\/.java<\/code><\/strong> so that it looks like;<\/p>\n\n\n\n<p><strong><code>ALLOWHIDDENDIR=\/etc\/.java<\/code><\/strong><\/p>\n\n\n\n<p>If other hidden files or directories are reported, you can uncomment their entries in the rkhunter configuration file in the same way. Verify that each reported file is legitimate before whitelisting it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Email Notifications<\/h3>\n\n\n\n<p>You may also want to send the results via email in case a threat is found on your system. 
To do this, you need to edit the rkhunter configuration file and set the value of <strong><code>MAIL-ON-WARNING<\/code><\/strong> to your email address.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/rkhunter.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>MAIL-ON-WARNING=username@domain<\/code><\/pre>\n\n\n\n<p>Replace <strong>username@domain<\/strong> with your email address.<\/p>\n\n\n\n<p>You can also set the email command to use.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>MAIL_CMD=mail -s \"[rkhunter] Warnings found for ${HOST_NAME}\"<\/code><\/pre>\n\n\n\n<p>Once done, save the configuration file and check for any misconfigurations as shown above.<\/p>\n\n\n\n<p>You will now receive emails if any threat is found on your system. See the example mail below.<\/p>\n\n\n\n<figure class=\"wp-block-image alignnone\"><a href=\"http:\/\/kifarunix.com\/wp-content\/uploads\/2018\/10\/rkhunter-email-notification.png\"><img loading=\"lazy\" decoding=\"async\" width=\"662\" height=\"313\" src=\"http:\/\/kifarunix.com\/wp-content\/uploads\/2018\/10\/rkhunter-email-notification.png\" alt=\"rkhunter-email-notification\" class=\"wp-image-1127\" title=\"\"><\/a><figcaption class=\"wp-element-caption\">rkhunter-email-notification<\/figcaption><\/figure>\n\n\n\n<p>That is all we could cover about how to install RKHunter (RootKit Hunter) on Ubuntu 18.04.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-clamav-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ClamAV on Ubuntu 22.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-nikto-web-scanner-on-rocky-linux-8\/\" target=\"_blank\" 
rel=\"noreferrer noopener\">Install Nikto Web Scanner on Rocky Linux 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install RKHunter (RootKit Hunter) On Ubuntu 18.04. RootKit Hunter is a Unix-based shell script that can scan<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,34],"tags":[217],"class_list":["post-1125","post","type-post","status-publish","format-standard","hentry","category-howtos","category-security","tag-rkhunter","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1125"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=1125"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1125\/revisions"}],"predecessor-version":[{"id":21020,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1125\/revisions\/21020"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=1125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=1125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=1125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}