Rkhunter (Rootkit Hunter) is a program that scans a Linux server for rootkits. Rootkits are installed by attackers so that they keep access to the server after the initial compromise. This document shows how to install Rkhunter on Ubuntu and use it to detect rootkits. Before installing Rkhunter, you must first install some prerequisite packages that it needs in order to work correctly. This can be done using the following command:
apt-get install binutils libreadline5 libruby ruby ssl-cert unhide.rb mailutils
Installing Rkhunter
This utility will be downloaded using wget. If wget is not already installed on your system, then you can enter the following command:
apt-get install wget
After successful installation of wget, you need to download Rkhunter itself. This can be done using the following command:
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
Next, extract the downloaded archive:
tar xzvf rkhunter*
Then go to the Rkhunter directory
cd rkhunter*
Next install Rkhunter
./installer.sh --layout /usr --install
If everything went well, the installer will show the following output:
Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Starting installation:
Checking installation directory "/usr": it exists and is writable.
Checking installation directories:
Directory /usr/share/doc/rkhunter-1.4.2: creating: OK
Directory /usr/share/man/man8: exists and is writable.
Directory /etc: exists and is writable.
Directory /usr/bin: exists and is writable.
Directory /usr/lib: exists and is writable.
Directory /var/lib: exists and is writable.
Directory /usr/lib/rkhunter/scripts: creating: OK
Directory /var/lib/rkhunter/db: creating: OK
Directory /var/lib/rkhunter/tmp: creating: OK
Directory /var/lib/rkhunter/db/i18n: creating: OK
Directory /var/lib/rkhunter/db/signatures: creating: OK
Installing check_modules.pl: OK
Installing filehashsha.pl: OK
Installing stat.pl: OK
Installing readlink.sh: OK
Installing backdoorports.dat: OK
Installing mirrors.dat: OK
Installing programs_bad.dat: OK
Installing suspscan.dat: OK
Installing rkhunter.8: OK
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing ClamAV signatures: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Installation complete
Using Rkhunter
The data files contain what Rkhunter knows about threats (the lists of known bad programs, backdoor ports and suspicious files installed above), so keeping them up to date is essential for the checks to be meaningful. They can be updated with the Rkhunter command:
rkhunter --update
Output like the following will appear:
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
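Since the update is normally run from cron rather than by hand, it helps to have something that reads this output and reports which data files actually changed. The script below is an added example (my own code, not part of the tutorial or of the rkhunter project): it parses the text printed by "rkhunter --update" and returns the names and count of updated files. The sample output embedded in it is constructed to mirror the listing above, and the "[ Update failed ]" pattern is my assumption about how a failed download is reported.

```shell
#!/bin/sh
# Added example, not from the original tutorial: parse the output of
# "rkhunter --update" and report which data files changed, so that a
# cron job can log or mail that information instead of discarding it.
# Function and variable names are my own.

# Constructed sample of what "rkhunter --update" prints (mirrors the
# tutorial's listing; only programs_bad.dat was updated).
SAMPLE_UPDATE_OUTPUT='[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/en [ No update ]'

# updated_files: read update output on stdin and print the name of every
# file flagged "[ Updated ]", one per line.
updated_files() {
    sed -n 's/^Checking file \(.*\) \[ Updated \]$/\1/p'
}

# count_updated TEXT: number of data files flagged as updated in TEXT.
count_updated() {
    printf '%s\n' "$1" | updated_files | wc -l | tr -d ' '
}

# has_update_error TEXT: true (exit 0) when TEXT contains a failed
# download, which should be surfaced to an operator rather than ignored.
# The "[ Update failed ]" marker is an assumption about rkhunter's wording.
has_update_error() {
    printf '%s\n' "$1" | grep -q '\[ Update failed \]'
}

# Demonstration run against the constructed sample.
n=$(count_updated "$SAMPLE_UPDATE_OUTPUT")
echo "data files updated: $n"
printf '%s\n' "$SAMPLE_UPDATE_OUTPUT" | updated_files
if has_update_error "$SAMPLE_UPDATE_OUTPUT"; then
    echo "WARNING: at least one data file failed to download" >&2
fi
```

In a real cron job the sample variable would be replaced by "rkhunter --update 2>&1", captured into a variable and passed to the same functions.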
Enabling email notifications
Rkhunter can be configured to send an email when a threat is detected. To configure this feature, start by opening the rkhunter.conf file:
vi /etc/rkhunter.conf
Search for MAIL-ON-WARNING and set it to your email address. You can scroll through the rest of the configuration for more options if you want; by default everything should work fine. You can then check your config file with:
rkhunter -C
If there is no output, your config file is valid!
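Note that "rkhunter -C" only confirms that the file parses; it does not confirm that a mail address is actually set, so a warning could still go nowhere. The script below is an added example (my own code, not from the tutorial or the rkhunter project) that checks an rkhunter.conf for a non-empty MAIL-ON-WARNING and a MAIL_CMD before the syntax check is run. The two sample config fragments it writes are constructed; function names are my own, and the commented-out default line is my assumption about how the option ships.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify that the mail
# notification options in an rkhunter.conf are really set, since
# "rkhunter -C" only validates syntax.  Names below are my own.

# config_value FILE KEY: print the value of KEY from FILE, skipping
# commented-out lines and stripping quotes around the whole value.
config_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/^"\(.*\)"$/\1/' | tail -n 1
}

# mail_configured FILE: exit 0 when MAIL-ON-WARNING is non-empty and
# MAIL_CMD is set; otherwise report what is missing and exit 1.
mail_configured() {
    rc=0
    addr=$(config_value "$1" 'MAIL-ON-WARNING')
    cmd=$(config_value "$1" 'MAIL_CMD')
    if [ -z "$addr" ]; then
        echo "$1: MAIL-ON-WARNING is not set, warnings will not be mailed" >&2
        rc=1
    fi
    if [ -z "$cmd" ]; then
        echo "$1: MAIL_CMD is not set, no mail command to deliver with" >&2
        rc=1
    fi
    return $rc
}

# write_sample_config FILE MODE: write a constructed rkhunter.conf
# fragment.  MODE "good" sets both mail options; MODE "bad" leaves
# MAIL-ON-WARNING commented out (assumed to be how the option ships).
write_sample_config() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
# constructed sample rkhunter.conf fragment
MAIL-ON-WARNING=admin@example.com
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample rkhunter.conf fragment
#MAIL-ON-WARNING=me@mydomain root@mydomain
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
EOF
    fi
}

# Demonstration: one fragment passes, one fails.
tmpdir=$(mktemp -d)
write_sample_config "$tmpdir/good.conf" good
write_sample_config "$tmpdir/bad.conf" bad
for f in "$tmpdir/good.conf" "$tmpdir/bad.conf"; do
    if mail_configured "$f"; then
        echo "$f: warnings go to $(config_value "$f" MAIL-ON-WARNING)"
    else
        echo "$f: NOT ready for mail notifications"
    fi
done
rm -rf "$tmpdir"

# Only once the real file passes is the syntax check worth running
# (guarded so the script also runs where rkhunter is not installed).
if command -v rkhunter >/dev/null 2>&1 && mail_configured /etc/rkhunter.conf; then
    rkhunter -C
fi
```

Run it on a server after editing /etc/rkhunter.conf; an empty result from "rkhunter -C" together with a passing mail check is the state you want before relying on the notifications.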