How to secure Debian Server 9.X – Scan for malicious items (Rkhunter)

Finally we would like to keep our system clean of any backdoors, rootkits or local exploits. These can happen whenever you pull something (or somebody) to your server. Rkhunter was made to scan for these and compare items with an online database of known items.

Step 1 – Installing Rkhunter

First we will have to download the latest Rkhunter tool. We can find the latest on the website of Rkhunter

Once downloaded, extract the tarbal and start the installation.

In the installer you will see something like this:

Step 2- Updating Rkhunter

Once done, we can update & fill our database with the latest properties

Output will looke like this:

Step 3 – Creating Cronjob and Email alerts

Create a file called rkhunter.sh under /etc/cron.daily/, which then scans your file system every day and sends email notifications to your email id. Create the following file with the help of your favourite editor.

Add the following lines of code to it and replace “YourServerNameHere” with your “Server Name” and “[email protected]” with your “Email Id“.

Set execute permission on the file.

Step 4 – Manually scanning

To scan our server for a first time, or whenever you want run the following command as root.

The above command generates log file under /var/log/rkhunter.log with the checks results made by Rkhunter.

There will probably be some warnings, don’t worry or freak out. It’s possible that Rkhunter finds specific things that are just not in the database, or which it doesn’t like the permissions etc.

Conclusion

Now we have secured our system pretty well, we can say te possibility we get compromised has gone alot smaller. By hardening SSH, setting up a firewall, updating regularly and scanning our system we are all good now!