
How to secure Debian Server 9.X – Scan for malicious items (Rkhunter)
Finally, we would like to keep our system clean of any backdoors, rootkits or local exploits. These can appear whenever you pull something (or somebody) onto your server. Rkhunter was made to scan for these and to compare what it finds with an online database of known items.
Step 1 – Installing Rkhunter
First we will have to download the latest Rkhunter tool. We can find the latest version on the website of Rkhunter.
    cd /tmp
    wget https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
Once downloaded, extract the tarball and start the installation.
    tar -xf rkhunter-1.4.6.tar.gz
    cd rkhunter-1.4.6
    ./installer.sh --layout default --install
In the installer you will see something like this:
    Checking system for:
    Rootkit Hunter installer files: found
    A web file download command: wget found
    Starting installation:
    Checking installation directory "/usr/local": it exists and is writable.
    Checking installation directories:
    Directory /usr/local/share/doc/rkhunter-1.4.6: creating: OK
    Directory /usr/local/share/man/man8: creating: OK
    Directory /etc: exists and is writable.
    Directory /usr/local/bin: exists and is writable.
    Directory /usr/local/lib: exists and is writable.
    Directory /var/lib: exists and is writable.
    Directory /usr/local/lib/rkhunter/scripts: creating: OK
    Directory /var/lib/rkhunter/db: creating: OK
    Directory /var/lib/rkhunter/tmp: creating: OK
    Directory /var/lib/rkhunter/db/i18n: creating: OK
    Directory /var/lib/rkhunter/db/signatures: creating: OK
    Installing check_modules.pl: OK
    Installing filehashsha.pl: OK
    Installing stat.pl: OK
    Installing readlink.sh: OK
    Installing backdoorports.dat: OK
    Installing mirrors.dat: OK
    Installing programs_bad.dat: OK
    Installing suspscan.dat: OK
    Installing rkhunter.8: OK
    Installing ACKNOWLEDGMENTS: OK
    Installing CHANGELOG: OK
    Installing FAQ: OK
    Installing LICENSE: OK
    Installing README: OK
    Installing language support files: OK
    Installing ClamAV signatures: OK
    Installing rkhunter: OK
    Installing rkhunter.conf: OK
    Installation complete
Step 2 – Updating Rkhunter
Once done, we can update the data files and fill our file-properties database with the current values.
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --propupd
Output will look like this:
    [ Rootkit Hunter version 1.4.6 ]

    Checking rkhunter data files...
    Checking file mirrors.dat [ Updated ]
    Checking file programs_bad.dat [ No update ]
    Checking file backdoorports.dat [ No update ]
    Checking file suspscan.dat [ No update ]
    Checking file i18n/cn [ No update ]
    Checking file i18n/de [ No update ]
    Checking file i18n/en [ No update ]
    Checking file i18n/tr [ No update ]
    Checking file i18n/tr.utf8 [ No update ]
    Checking file i18n/zh [ No update ]
    Checking file i18n/zh.utf8 [ No update ]
    Checking file i18n/ja [ No update ]

    [ Rootkit Hunter version 1.4.6 ]

    File created: searched for 176 files, found 128
Step 3 – Creating Cronjob and Email alerts
Create a file called rkhunter.sh under /etc/cron.daily/, which then scans your file system every day and sends email notifications to your email address. Create the following file with the help of your favourite editor. Note that Debian runs the scripts in /etc/cron.daily through run-parts, which skips file names containing a dot, so if the job does not run, drop the .sh suffix and name the file just rkhunter.
    nano /etc/cron.daily/rkhunter.sh
Add the following lines of code to it and replace “PutYourServerNameHere” with your server name and “your@email.com” with your email address.
    #!/bin/sh
    (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com
Set execute permission on the file.
    chmod +x /etc/cron.daily/rkhunter.sh
Step 4 – Manually scanning
To scan our server for the first time, or whenever you want, run the following command as root.
    rkhunter --check
The above command writes a log file to /var/log/rkhunter.log with the results of the checks Rkhunter made.
    cat /var/log/rkhunter.log
There will probably be some warnings; don’t worry or freak out. It’s possible that Rkhunter flags specific things that are simply not in its database, or whose permissions it doesn’t like, etc. After legitimate changes such as package upgrades, rerun rkhunter --propupd so the file-properties check compares against the new versions instead of warning about them every day.
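As an added example that is not part of the original post, the daily job from Step 3 and the log from Step 4 can be combined into a wrapper that mails only when rkhunter actually reported something, with duplicate warnings collapsed. It assumes rkhunter is installed under /usr/local/bin as above, logs to /var/log/rkhunter.log, and exits non-zero when a check produced a warning; the sample log lines inside are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the original post): a cron wrapper around the page's
# rkhunter commands that mails only when warnings were reported, deduplicated.
# Assumes rkhunter in /usr/local/bin, its log at /var/log/rkhunter.log, and a
# non-zero exit status when a check produced a warning.
RKHUNTER=/usr/local/bin/rkhunter
RKLOG=/var/log/rkhunter.log
MAILTO=your@email.com    # placeholder address, replace it
HOST=$(hostname 2>/dev/null || echo unknown-host)

# Keep only "Warning:" lines from an rkhunter log on stdin, strip the
# "[HH:MM:SS]" timestamp prefix and drop repeats while preserving order.
rk_warnings() {
    sed -n -e 's/^\[[0-9:]*\] *//' -e '/^Warning: /p' | awk '!seen[$0]++'
}

# Print the number of unique warnings in the log file given as $1.
rk_warning_count() {
    rk_warnings < "$1" | wc -l | tr -d ' '
}

# Build the mail body for log file $1: a summary line, then the warnings.
rk_report() {
    count=$(rk_warning_count "$1")
    echo "rkhunter on $HOST reported $count unique warning(s)"
    echo
    rk_warnings < "$1"
}

# Daily run: update, scan, and mail only when something needs a human's eyes.
rk_cron() {
    "$RKHUNTER" --versioncheck >/dev/null 2>&1
    "$RKHUNTER" --update >/dev/null 2>&1
    if ! "$RKHUNTER" --cronjob --report-warnings-only >/dev/null 2>&1; then
        rk_report "$RKLOG" | /bin/mail -s "rkhunter Daily Run ($HOST)" "$MAILTO"
    fi
}

# Constructed sample log lines (not real output) to exercise the parser offline.
sample_log() {
cat <<'EOF'
[06:25:01] Info: Starting test name 'filesystem'
[06:25:02] Warning: Hidden directory found: /etc/.java
[06:25:02] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data
[06:25:03] Warning: Hidden directory found: /etc/.java
[06:25:04] Info: End of test name 'filesystem'
EOF
}
# With "--cron" do the real daily run; otherwise show the parser on the sample.
if [ "${1:-}" = "--cron" ]; then rk_cron; else sample_log | rk_warnings; fi
```

Install it in place of the Step 3 script and call it with --cron from the cron entry; without arguments it only prints the parsed warnings from the built-in sample.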
Conclusion
Now that we have secured our system pretty well, we can say the chance of getting compromised has become a lot smaller. By hardening SSH, setting up a firewall, updating regularly and scanning our system, we are all good now!