How to secure Debian Server 9.X – Scan for malicious items (Rkhunter)

Finally we would like to keep our system clean of any backdoors, rootkits or local exploits. These can happen whenever you pull something (or somebody) to your server. Rkhunter was made to scan for these and compare items with an online database of known items.

Step 1 – Installing Rkhunter

First we will have to download the latest Rkhunter tool. We can find the latest on the website of Rkhunter

cd /tmp
wget https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz

1 2	cd /tmp wget https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz

Once downloaded, extract the tarbal and start the installation.

tar -xf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
./installer.sh --layout default --install

tar -xf rkhunter-1.4.6.tar.gz

cd rkhunter-1.4.6

./installer.sh --layout default --install

In the installer you will see something like this:

Checking system for:
  Rootkit Hunter installer files: found
  A web file download command: wget found
 Starting installation:
  Checking installation directory "/usr/local": it exists and is writable.
  Checking installation directories:
   Directory /usr/local/share/doc/rkhunter-1.4.6: creating: OK
   Directory /usr/local/share/man/man8: creating: OK
   Directory /etc: exists and is writable.
   Directory /usr/local/bin: exists and is writable.
   Directory /usr/local/lib: exists and is writable.
   Directory /var/lib: exists and is writable.
   Directory /usr/local/lib/rkhunter/scripts: creating: OK
   Directory /var/lib/rkhunter/db: creating: OK
   Directory /var/lib/rkhunter/tmp: creating: OK
   Directory /var/lib/rkhunter/db/i18n: creating: OK
   Directory /var/lib/rkhunter/db/signatures: creating: OK
  Installing check_modules.pl: OK
  Installing filehashsha.pl: OK
  Installing stat.pl: OK
  Installing readlink.sh: OK
  Installing backdoorports.dat: OK
  Installing mirrors.dat: OK
  Installing programs_bad.dat: OK
  Installing suspscan.dat: OK
  Installing rkhunter.8: OK
  Installing ACKNOWLEDGMENTS: OK
  Installing CHANGELOG: OK
  Installing FAQ: OK
  Installing LICENSE: OK
  Installing README: OK
  Installing language support files: OK
  Installing ClamAV signatures: OK
  Installing rkhunter: OK
  Installing rkhunter.conf: OK
 Installation complete

Checking system for:

Rootkit Hunter installer files: found

A web file download command: wget found

Starting installation:

Checking installation directory "/usr/local": it exists and is writable.

Checking installation directories:

Directory /usr/local/share/doc/rkhunter-1.4.6: creating: OK

Directory /usr/local/share/man/man8: creating: OK

Directory /etc: exists and is writable.

Directory /usr/local/bin: exists and is writable.

Directory /usr/local/lib: exists and is writable.

Directory /var/lib: exists and is writable.

Directory /usr/local/lib/rkhunter/scripts: creating: OK

Directory /var/lib/rkhunter/db: creating: OK

Directory /var/lib/rkhunter/tmp: creating: OK

Directory /var/lib/rkhunter/db/i18n: creating: OK

Directory /var/lib/rkhunter/db/signatures: creating: OK

Installing check_modules.pl: OK

Installing filehashsha.pl: OK

Installing stat.pl: OK

Installing readlink.sh: OK

Installing backdoorports.dat: OK

Installing mirrors.dat: OK

Installing programs_bad.dat: OK

Installing suspscan.dat: OK

Installing rkhunter.8: OK

Installing ACKNOWLEDGMENTS: OK

Installing CHANGELOG: OK

Installing FAQ: OK

Installing LICENSE: OK

Installing README: OK

Installing language support files: OK

Installing ClamAV signatures: OK

Installing rkhunter: OK

Installing rkhunter.conf: OK

Installation complete

Step 2- Updating Rkhunter

Once done, we can update & fill our database with the latest properties

/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd

1 2	/usr/local/bin/rkhunter --update /usr/local/bin/rkhunter --propupd

Output will looke like this:

[ Rootkit Hunter version 1.4.6 ]
 Checking rkhunter data files…
   Checking file mirrors.dat                                  [ Updated ]
   Checking file programs_bad.dat                             [ No update ]
   Checking file backdoorports.dat                            [ No update ]
   Checking file suspscan.dat                                 [ No update ]
   Checking file i18n/cn                                      [ No update ]
   Checking file i18n/de                                      [ No update ]
   Checking file i18n/en                                      [ No update ]
   Checking file i18n/tr                                      [ No update ]
   Checking file i18n/tr.utf8                                 [ No update ]
   Checking file i18n/zh                                      [ No update ]
   Checking file i18n/zh.utf8                                 [ No update ]
   Checking file i18n/ja                                      [ No update ]


 [ Rootkit Hunter version 1.4.6 ]
 File created: searched for 176 files, found 128

[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files…

Checking file mirrors.dat [ Updated ]

Checking file programs_bad.dat [ No update ]

Checking file backdoorports.dat [ No update ]

Checking file suspscan.dat [ No update ]

Checking file i18n/cn [ No update ]

Checking file i18n/de [ No update ]

Checking file i18n/en [ No update ]

Checking file i18n/tr [ No update ]

Checking file i18n/tr.utf8 [ No update ]

Checking file i18n/zh [ No update ]

Checking file i18n/zh.utf8 [ No update ]

Checking file i18n/ja [ No update ]

[ Rootkit Hunter version 1.4.6 ]

File created: searched for 176 files, found 128

Step 3 – Creating Cronjob and Email alerts

Create a file called rkhunter.sh under /etc/cron.daily/, which then scans your file system every day and sends email notifications to your email id. Create the following file with the help of your favourite editor.

nano /etc/cron.daily/rkhunter.sh

1	nano /etc/cron.daily/rkhunter.sh

Add the following lines of code to it and replace “YourServerNameHere” with your “Server Name” and “[email protected]” with your “Email Id“.

!/bin/sh 
( 
/usr/local/bin/rkhunter --versioncheck 
/usr/local/bin/rkhunter --update 
/usr/local/bin/rkhunter --cronjob --report-warnings-only 
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com

!/bin/sh

(

/usr/local/bin/rkhunter --versioncheck

/usr/local/bin/rkhunter --update

/usr/local/bin/rkhunter --cronjob --report-warnings-only

) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com

Set execute permission on the file.

chmod +x /etc/cron.daily/rkhunter.sh

1	chmod +x /etc/cron.daily/rkhunter.sh

Step 4 – Manually scanning

To scan our server for a first time, or whenever you want run the following command as root.

rkhunter --check

1	rkhunter --check

The above command generates log file under /var/log/rkhunter.log with the checks results made by Rkhunter.

cat /var/log/rkhunter.log

1	cat /var/log/rkhunter.log

There will probably be some warnings, don’t worry or freak out. It’s possible that Rkhunter finds specific things that are just not in the database, or which it doesn’t like the permissions etc.

Conclusion

Now we have secured our system pretty well, we can say te possibility we get compromised has gone alot smaller. By hardening SSH, setting up a firewall, updating regularly and scanning our system we are all good now!

Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.