How to Install rkhunter on Ubuntu 16.04

Overview

In this tutorial, we’ll learn how to install rkhunter on ubuntu 16.04. rkhunter (Rootkit Hunter) is an open-source rootkit scanner released under GNU GPL version 2.

Before we go further to install an application that will clean rootkit from our Linux systems, let’s learn what is a rootkit?

According to Techtarget search security

A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system.

Comodo as :

In simple language, ‘rootkit’ is basically a software kit used to get to the root of the computer. In other words, a software kit used to gain admin access to the computer and thereby control it.

While McAffee define rookit as:

A rootkit is a kind of software that conceals malware from standard detection methods.

Having a rootkit scanner installed and periodically scan our system for potential rookit will improve our system security.

Install rkhunter on Ubuntu 16.04

Update apt metadata using command below


sudo apt-get update

Install rkhunter using command below. We use --no-install-recommends option so it will not install Postfix mail server on our systems.

To send scan report we can just directly send our email to email provider that we use or use mail relay like msmtp or ssmtp.


sudo apt-get -y --no-install-recommends install rkhunter

Let’s check version of rkhunter installed on our system. I leave out some output from this command.


rkhunter --version
Rootkit Hunter 1.4.2
...

<a href="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-versioncheck.png"><img class="aligncenter size-full wp-image-1073" src="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-versioncheck.png" alt="rkhunter --version" width="389" height="115"/></a>

Update rkhunter Data

Before we run scan, let’s update rkhunter data


sudo rkhunter --update

rkhunter --update output

Now let’s update file properties database by running the following command


sudo rkhunter --propupd

<a href="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-propupd.png"><img class="aligncenter size-full wp-image-1072" src="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-propupd.png" alt="" width="354" height="52"/></a>

Scan Ubuntu 16.04 for rookit using rkhunter

To scan our systems from rootkit we can pass option -c to rkhunter.


sudo rkhunter -c

It will take some time to finish the scan, we will need to press enter several times for the scan to continue and finish.

Setting rkhunter

Configure Email for Warning

Now let’s configure rkhunter email settings for warning found in scan.

Find line


#MAIL-ON-WARNING=root

Uncomment the line and put the email address that you want to receive warning.


MAIL-ON-WARNING=youremail@yourdomain.com

You can put multiple emails separated by comma. I suggest putting group email instead of individual email so warning notification will be seen by multiple person.

Using group email also ensure warning email not missed when a person leave the team.

Enable rkhunter cron daily run

Open /etc/default/rkhunter. Find line


CRON_DAILY_RUN=""

replace with


CRON_DAILY_RUN="true"

Enable rkhunter weekly database update

Open /etc/default/rkhunter. Find line


CRON_DB_UPDATE=""

Replace it with


CRON_DB_UPDATE="true"

Enable rkhunter automatic database update

Open /etc/default/rkhunter. Find line


APT_AUTOGEN="false"

Change the value to true


APT_AUTOGEN="true"

Install Latest Version of rkhunter

At the time of this writing, the latest version of rkhunter is version 1.4.6. The one shipped with ubuntu 16.04 is version 1.4.2. In this section we’ll learn how to install latest version of rkhunter alongside with the one we already install from Ubuntu repository.

We can download the latest version of rkhunter from sourceforge.

Download rkhunter 1.4.6 using wget


$ wget -c https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz

After download finshed we will have rkhunter-1.4.6.tar.gz file. Let’s extract the file using command below


tar xzf rkhunter-1.4.6.tar.gz

Go to the directory and run install


cd rkhunter-1.4.6
sudo ./installer.sh --install

By default it will install rkhunter on /usr/local.

To see more detailed options of the installer you can run


sudo ./installer.sh --help

Now let’s check rkhunter version installed on our system


sudo rkhunter --versioncheck

<a href="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-versioncheck-after-update.png"><img class="aligncenter size-full wp-image-1074" src="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-versioncheck-after-update.png" alt="rkhunter --versioncheck" width="488" height="101"/></a>

Now we have the latest stable version of rkhunter installed.

Summary

In this tutorial, we learned how to install rkhunter on Ubuntu 16.04. We use both rkhunter from Ubuntu repository and from rkhunter website.

We learn how to configure and run security scan using rkhunter. I hope this tutorial will be useful to make your systems more secure.