How to Install rkhunter on Ubuntu 16.04
Overview
In this tutorial, we’ll learn how to install rkhunter on Ubuntu 16.04. rkhunter (Rootkit Hunter) is an open-source rootkit scanner released under GNU GPL version 2.
Before we go further and install a rootkit scanner on our Linux systems, let’s learn what a rootkit is.
According to TechTarget SearchSecurity:
A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system.
Comodo defines it as:
In simple language, ‘rootkit’ is basically a software kit used to get to the root of the computer. In other words, a software kit used to gain admin access to the computer and thereby control it.
While McAfee defines a rootkit as:
A rootkit is a kind of software that conceals malware from standard detection methods.
Having a rootkit scanner installed and periodically scanning our system for potential rootkits will improve our system security.
Install rkhunter on Ubuntu 16.04
Update the apt metadata using the command below:
sudo apt-get update
Install rkhunter using the command below. We use the --no-install-recommends option so it will not install the Postfix mail server on our system.
To send scan reports, we can send email directly through the email provider that we use, or use a mail relay like msmtp or ssmtp.
sudo apt-get -y --no-install-recommends install rkhunter
Let’s check the version of rkhunter installed on our system. I leave out some output from this command.
rkhunter --version
Rootkit Hunter 1.4.2
...
Update rkhunter Data
Before we run a scan, let’s update the rkhunter data:
sudo rkhunter --update
Now let’s update the file properties database by running the following command:
sudo rkhunter --propupd
Scan Ubuntu 16.04 for rootkits using rkhunter
To scan our system for rootkits, we can pass the -c option to rkhunter.
sudo rkhunter -c
It will take some time to finish the scan. We will need to press Enter several times for the scan to continue and finish.
Setting rkhunter
Configure Email for Warning
Now let’s configure the rkhunter email settings for warnings found during a scan.
Find the line
#MAIL-ON-WARNING=root
Uncomment the line and put in the email address that should receive warnings.
MAIL-ON-WARNING=youremail@yourdomain.com
You can put multiple emails separated by commas. I suggest using a group email instead of an individual email so warning notifications will be seen by multiple people.
Using a group email also ensures warning emails are not missed when a person leaves the team.
Enable rkhunter cron daily run
Open /etc/default/rkhunter. Find the line
CRON_DAILY_RUN=""
Replace it with
CRON_DAILY_RUN="true"
Enable rkhunter weekly database update
Open /etc/default/rkhunter. Find the line
CRON_DB_UPDATE=""
Replace it with
CRON_DB_UPDATE="true"
Enable rkhunter automatic database update
Open /etc/default/rkhunter. Find the line
APT_AUTOGEN="false"
Change the value to true
APT_AUTOGEN="true"
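A check for the settings changed in the steps above, as an added example that is not part of the original tutorial: it reads the two files and reports every setting that is still disabled. The function names and sample files are constructed here, and it assumes MAIL-ON-WARNING lives in /etc/rkhunter.conf, which the tutorial does not name.

```sh
#!/bin/sh
# Added example: audit the rkhunter settings changed in this tutorial.

# conf_value KEY FILE
# Prints the effective value of KEY: the last uncommented KEY=value line,
# with trailing whitespace and surrounding double quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# audit_rkhunter DEFAULTS_FILE CONF_FILE
# Prints one line per finding and returns the number of findings.
audit_rkhunter() {
    findings=0
    for key in CRON_DAILY_RUN CRON_DB_UPDATE APT_AUTOGEN; do
        # Assumption: a value starting with y/Y/t/T counts as enabled.
        case "$(conf_value "$key" "$1")" in
            [YyTt]*) ;;
            *) echo "FAIL $key is not enabled in $1"
               findings=$((findings + 1)) ;;
        esac
    done
    mail=$(conf_value MAIL-ON-WARNING "$2")
    case "$mail" in
        *@*) ;;
        "")  echo "FAIL MAIL-ON-WARNING is unset or commented out in $2"
             findings=$((findings + 1)) ;;
        *)   echo "WARN MAIL-ON-WARNING=$mail is a local user, not an email address"
             findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample files: a host where only the daily run was enabled.
demo_dir=$(mktemp -d)
cat > "$demo_dir/defaults" <<'EOF'
CRON_DAILY_RUN="true"
CRON_DB_UPDATE=""
APT_AUTOGEN="false"
EOF
cat > "$demo_dir/rkhunter.conf" <<'EOF'
#MAIL-ON-WARNING=root
EOF
audit_rkhunter "$demo_dir/defaults" "$demo_dir/rkhunter.conf" ||
    echo "$? finding(s)"
```

On a real host, call it as audit_rkhunter /etc/default/rkhunter /etc/rkhunter.conf; a return value of 0 means all four settings are in place.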
Install Latest Version of rkhunter
At the time of this writing, the latest version of rkhunter is version 1.4.6. The one shipped with Ubuntu 16.04 is version 1.4.2. In this section we’ll learn how to install the latest version of rkhunter alongside the one we already installed from the Ubuntu repository.
We can download the latest version of rkhunter from SourceForge.
Download rkhunter 1.4.6 using wget
wget -c https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
After the download has finished, we will have the rkhunter-1.4.6.tar.gz file. Let’s extract the file using the command below:
tar xzf rkhunter-1.4.6.tar.gz
Go to the directory and run the installer:
cd rkhunter-1.4.6
sudo ./installer.sh --install
By default it will install rkhunter in /usr/local.
To see more detailed options of the installer you can run
sudo ./installer.sh --help
Now let’s check the rkhunter version installed on our system:
sudo rkhunter --versioncheck
Now we have the latest stable version of rkhunter installed.
Summary
In this tutorial, we learned how to install rkhunter on Ubuntu 16.04. We used rkhunter both from the Ubuntu repository and from the rkhunter website.
We learned how to configure and run a security scan using rkhunter. I hope this tutorial will be useful to make your systems more secure.