How to Install rkhunter on Ubuntu 16.04

In this tutorial, we'll learn how to install rkhunter on ubuntu 16.04. rkhunter (Rootkit Hunter) is an open-source rootkit scanner released under GNU GPL version 2.

Overview  

In this tutorial, we’ll learn how to install rkhunter on ubuntu 16.04. rkhunter (Rootkit Hunter) is an open-source rootkit scanner released under GNU GPL version 2.

Before we go further to install an application that will clean rootkit from our Linux systems, let’s learn what is a rootkit?

According to Techtarget search security

A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system.

Comodo as :

In simple language, ‘rootkit’ is basically a software kit used to get to the root of the computer. In other words, a software kit used to gain admin access to the computer and thereby control it.

While McAffee define rookit as:

A rootkit is a kind of software that conceals malware from standard detection methods.

Having a rootkit scanner installed and periodically scan our system for potential rookit will improve our system security.

Install rkhunter on Ubuntu 16.04  

Update apt metadata using command below

sudo apt-get update

Install rkhunter using command below. We use --no-install-recommends option so it will not install Postfix mail server on our systems.

To send scan report we can just directly send our email to email provider that we use or use mail relay like msmtp or ssmtp.

sudo apt-get -y --no-install-recommends install rkhunter

Let’s check version of rkhunter installed on our system. I leave out some output from this command.

rkhunter --version
Rootkit Hunter 1.4.2
...

<a href="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-versioncheck.png"><img class="aligncenter size-full wp-image-1073" src="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-versioncheck.png" alt="rkhunter --version" width="389" height="115"/></a>

Update rkhunter Data  

Before we run scan, let’s update rkhunter data

sudo rkhunter --update

Now let’s update file properties database by running the following command

sudo rkhunter --propupd

<a href="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-propupd.png"><img class="aligncenter size-full wp-image-1072" src="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-propupd.png" alt="" width="354" height="52"/></a>

Scan Ubuntu 16.04 for rookit using rkhunter  

To scan our systems from rootkit we can pass option -c to rkhunter.

sudo rkhunter -c

It will take some time to finish the scan, we will need to press enter several times for the scan to continue and finish.

Setting rkhunter  

Configure Email for Warning  

Now let’s configure rkhunter email settings for warning found in scan.

Find line

#MAIL-ON-WARNING=root

Uncomment the line and put the email address that you want to receive warning.

MAIL-ON-WARNING=[email protected]

You can put multiple emails separated by comma. I suggest putting group email instead of individual email so warning notification will be seen by multiple person.

Using group email also ensure warning email not missed when a person leave the team.

Enable rkhunter cron daily run  

Open /etc/default/rkhunter. Find line

CRON_DAILY_RUN=""

replace with

CRON_DAILY_RUN="true"

Enable rkhunter weekly database update  

Open /etc/default/rkhunter. Find line

CRON_DB_UPDATE=""

Replace it with

CRON_DB_UPDATE="true"

Enable rkhunter automatic database update  

Open /etc/default/rkhunter. Find line

APT_AUTOGEN="false"

Change the value to true

APT_AUTOGEN="true"

Install Latest Version of rkhunter  

At the time of this writing, the latest version of rkhunter is version 1.4.6. The one shipped with ubuntu 16.04 is version 1.4.2. In this section we’ll learn how to install latest version of rkhunter alongside with the one we already install from Ubuntu repository.

We can download the latest version of rkhunter from sourceforge.

Download rkhunter 1.4.6 using wget

wget -c https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz

After download finshed we will have rkhunter-1.4.6.tar.gz file. Let’s extract the file using command below

tar xzf rkhunter-1.4.6.tar.gz

Go to the directory and run install

cd rkhunter-1.4.6
sudo ./installer.sh --install

By default it will install rkhunter on /usr/local.

To see more detailed options of the installer you can run

sudo ./installer.sh --help

Now let’s check rkhunter version installed on our system

sudo rkhunter --versioncheck

<a href="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-versioncheck-after-update.png"><img class="aligncenter size-full wp-image-1074" src="https://www.howtodojo.com/wp-content/uploads/2020/01/rkhunter-versioncheck-after-update.png" alt="rkhunter --versioncheck" width="488" height="101"/></a>

Now we have the latest stable version of rkhunter installed.

Summary  

In this tutorial, we learned how to install rkhunter on Ubuntu 16.04. We use both rkhunter from Ubuntu repository and from rkhunter website.

We learn how to configure and run security scan using rkhunter. I hope this tutorial will be useful to make your systems more secure.