Hi,
Security is always a concern when our servers hold very sensitive data. There are many security enhancement tools for Linux/Unix-based systems; we often go for firewalls and malware detectors. Rkhunter is another tool of that kind, but it is more powerful than most of the others available.
Rkhunter can help us find rootkits, backdoors and other exploits, as well as vulnerable scripts and programs running on the server. Are you familiar with AIDE? Rkhunter uses the same logic as AIDE: it detects file modifications, inspects file permissions, and checks for suspicious file names, kernel modules and so on.
It can be used as an auditing tool when the data is that fragile and we are that concerned about it. I will explain how to install this tool on a cPanel server. You can follow the same method even if your server does not have cPanel installed; the steps are the same.
Install Rkhunter on cPanel servers
- Login to the server as root user.
- Run the following commands on the server to install Rkhunter.
cd /usr
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
tar -zxvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install
The next step is to update the Rkhunter database. This basically copies and saves the current system information (file hashes, permissions and so on). When a modification is made later, the scan compares the live system against this saved information.
Run the below commands to update the database for Rkhunter:
# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd
Output:
Run rkhunter for the first time
We will go for the command mentioned below to run the tool for the first time:
# rkhunter -c
Output:
Automation: add a cronjob to execute Rkhunter
To set a cron job and audit the server on a daily basis, please do the steps below:
nano -w /etc/cron.daily/rkhunter.sh
Paste this text inside:
#!/bin/sh
# Daily rkhunter run: check for a newer release, refresh the data files,
# then scan and mail only the warnings to the address below.
(
  /usr/local/bin/rkhunter --versioncheck
  /usr/local/bin/rkhunter --update
  /usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s "rkhunter Daily Run ($(hostname))" your_address@mail.com
Set file permissions:
# chmod 700 /etc/cron.daily/rkhunter.sh
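To show what the baseline step described above actually does, here is an added toy version of the "save file properties, then compare" logic behind --propupd and the file-properties check. It is example code written for this post, not code from the rkhunter project; the property set (hash, mode, owner, size), the file names and the tampering are all constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Properties the toy baseline records (rkhunter's real set is larger; assumption).
PROPS = ("sha256", "mode", "uid", "gid", "size")

def file_props(path):
    """Properties stored for one file, i.e. what the --propupd step saves."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": oct(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size}

def build_baseline(root):
    """Snapshot every regular file below root, keyed by relative path."""
    return {str(p.relative_to(root)): file_props(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """The check phase: for each file, list which stored properties differ."""
    warnings = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            warnings[rel] = ["missing"]
            continue
        changed = [k for k in PROPS if old[k] != new[k]]
        if changed:
            warnings[rel] = changed
    for rel in current.keys() - baseline.keys():
        warnings[rel] = ["new file"]
    return warnings

def demo(workdir=None):
    """Constructed scenario: take a baseline, then tamper with the tree."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="rkh-demo-"))
    tree, dbfile = workdir / "bin", workdir / "baseline.json"
    tree.mkdir(parents=True, exist_ok=True)
    (tree / "ls").write_bytes(b"original ls binary")
    (tree / "ps").write_bytes(b"original ps binary")
    dbfile.write_text(json.dumps(build_baseline(tree)))  # the --propupd step
    (tree / "ls").write_bytes(b"tampered ls binary")     # same size, new hash
    os.chmod(tree / "ps", 0o4755)                         # setuid bit added
    (tree / ".hidden").write_bytes(b"dropped file")       # unexpected new file
    return compare(json.loads(dbfile.read_text()), build_baseline(tree))
```

Calling demo() returns {"ls": ["sha256"], "ps": ["mode"], ".hidden": ["new file"]}, which is the same kind of per-file warning the daily cron mail reports; it also shows why --propupd must only be re-run after a change has been verified as legitimate.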
That's all. Please note that Rkhunter will not always give perfect information or output; you can also go for AIDE, OSSEC etc. to explore more! Thanks! 🙂