December 1, 2020 / Nirav Shah
Rkhunter (Rootkit Hunter) is a common tool for scanning your system for rootkits and general vulnerabilities.
Step 1: Installing dependencies
$apt-get install binutils libreadline5 libruby ruby ssl-cert unhide.rb mailutils
Step 2: Installing rkhunter
$wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
Untar the download
$tar xzvf rkhunter*
Go to the rkhunter directory
$cd rkhunter*
Install rkhunter
$./installer.sh --layout /usr --install
If the installation completes properly, you will get output like this:
Checking system for:
 Rootkit Hunter installer files: found
 A web file download command: wget found
Starting installation:
 Checking installation directory "/usr": it exists and is writable.
 Checking installation directories:
  Directory /usr/share/doc/rkhunter-1.4.2: creating: OK
  Directory /usr/share/man/man8: exists and is writable.
  Directory /etc: exists and is writable.
  Directory /usr/bin: exists and is writable.
  Directory /usr/lib: exists and is writable.
  Directory /var/lib: exists and is writable.
  Directory /usr/lib/rkhunter/scripts: creating: OK
  Directory /var/lib/rkhunter/db: creating: OK
  Directory /var/lib/rkhunter/tmp: creating: OK
  Directory /var/lib/rkhunter/db/i18n: creating: OK
  Directory /var/lib/rkhunter/db/signatures: creating: OK
 Installing check_modules.pl: OK
 Installing filehashsha.pl: OK
 Installing stat.pl: OK
 Installing readlink.sh: OK
 Installing backdoorports.dat: OK
 Installing mirrors.dat: OK
 Installing programs_bad.dat: OK
 Installing suspscan.dat: OK
 Installing rkhunter.8: OK
 Installing ACKNOWLEDGMENTS: OK
 Installing CHANGELOG: OK
 Installing FAQ: OK
 Installing LICENSE: OK
 Installing README: OK
 Installing language support files: OK
 Installing ClamAV signatures: OK
 Installing rkhunter: OK
 Installing rkhunter.conf: OK
Installation complete
Step 3: Check the rkhunter version
$rkhunter --update
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter data files...
  Checking file mirrors.dat [ No update ]
  Checking file programs_bad.dat [ Updated ]
  Checking file backdoorports.dat [ No update ]
  Checking file suspscan.dat [ No update ]
  Checking file i18n/cn [ No update ]
  Checking file i18n/de [ No update ]
  Checking file i18n/en [ No update ]
  Checking file i18n/tr [ No update ]
  Checking file i18n/tr.utf8 [ No update ]
  Checking file i18n/zh [ No update ]
  Checking file i18n/zh.utf8 [ No update ]
We are now ready to perform our first test. After the test, we can see the errors and warnings in the log file:
$cat /var/log/rkhunter.log
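An added example, not part of the original post: a small shell helper that pulls only the flagged items and their "Warning:" detail lines out of the log instead of reading the whole file. The function names and the sample log lines are constructed for illustration and assume the log's usual "[time] item [ result ]" layout.

```shell
#!/bin/sh
# Added example: triage of an rkhunter log file (function names are illustrative).

# Names of the checks or files whose result column reads [ Warning ].
rkh_flagged() {
    sed -n 's/^\[[0-9:]*] *\(.*[^ ]\) *\[ Warning ]$/\1/p' "$1"
}

# The "Warning: ..." detail lines, with the [HH:MM:SS] timestamp removed.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*] *\(Warning: .*\)$/\1/p' "$1"
}

# Number of flagged items, as a bare integer.
rkh_flagged_count() {
    rkh_flagged "$1" | wc -l | tr -d ' '
}

# Print a short report; return 1 if anything was flagged, 0 if the log is
# clean, so the function can gate a cron job or a monitoring check.
rkh_triage() {
    n=$(rkh_flagged_count "$1")
    if [ "$n" -gt 0 ]; then
        echo "$n item(s) flagged in $1:"
        rkh_flagged "$1" | sed 's/^/  - /'
        echo "Details:"
        rkh_warnings "$1" | sed 's/^/    /'
        return 1
    fi
    echo "no warnings in $1"
    return 0
}

# Constructed sample log (not output from a real scan), so this runs offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[10:15:30]   /usr/bin/awk                                    [ OK ]
[10:15:32]   /usr/bin/lwp-request                            [ Warning ]
[10:15:32] Warning: The command '/usr/bin/lwp-request' has been replaced by a script
[10:16:01]   Checking for hidden files and directories       [ Warning ]
[10:16:01] Warning: Hidden directory found: /etc/.java
[10:16:05]   Checking for passwd file changes                [ None found ]
EOF

rkh_triage "$SAMPLE_LOG" || true
```

On a real system, point rkh_triage at /var/log/rkhunter.log after a scan; each flagged item still needs to be reviewed by hand, since package updates and hidden configuration directories commonly raise warnings.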
Step 4: Enabling email notification
$vi /etc/rkhunter.conf
You can check your configuration file
$rkhunter -C
Conclusion
We learned how to install and use rkhunter for discovering common vulnerabilities in Ubuntu.

Nirav Shah is the Director of Eternal Web Pvt Ltd, an AWS Advanced Consulting Partner and certified Odoo Partner based in the UK. With over a decade of experience in cloud computing, digital transformation, and ERP implementation, Nirav helps enterprises adopt the right technology to solve complex business challenges. He specialises in AWS infrastructure, Odoo ERP, and web development solutions for businesses across the UK and beyond.