RKHunter (Rootkit Hunter) is a tool that scans for rootkits, backdoors and possible local exploits. A rootkit is malicious software that is capable of gaining administrator-level access to a computer or network. It allows attackers to take control of a system without the user knowing it. This post will help you install rkhunter on CentOS.
Install RKHunter on CentOS
cd /usr/local/src
wget https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
tar -zxvf rkhunter-1.4.4.tar.gz
cd rkhunter-1.4.4
./installer.sh --layout default --install
How to check the rkhunter version is up-to-date
root@server [~]# rkhunter --versioncheck
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter version...
This version : 1.4.2
Latest version: 1.4.2
root@server [~]#
Check for updates to database files
root@server [~]# rkhunter --update
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
root@server [~]#
Update the entire file properties database
root@server [~]# rkhunter --propupd
[ Rootkit Hunter version 1.4.2 ]
File created: searched for 172 files, found 145
root@server [~]#
How to set up a daily RKHunter scan
Create a file under the directory “/etc/cron.daily/”
vim /etc/cron.daily/rkhunter.sh
Put the following script into that file.
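#!/bin/bash
# Start each run with a fresh, empty working directory for the scan log
SCAN=/usr/local/src/SCAN
rm -rf "$SCAN"
mkdir "$SCAN"
cd "$SCAN" || exit 1
# -c: run all checks, --sk: do not wait for a keypress, -q: quiet
/usr/local/bin/rkhunter -c --sk -q --summary > "$SCAN/scan-rkhunter.log"
# Mail the part of the summary from "Rootkit checks" to "Suspect applications"
sed -n '/Rootkit checks/,/Suspect applications/p' "$SCAN/scan-rkhunter.log" | mail -s "Rkhunter Scan Report" your@email.com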
Make it executable
chmod +x /etc/cron.daily/rkhunter.sh
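The cron script above mails the summary every day whether or not anything was found. As an added example (not part of the original post or of rkhunter itself), these shell functions read the same summary and put the verdict in the mail subject. The function names and sample text are constructed, and the counters "Suspect files", "Possible rootkits" and "Suspect applications" are assumed to appear in the summary as "label: count" lines.

```shell
# Added example, not part of the original cron script.
# Assumption: the summary contains "Suspect files:", "Possible rootkits:" and
# "Suspect applications:" lines, each followed by a count.

# Reads a summary on stdin and prints "label=count" for every non-zero counter.
# Exit status: 0 = clean, 1 = findings, 2 = counters missing (failed scan or truncated log).
rkhunter_findings() {
    awk -F: '
        /Suspect files|Possible rootkits|Suspect applications/ {
            label = $1; count = $2
            gsub(/^[ \t]+|[ \t]+$/, "", label)   # trim the indentation
            gsub(/[^0-9]/, "", count)            # keep only the digits
            seen++
            if (count == "") { bad = 1 } else if (count + 0 > 0) { printf "%s=%d\n", label, count; hits++ }
        }
        END {
            if (seen < 3 || bad) exit 2
            exit (hits > 0 ? 1 : 0)
        }'
}

# Reads a summary on stdin and prints a mail subject that carries the verdict.
scan_subject() {
    rc=0
    findings=$(rkhunter_findings) || rc=$?
    case $rc in
        0) echo "Rkhunter Scan Report: clean" ;;
        1) echo "Rkhunter Scan Report: WARNING ($(echo "$findings" | paste -sd, -))" ;;
        *) echo "Rkhunter Scan Report: INCOMPLETE (summary counters missing)" ;;
    esac
}

# Constructed sample summaries (not output from a real scan).
SAMPLE_CLEAN='File properties checks...
    Files checked: 145
    Suspect files: 0
Rootkit checks...
    Rootkits checked : 480
    Possible rootkits: 0
Applications checks...
    Applications checked: 4
    Suspect applications: 0'
SAMPLE_DIRTY=$(printf '%s\n' "$SAMPLE_CLEAN" |
    sed -e 's/Suspect files: 0/Suspect files: 2/' -e 's/Possible rootkits: 0/Possible rootkits: 1/')

printf '%s\n' "$SAMPLE_CLEAN" | scan_subject
printf '%s\n' "$SAMPLE_DIRTY" | scan_subject
```

In the cron script, the subject would come from `scan_subject < "$SCAN/scan-rkhunter.log"` and be passed to `mail -s` in place of the fixed string.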
That’s it!