Wednesday, December 9, 2009

Scanning server for malicious tools with rkhunter

SkyHi @ Wednesday, December 09, 2009
rkhunter-log

rkhunter Log

rkhunter (Rootkit Hunter) is a security tool that scans for the presence of rootkits, backdoors and other unwanted tools. Also, it allows additional security scans like: check for wrong file permissions for binaries, MD5 hash compare, look for hidden files and others.

This post provides instructions how to setup and configure rkhunder to run I automatically every day on servers running Linux or Unix.

To install rkhunter, download the latest version from project page. Once the archive is downloaded: extract it and launch the installation script:

<code>tar xvf rkhunter-*.tar.gz
cd rkhunter-*
./installer.sh --layout default --install</code>

After that rebuild rkhunter file properties database:

<code>rkhunter --propupd<br />less /var/log/rkhunter.log</code>

The configuration of this security tool could be done by editing the file /etc/rkhunter.conf. On this file the below parameters should be altered to remind sysadmin about security:

<code>MAIL-ON-WARNING=""<br />ALLOW_SSH_ROOT_USER=without-password<br />ALLOW_SSH_PROT_V1=0</code>

MAIL-ON-WARNING
E-mail a message to this address if a warning is found.

ALLOW_SSH_ROOT_USER and ALLOW_SSH_PROT_V1
Check if SSH daemon configuration is secured by checking the options PermitRootLogin and Protocol. This security measures are applied in article Secure existing OpenSSH installation

To setup daily reporting with rkhunter, issue the command:

<code>cat << EOF >/etc/cron.daily/01-rkhunter<br />#!/bin/sh<br /><br />rkhunter --cronjob --update --versioncheck --rwo &&amp \<br />| mail -s "rkhunter daily run on <strong>ip.address</strong>" <strong>email@addre.ss</strong><br /><br />EOF</code>

The above code will create a shell script named 01-rkhunter in /etc/cron.daily directory. This script will be executed daily by cron.

Finally, the correct permission should be set:

<code>chmod 700 /etc/cron.daily/01-rkhunter<br /><br />Reference: <a href="http://www.sysadmin.md/scanning-server-for-malicious-tools-with-rkhunter.html">http://www.sysadmin.md/scanning-server-for-malicious-tools-with-rkhunter.html</a><br /></code>