Kernic

Just my thoughts.

Securing a Root Server #3: Defending Against Rootkits with rkhunter

Part 3 of the server security series: Detecting and defending against rootkits with rkhunter. A guide to installing and configuring this important security tool. This is how you protect your server from hidden threats.


Rootkits are nasty malicious programs that, once they have infected a system, hide themselves in files and processes. These little beasts cannot be detected with normal tools such as simple process or file monitoring. But we are not defenseless against rootkits: rkhunter (Rootkit Hunter) hunts them down on the system.

So that you can secure your server against rootkits too, here is a guide from me. As always, it is written for my Linux distribution of choice for servers, Debian.

Installing rkhunter

On Debian

Unsurprisingly, we first install rkhunter with apt, requesting administrator privileges with sudo.

sudo apt install rkhunter

Afterward, we make a timestamped backup copy of the Debian defaults file for rkhunter.

sudo cp -p /etc/default/rkhunter /etc/default/rkhunter-COPY-$(date +"%Y%m%d%H%M%S")

We then create a local working copy of the configuration, which rkhunter reads in addition to the main file, and make our settings there.

sudo cp -p /etc/rkhunter.conf /etc/rkhunter.conf.local

sudo nano /etc/rkhunter.conf.local

The following settings are my recommendation. Find them in the file and adjust them accordingly.

ℹ️

I strongly recommend that you always go through the complete settings and adjust them to your preferences if necessary.

Setting                          Note
UPDATE_MIRRORS=1                 Also updates the mirror list
MIRROR_MODE=0                    Also uses external mirror sources
MAIL-ON-WARNING=root             Sends you an email if there is a warning
PKGMGR=NONE                      Sets the package manager; remove the leading #
PHALANX2_DIRTEST=1               Activates the extended test
WEB_CMD=""                       Must be set to work around a bug in Debian
USE_LOCKING=1                    Prevents several rkhunter instances from running at the same time
SHOW_SUMMARY_WARNINGS_NUMBER=1   Displays the number of warnings in the summary
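The settings in the table can be applied to the working copy without hand-editing. The script below is an added example, not part of the original post: it rewrites a key that is already active, uncomments a key that is still commented out (the "remove the #" case), and appends a key that is missing, so running it twice is harmless. It defaults to a constructed sample file rather than /etc/rkhunter.conf.local so it can be tried without rkhunter installed.

```shell
#!/bin/sh
# Added example (not from the original post). Applies the recommended
# rkhunter settings idempotently: active key -> rewritten, commented-out
# key -> uncommented and set, missing key -> appended. Avoids sed -i.

# set_option FILE KEY VALUE
set_option() {
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp"
    elif grep -q "^#[[:space:]]*${key}=" "$file"; then
        sed "s|^#[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$file.tmp"
    else
        cp "$file" "$file.tmp" && printf '%s=%s\n' "$key" "$value" >> "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# get_option FILE KEY -> active value of KEY (empty if absent or commented out)
get_option() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# The settings from the table above (target /etc/rkhunter.conf.local in practice).
apply_recommended() {
    set_option "$1" UPDATE_MIRRORS 1
    set_option "$1" MIRROR_MODE 0
    set_option "$1" MAIL-ON-WARNING root
    set_option "$1" PKGMGR NONE
    set_option "$1" PHALANX2_DIRTEST 1
    set_option "$1" WEB_CMD '""'
    set_option "$1" USE_LOCKING 1
    set_option "$1" SHOW_SUMMARY_WARNINGS_NUMBER 1
}

# Constructed sample config (not the real file) covering all three cases.
make_sample() {
    cat > "$1" <<'EOF'
# rkhunter sample configuration (constructed for this example)
UPDATE_MIRRORS=0
MIRROR_MODE=1
#PKGMGR=NONE
#WEB_CMD=""
USE_LOCKING=0
EOF
}

sample=$(mktemp) && make_sample "$sample" && apply_recommended "$sample"
cat "$sample"; rm -f "$sample"
```

To use it on the real server, call apply_recommended /etc/rkhunter.conf.local as root and then confirm the result with sudo rkhunter -C as described further down.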

Next, enable the automatic daily execution of rkhunter. Answer all questions with Yes.

sudo dpkg-reconfigure rkhunter

⚠️

Now it’s important to check that all settings are correctly set.

sudo rkhunter -C

If that runs without errors, you have configured rkhunter correctly and everything is up and running. From now on, your server is protected against rootkits as well as rkhunter allows: it will check your file system for rootkits once a day.

As a final step, update rkhunter's data files and refresh its file-properties database, and, if you wish, run a manual scan. Note that --propupd records the current state of your system files as the trusted baseline, so run it only on a system you have no reason to believe is already compromised.

# update rkhunter's data files and refresh the file-properties baseline
sudo rkhunter --versioncheck
sudo rkhunter --update
sudo rkhunter --propupd

# run rkhunter manually
sudo rkhunter --check