In this article, we’ll explain how to install Rootkit Hunter in Linux (rkhunter).
Rootkit Hunter is an open-source, Unix/Linux-based security monitoring and analysis tool. It is a shell script that carries out various checks on the local system to detect known rootkits and malware. It also checks whether system commands have been modified, whether the system startup files have been changed, and inspects the network interfaces, including checks for listening applications.
This guide will help you with the installation and configuration process.
Install Rootkit Hunter in Linux
Let’s get started.
1. Download Rkhunter
Use the following commands to download the rkhunter source tarball from sourceforge.net:
# cd /tmp
# wget https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
For the latest version, visit https://sourceforge.net/projects/rkhunter/files/rkhunter/ and verify the downloaded tarball against the checksum or signature published alongside it before unpacking. Most Linux distributions also ship rkhunter as a package, which is the simpler option if you want updates delivered through the package manager.
2. Extract and install Rkhunter
After downloading rkhunter, extract the tarball and run the installation script as shown below:
# tar -xvf rkhunter-1.4.6.tar.gz
# cd rkhunter-1.4.6
# ./installer.sh --install
The above command performs a default installation of rkhunter.
Note: If a file permission error is shown, check that the ‘installer.sh’ script is executable.
The installer also has a help option:
# ./installer.sh --help
The default installation installs a configuration file, called ‘rkhunter.conf’, into the ‘/etc’ directory, or wherever you chose using the ‘--layout’ switch. You can either edit the main configuration file itself, or create a ‘local’ configuration file for your own settings. This file, which must be called ‘rkhunter.conf.local’, must reside in the same directory as the main configuration file.
Alternatively, or in addition if wished, you can create a directory, named ‘rkhunter.d’, in the same directory as the main configuration file. Within ‘rkhunter.d’ you can then create further configuration files. The only restriction is that the file names end in ‘.conf’.
You should edit the configuration file(s) according to your own system requirements.
3. Update Rkhunter
Update the rkhunter data files (this fetches them from the internet, so the machine needs outbound access):
# rkhunter --update
Before running the first check, populate the file properties database:
# rkhunter --propupd
This records the current properties (hashes, sizes, ownership and permissions) of the system commands as the known-good baseline, so only run it on a system you have reason to trust, ideally a fresh installation. Re-run it after legitimate package updates; otherwise the next check will warn about every binary that changed.
4. Run Rkhunter
To run the full set of checks, execute the following command as root:
# rkhunter -c
By default rkhunter pauses for a keypress after each group of checks and writes the results to /var/log/rkhunter.log:
# cat /var/log/rkhunter.log
To see only the warnings, use:
# grep Warning /var/log/rkhunter.log
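To tie the steps above together, here is an added example script (not part of the original article or of the rkhunter project) that baselines the file properties database, runs a non-interactive check the way a cron job would, and summarises the distinct warnings from the log. It assumes rkhunter is installed on the PATH and logs to /var/log/rkhunter.log (the default; override with RKH_LOG). The sample log lines in rkh_sample_log are constructed to resemble rkhunter's log format and are not real scan output.

```shell
#!/bin/sh
# Added example wrapper around the rkhunter steps in this article; not part of
# rkhunter itself. Assumes rkhunter is on PATH and uses the default log path
# unless RKH_LOG is set. Baseline and scan must run as root.

RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"

# Baseline the file-properties database. Only do this on a system you trust:
# --propupd records the *current* binaries as known-good, so running it on a
# compromised host teaches rkhunter to accept the attacker's files.
rkh_baseline() {
    rkhunter --propupd
}

# Non-interactive check suitable for cron: --cronjob runs the checks without
# colours or keypress prompts, --rwo prints warnings only. rkhunter exits
# non-zero when warnings were raised, so the status is worth acting on.
rkh_scan() {
    status=0
    rkhunter --cronjob --rwo || status=$?
    echo "rkhunter exit status: $status (non-zero means warnings were raised)"
    return "$status"
}

# Print the distinct warning messages from an rkhunter log. The log has two
# kinds of warning lines: a per-check status ending in "[ Warning ]" and an
# explanatory "[HH:MM:SS] Warning: ..." line. Only the explanatory lines are
# useful, so keep those, strip the timestamp, and de-duplicate.
rkh_warnings() {
    log="${1:-$RKH_LOG}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    sed -n 's/^\[[0-9:]*\][[:space:]]*Warning:[[:space:]]*//p' "$log" | sort -u
}

# Number of distinct warnings in a log; 0 means rkhunter raised none.
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample log (modelled on rkhunter's log format, not real output)
# so the parsing above can be exercised without running a scan. Note the
# repeated warning on the last line, which rkh_warnings collapses to one.
rkh_sample_log() {
    cat >"$1" <<'EOF'
[10:12:35] Checking for prerequisites                   [ Warning ]
[10:12:35] Warning: The file properties have changed:
[10:12:35]          File: /usr/bin/ls
[10:12:36] /usr/bin/ls                                  [ Warning ]
[10:12:36] Warning: The command '/usr/bin/ls' has been replaced by a script: /usr/bin/ls: POSIX shell script
[10:12:40] Checking for hidden files and directories    [ Warning ]
[10:12:40] Warning: Hidden file found: /dev/shm/.x: empty
[10:12:40] Warning: The command '/usr/bin/ls' has been replaced by a script: /usr/bin/ls: POSIX shell script
EOF
}

case "${1:-}" in
    baseline) rkh_baseline ;;
    scan)     rkh_scan ;;
    warnings) rkh_warnings "${2:-$RKH_LOG}" ;;
    demo)     tmp=$(mktemp); rkh_sample_log "$tmp"; rkh_warnings "$tmp"; rm -f "$tmp" ;;
    "")       ;;  # no action given: just define the functions (e.g. when sourced)
    *)        echo "usage: $0 {baseline|scan|warnings [logfile]|demo}" >&2; exit 64 ;;
esac
```

Run `./rkh.sh baseline` once on a trusted system, schedule `./rkh.sh scan` from cron, and use `./rkh.sh warnings` to review the distinct findings; `./rkh.sh demo` parses the constructed sample and prints three warnings, showing that the duplicated line is collapsed.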
See the man page for the full list of options:
# man rkhunter
That covers the basic installation and configuration of rkhunter. In this article we have seen how to install Rootkit Hunter (rkhunter) in Linux, update its data files, build the file properties baseline and run a first check.