
Installing, configuring and using the rkhunter server vulnerability scanner

rkhunter has been mentioned on Habr more than once; this post looks at it in more detail.

Rkhunter (Rootkit Hunter) is a host-based scanner for rootkits, backdoors and traces of local exploits. It compares the properties of key system binaries against a stored baseline, looks for the files and directories of known rootkits, hidden files, suspicious kernel modules and listening backdoor ports, and flags risky configuration such as root login over SSH; its signature data files are updated separately from the program.
It is a Bourne shell script (some tests use Perl), so it runs on practically any Unix-like server OS.


To install it, use the official repositories of the OS you want to scan (rkhunter is packaged in Debian/Ubuntu and available for RHEL/CentOS from EPEL) or download the archive from the official website http://rkhunter.sourceforge.net/

Installation


First launch and preparation
The first run checks that rkhunter itself is installed correctly and is compatible with the system.

First, check whether the installed version is current:

rkhunter --versioncheck

The output shows whether the installed version is the latest one:
[Rootkit Hunter version 1.4.2]

Checking rkhunter version ...
This version: 1.4.2
Latest version: 1.4.2

To keep the scanner's data files (rootkit signatures, backdoor ports, mirror list) current, run rkhunter with the --update key:

rkhunter --update
[Rootkit Hunter version 1.4.2]

Checking rkhunter data files ...
Checking file mirrors.dat [No update]
Checking file programs_bad.dat [No update]
Checking file backdoorports.dat [No update]
Checking file suspscan.dat [Updated]
Checking file i18n/cn [No update]
Checking file i18n/de [Updated]
Checking file i18n/en [No update]
Checking file i18n/tr [Updated]
Checking file i18n/tr.utf8 [Updated]
Checking file i18n/zh [Updated]
Checking file i18n/zh.utf8 [Updated]

The second step is to create a baseline ("snapshot") of the properties of the installed system's files, which later scans are compared against. Do this only on a system you have reason to trust is clean, because whatever state the files are in becomes the reference:
rkhunter --propupd

[Rootkit Hunter version 1.4.2]
File created: searched for 171 files, found 139

The data files are updated and the baseline exists, so we are ready for the first scan:
rkhunter -c --enable all --disable none

The system is tested and a result is displayed for each check. After each group of checks you have to press Enter to continue (add the --sk key to skip the keypresses). At the very end a summary of the system checks appears:

System checks summary
=====================

File properties checks ...
Files checked: 139
Suspect files: 23

Rootkit checks ...
Rootkits checked: 381
Possible rootkits: 0

Applications checks ...
Applications checked: 3
Suspect applications: 0

The system checks took: 2 minutes and 39 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)


Note that rkhunter writes everything shown on screen during the check, with timestamps and additional detail, to this log file.

The first run and check are done; now let's move on to the finer configuration of this tool.

Rkhunter setup
The rkhunter configuration file is /etc/rkhunter.conf or /usr/local/etc/rkhunter.conf, depending on the OS and how it was installed.
First, set up e-mail alerts with the MAIL-ON-WARNING parameter (the message is sent with the command given in MAIL_CMD, so a working local mail command is required):
MAIL-ON-WARNING="<your address>"
On some distributions commands such as /bin/which or /usr/sbin/adduser are shell or Perl scripts rather than binaries, and rkhunter's "replaced by a script" check reports them. If you have verified that such a file is the legitimate version shipped by your distribution, add it to the SCRIPTWHITELIST parameter so it is no longer reported, one file per line:
SCRIPTWHITELIST="/usr/sbin/adduser"
SCRIPTWHITELIST="/bin/which"

If you log in over SSH as root and do not intend to disable that, you can silence this check (rkhunter compares the value with PermitRootLogin in sshd_config; the safer fix is to set PermitRootLogin to no and leave the check on):
ALLOW_SSH_ROOT_USER=yes

After editing the configuration file, save it and check it for errors by running rkhunter with the -C key (configuration check only, no scan):
rkhunter -C
Then run the scan again, adding the --rwo key (report warnings only) so that only warnings are shown:
rkhunter -c --enable all --disable none --rwo
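The configuration steps above, scripted so that they can be re-run safely and validated with rkhunter -C. This is an added example for this article, not code from rkhunter or from the original post: the script name rkhunter-conf.sh, the --apply argument and the address admin@example.com are assumptions; MAIL-ON-WARNING, SCRIPTWHITELIST, -C and --configfile are rkhunter's own.

```bash
#!/bin/bash
# Apply rkhunter.conf settings idempotently, then validate the file with 'rkhunter -C'.
# Added example for this article, not part of rkhunter.
set -u

RKH_CONF=${RKH_CONF:-/etc/rkhunter.conf}   # /usr/local/etc/rkhunter.conf for source installs

# set_option FILE KEY VALUE
# Turns the first KEY= line (commented out or not) into the new definition, or appends
# one if there is none, so re-running never leaves two competing definitions.
# Values are written unquoted, as in the shipped default rkhunter.conf.
set_option() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    !done && $0 ~ ("^#?[ \t]*" k "=") { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # cat rather than mv keeps the conf file's owner and mode
  rm -f "$tmp"
}

# add_script_whitelist FILE PATH
# SCRIPTWHITELIST is given once per path, so append rather than replace. Refuse to
# whitelist something that is not actually a script: the check exists to catch
# binaries that were swapped for scripts, and a blanket entry would hide exactly that.
add_script_whitelist() {
  local file=$1 path=$2 kind
  if [ -e "$path" ] && command -v file >/dev/null 2>&1; then
    kind=$(file -b "$path")
    case $kind in
      *script*) ;;
      *) echo "refusing SCRIPTWHITELIST for $path: $kind" >&2; return 1 ;;
    esac
  fi
  grep -Fxq "SCRIPTWHITELIST=${path}" "$file" || printf 'SCRIPTWHITELIST=%s\n' "$path" >> "$file"
}

# apply CONF MAILBOX PATH...
apply() {
  local conf=$1 mailbox=$2 p
  shift 2
  set_option "$conf" MAIL-ON-WARNING "$mailbox"
  for p in "$@"; do add_script_whitelist "$conf" "$p"; done
  # -C only parses the configuration and reports unknown options or bad values.
  if command -v rkhunter >/dev/null 2>&1; then
    rkhunter -C --configfile "$conf"
  else
    echo "rkhunter not installed; skipped 'rkhunter -C'" >&2
  fi
}

# Side effects only when asked for, so the file can also be sourced for its functions:
#   sudo ./rkhunter-conf.sh --apply admin@example.com /usr/sbin/adduser /bin/which
if [ "${1:-}" = "--apply" ]; then
  shift
  apply "$RKH_CONF" "$@"
fi
```

The script check in add_script_whitelist uses the same file(1) classification rkhunter relies on, so an entry is only added when the file really is a script on this host.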

Scheduled scans
Scheduling can be done both from the console and from the ISPmanager control panel.

In the console, run crontab -e as root and add a line for a daily scan:
@daily /usr/bin/rkhunter --cronjob --update --quiet
--cronjob runs the check non-interactively (no colours, no keypresses) and --quiet suppresses normal output, so results reach you through MAIL-ON-WARNING and the log file. Distribution packages often ship their own daily job (on Debian/Ubuntu it is /etc/cron.daily/rkhunter, controlled by CRON_DAILY_RUN in /etc/default/rkhunter); check for one before adding a second.
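A wrapper for the cron job that also turns the log and the summary block from the "First launch" section into a status a monitoring system can act on. This is an added example, not part of rkhunter or of the original article: the script path, the --run argument and the exit-code mapping (2 for a possible rootkit, 1 for warnings, 0 for a clean run) are this example's own choices, and the sample log is constructed to mirror rkhunter's log format, not captured from a real run. It assumes the default log path /var/log/rkhunter/rkhunter.log shown in the summary above.

```bash
#!/bin/bash
# rkhunter cron wrapper: run the daily scan, extract warnings from the log and return
# a status for monitoring. Added example for this article, not part of rkhunter.
set -u

RKH_LOG=${RKH_LOG:-/var/log/rkhunter/rkhunter.log}

# Constructed sample log for this example: mirrors the "[HH:MM:SS] Warning: ..." lines and
# the "System checks summary" block, but the values are made up, not from a real scan.
SAMPLE_LOG=$(cat <<'EOF'
[10:01:05] Info: Starting test name 'properties'
[10:01:09] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script, ASCII text executable
[10:01:09] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script text executable
[10:02:40] Info: Starting test name 'rootkits'
[10:03:44] System checks summary
[10:03:44] =====================
[10:03:44] Files checked: 139
[10:03:44] Suspect files: 2
[10:03:44] Rootkits checked: 381
[10:03:44] Possible rootkits: 0
[10:03:44] Applications checked: 3
[10:03:44] Suspect applications: 0
EOF
)

# rkh_warnings LOG: print each Warning line with its timestamp stripped. Also works on
# --rwo console output, where the timestamp prefix is absent.
rkh_warnings() {
  printf '%s\n' "$1" | sed -n -E 's/^(\[[0-9:]+\][[:space:]]*)?Warning:[[:space:]]*//p'
}

# rkh_count LOG LABEL: the number after "LABEL:" in the summary (e.g. "Suspect files"),
# last occurrence wins in case the log holds several runs; 0 if the label is absent.
rkh_count() {
  local n
  n=$(printf '%s\n' "$1" | sed -n -E "s/.*${2}:[[:space:]]*([0-9]+).*/\1/p" | tail -n 1)
  echo "${n:-0}"
}

# rkh_status LOG: one-line summary on stdout; returns 2 (possible rootkit), 1 (warnings), 0 (clean).
rkh_status() {
  local log=$1 warnings rootkits suspects
  warnings=$(rkh_warnings "$log" | wc -l)
  warnings=$((warnings))   # drop the padding some wc implementations print
  rootkits=$(rkh_count "$log" 'Possible rootkits')
  suspects=$(rkh_count "$log" 'Suspect files')
  echo "rkhunter: warnings=$warnings suspect_files=$suspects possible_rootkits=$rootkits"
  if [ "$rootkits" -gt 0 ]; then return 2; fi
  if [ "$warnings" -gt 0 ] || [ "$suspects" -gt 0 ]; then return 1; fi
  return 0
}

main() {
  local log
  if [ "$(id -u)" -eq 0 ] && command -v rkhunter >/dev/null 2>&1; then
    # --cronjob implies --check, --nocolors and --skip-keypress; --update refreshes the
    # data files first. rkhunter itself exits 1 when it logged warnings, so do not let
    # that abort the wrapper: the status is derived from the log below.
    rkhunter --cronjob --update --quiet || true
    log=$(cat "$RKH_LOG")
  else
    echo "not root or rkhunter not installed; evaluating the constructed sample log instead" >&2
    log=$SAMPLE_LOG
  fi
  rkh_status "$log"
}

# Side effects only when asked for, so the file can be sourced for its functions:
#   @daily /usr/local/sbin/rkhunter-daily.sh --run
if [ "${1:-}" = "--run" ]; then
  main
  exit $?
fi
```

Without root or rkhunter the script evaluates the embedded sample and exits 1, because the sample carries two warnings; on a real host the exit code comes from the current log, which rkhunter overwrites on each run unless --appendlog is given.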

In ISPmanager4, the scheduler is located in the menu item “Tools” -> “Scheduler (cron)”


In ISPmanager5 this is the “Scheduler” menu item in the “System” section.


In conclusion, a reminder: run rkhunter --propupd after every OS or package update (and whenever you change the set of files rkhunter tracks), otherwise the next scan reports the legitimately updated binaries as warnings. Do this only once you have confirmed that the changes came from a trusted update, since --propupd accepts the current state of the files as the new baseline. On Debian/Ubuntu the package can do it automatically after apt runs if APT_AUTOGEN is set to yes in /etc/default/rkhunter.

Source: https://habr.com/ru/post/242865/
