Rkhunter (Rootkit Hunter) is a free and open-source vulnerability scanner for Linux operating systems. It scans for rootkits and other possible vulnerabilities, including hidden files, wrong permissions set on binaries, and suspicious strings in the kernel. It compares the SHA-1 hashes of all files in your local system with the known good hashes in an online database. It also checks the local system commands, startup files, and network interfaces for listening services and applications.

In this tutorial, we will explain how to install and use Rkhunter on a Debian 10 server.

Prerequisites

  • A server running Debian 10.
  • A root password is configured on the server.

Install and Configure Rkhunter

The Rkhunter package is available in the default Debian 10 repository. You can install it by simply running the following command:

apt-get install rkhunter -y

Once the installation is completed, you will need to configure Rkhunter before scanning your system. You can configure it by editing the file /etc/rkhunter.conf.

nano /etc/rkhunter.conf

Change the following lines:

#Enable the mirror checks.
UPDATE_MIRRORS=1

#Tells rkhunter to use any mirror.
MIRRORS_MODE=0

#Specify a command which rkhunter will use when downloading files from the Internet
WEB_CMD=""

Save and close the file when you are finished. Next, check the Rkhunter configuration for syntax errors with the following command:

rkhunter -C

Update Rkhunter and Set the Security Baseline

Next, you will need to update the Rkhunter data files from the Internet mirrors. You can update them with the following command:

rkhunter --update

You should get the following output:

[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ Updated ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ Skipped ]
  Checking file i18n/de                                      [ Skipped ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ Skipped ]
  Checking file i18n/tr.utf8                                 [ Skipped ]
  Checking file i18n/zh                                      [ Skipped ]
  Checking file i18n/zh.utf8                                 [ Skipped ]
  Checking file i18n/ja                                      [ Skipped ]

Next, verify the Rkhunter version information with the following command:

rkhunter --versioncheck

You should get the following output:

[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter version...
  This version  : 1.4.6
  Latest version: 1.4.6

Next, set the security baseline with the following command. This records the current properties (hashes, permissions, ownership) of the monitored files as known-good, so run it on a system you trust, and run it again after package updates so that legitimately changed binaries are not reported as suspect:

rkhunter --propupd

You should get the following output:

[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 180 files, found 140

Perform Test Run

At this point, Rkhunter is installed and configured. Now, it's time to perform the security scan against your system. You can do this by running the following command:

rkhunter --check

You will need to press Enter after each group of security checks. When the scan finishes, a summary like the following is shown:

System checks summary
=====================

File properties checks...
    Files checked: 140
    Suspect files: 3

Rootkit checks...
    Rootkits checked : 497
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 2 minutes and 10 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

You can use the option --sk to avoid pressing Enter and the option --rwo to display only warnings, as shown below:

rkhunter --check --rwo --sk

You should get the following output:

Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
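The warnings above fall into two classes: commands that have been replaced by scripts (on Debian, egrep, fgrep and which are shell scripts shipped by the grep and debianutils packages, so these are usually false positives) and a mismatch between sshd's PermitRootLogin and the ALLOW_SSH_ROOT_USER option in /etc/rkhunter.conf. The following added example (not part of the tutorial or of rkhunter) triages the "warnings only" output: it counts warnings, extracts the replaced commands, and generates the SCRIPTWHITELIST lines you would add to /etc/rkhunter.conf once you have confirmed each script really belongs to its distribution package (for example with dpkg -S and dpkg -V). The sample input is constructed from the warnings shown above.

```shell
#!/bin/sh
# Added example: triage the output of `rkhunter --check --rwo --sk`.
# On a real host, capture the output first, e.g.:
#   rkhunter --check --rwo --sk > /tmp/rkhunter-warnings.txt
# Here a constructed sample (the warnings shown in the tutorial) is used instead.

SAMPLE="${TMPDIR:-/tmp}/rkhunter-warnings.sample"
cat > "$SAMPLE" <<'EOF'
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
EOF

# count_warnings FILE: number of "Warning:" lines (indented continuation lines are not counted).
count_warnings() {
    grep -c '^Warning:' "$1"
}

# replaced_commands FILE: paths reported as "replaced by a script", one per line.
replaced_commands() {
    sed -n "s/^Warning: The command '\([^']*\)' has been replaced by a script:.*/\1/p" "$1"
}

# whitelist_lines FILE: SCRIPTWHITELIST entries for /etc/rkhunter.conf, one per replaced
# command. Add them only after verifying each script with `dpkg -S PATH` and `dpkg -V PKG`.
whitelist_lines() {
    replaced_commands "$1" | sed 's/^/SCRIPTWHITELIST=/'
}

# ssh_root_mismatch FILE: "yes" if rkhunter reported that PermitRootLogin and
# ALLOW_SSH_ROOT_USER disagree, "no" otherwise.
ssh_root_mismatch() {
    if grep -q 'SSH and rkhunter configuration options should be the same' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Short triage report.
echo "warnings: $(count_warnings "$SAMPLE")"
echo "commands replaced by scripts:"
replaced_commands "$SAMPLE" | sed 's/^/  /'
echo "suggested whitelist entries (verify the scripts first):"
whitelist_lines "$SAMPLE" | sed 's/^/  /'
echo "ssh root-login mismatch: $(ssh_root_mismatch "$SAMPLE")"
```

For the SSH mismatch, the preferable fix is to set PermitRootLogin to no in /etc/ssh/sshd_config and reload sshd; if root login over SSH is genuinely required, set ALLOW_SSH_ROOT_USER=yes in /etc/rkhunter.conf so that the warning reflects the intended state rather than being silenced by accident.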

You can also check the Rkhunter logs using the following command:

tail -f /var/log/rkhunter.log

Schedule Regular Scan with Cron

It is recommended to configure Rkhunter to scan your system regularly. You can configure it by editing the file /etc/default/rkhunter:

nano /etc/default/rkhunter

Change the following lines:

#Perform security check daily
CRON_DAILY_RUN="true"

#Enable weekly database updates.
CRON_DB_UPDATE="true"

#Enable automatic database updates
APT_AUTOGEN="true"

Save and close the file when you are finished.
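Both the changes to /etc/rkhunter.conf in the "Install and Configure Rkhunter" section and the changes to /etc/default/rkhunter above are KEY=VALUE edits that are easy to get wrong by hand (a duplicated key, or an edit that is applied twice by a provisioning script). The following added example (not part of the tutorial or of rkhunter) applies both sets of changes with an idempotent helper and reads them back. It works on constructed copies of the two files so it can run anywhere; on a real Debian 10 host you would point CONF and DEFAULTS at /etc/rkhunter.conf and /etc/default/rkhunter and run rkhunter -C afterwards.

```shell
#!/bin/sh
# Added example: idempotent KEY=VALUE edits for rkhunter's configuration files.
# CONF and DEFAULTS are constructed stand-ins for /etc/rkhunter.conf and
# /etc/default/rkhunter, seeded with the values the tutorial changes.

WORK="${TMPDIR:-/tmp}/rkhunter-example.$$"
mkdir -p "$WORK"
CONF="$WORK/rkhunter.conf"
DEFAULTS="$WORK/default-rkhunter"

cat > "$CONF" <<'EOF'
# Constructed sample of /etc/rkhunter.conf
UPDATE_MIRRORS=0
MIRRORS_MODE=1
WEB_CMD="/bin/false"
#SCRIPTWHITELIST=/usr/bin/egrep
EOF
cat > "$DEFAULTS" <<'EOF'
# Constructed sample of /etc/default/rkhunter
CRON_DAILY_RUN="false"
CRON_DB_UPDATE="false"
APT_AUTOGEN="false"
EOF

# set_option FILE KEY VALUE
# Replace every active (uncommented) KEY=... line with KEY=VALUE, or append the line
# if the key is not set. Commented-out examples of the key are left untouched.
# Running it twice leaves the file unchanged.
set_option() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key=" "$file"; then
        sed "s|^[[:space:]]*$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_option FILE KEY: print the value currently set for KEY, with surrounding quotes stripped.
get_option() {
    sed -n "s|^$2=||p" "$1" | tail -n1 | tr -d '"'
}

# Changes from the "Install and Configure Rkhunter" section.
set_option "$CONF" UPDATE_MIRRORS 1
set_option "$CONF" MIRRORS_MODE 0
set_option "$CONF" WEB_CMD '""'

# Changes from the "Schedule Regular Scan with Cron" section.
set_option "$DEFAULTS" CRON_DAILY_RUN '"true"'
set_option "$DEFAULTS" CRON_DB_UPDATE '"true"'
set_option "$DEFAULTS" APT_AUTOGEN '"true"'

# Apply the first set again to demonstrate idempotence: the file must not change.
cp "$CONF" "$CONF.before"
set_option "$CONF" UPDATE_MIRRORS 1
set_option "$CONF" MIRRORS_MODE 0
set_option "$CONF" WEB_CMD '""'
cmp -s "$CONF" "$CONF.before" && echo "rkhunter.conf: second run changed nothing"

echo "--- $CONF"; cat "$CONF"
echo "--- $DEFAULTS"; cat "$DEFAULTS"
```

After editing the real files, rkhunter -C validates /etc/rkhunter.conf, and the Debian cron jobs in /etc/cron.daily/rkhunter and /etc/cron.weekly/rkhunter read /etc/default/rkhunter, so a typo in a value there only surfaces on the next scheduled run; checking the values back with get_option (or a plain grep) right after the edit avoids that surprise.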

Conclusion

Congratulations! You have successfully installed and configured Rkhunter on a Debian 10 server. You can now use Rkhunter regularly to protect your server from malware.

How to scan a Debian server for rootkits with Rkhunter