Detecting rootkits with rkhunter in Ubuntu 18.04

August 19, 2018 by The Urban Penguin

We now turn our attention to specific rootkit detection tools, starting with rkhunter. The package is in the standard Ubuntu repositories and is easy to install:

$ sudo apt install -y rkhunter

With the installation complete we need to focus on the configuration, which is found in the file /etc/rkhunter.conf. Ubuntu has changed some settings from the upstream defaults, and those changes cause some issues. There are 3 changes that we should make to ensure the updates and scans can complete.

Ensure the following settings are in place:

UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""

We will also enable the daily scan and the database updates with cron by editing the file /etc/default/rkhunter:

CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"

The last setting allows an rkhunter update to run when apt updates the system. The rkhunter tool needs to run as the root user, so we use sudo. First we check that we have the latest rootkit definitions, or signatures:

$ sudo rkhunter --update

Next we update the file properties database. This is used for the checks against sensitive binaries and programs. The file properties are retrieved from the repositories rather than from local data, minimizing the risk of the reference check itself being compromised.

$ sudo rkhunter --propupd

We can also check that the version we are using is up to date:

$ sudo rkhunter --versioncheck

We are now ready to run the check against our system:

$ sudo rkhunter --check

After each group of checks rkhunter displays a summary for that group and pauses until a key is pressed. To proceed without these breaks, use the --sk option as well.

We can see the output on the screen, but it is also written to the log /var/log/rkhunter.log.

The system warns that root access by SSH is possible. We can and should disallow this in the file /etc/ssh/sshd_config:

PermitRootLogin=no

With the setting made we can restart sshd:

$ sudo systemctl restart sshd

Re-running the rkhunter check should now reveal that SSH is secured. Securing SSHD is important regardless of your concern with rootkits: the root user should not be able to log in via SSH. A non-privileged account should be used to log in, making use of sudo once access has been gained.
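To confirm the /etc/rkhunter.conf, /etc/default/rkhunter and sshd_config settings above from a script rather than by eye, here is an added example (not from the original post or the rkhunter project). It assumes the KEY=VALUE syntax of the two rkhunter files, and takes file paths as parameters so it can be pointed at saved copies as well as the live files.

```sh
#!/bin/sh
# Added example, not from the original post: audit the rkhunter and sshd
# settings the post asks for, so a hardening or monitoring job can confirm them.
# Assumes the KEY=VALUE syntax of /etc/rkhunter.conf and /etc/default/rkhunter
# (value optionally in double quotes); paths are parameters so the functions
# can run against saved copies as well as the live files.

# conf_value FILE KEY: print the value of the last uncommented KEY= line with
# surrounding double quotes removed; return 1 and print nothing if KEY is absent.
conf_value() {
    line=$(grep "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "${line#*=}" | sed 's/^"\(.*\)"$/\1/'
}

# check_setting FILE KEY EXPECTED: 0 if the effective value matches, else 1.
check_setting() {
    if actual=$(conf_value "$1" "$2"); then
        if [ "$actual" = "$3" ]; then
            echo "OK   $2=\"$3\" ($1)"; return 0
        fi
        echo "FAIL $2 is \"$actual\" ($1), expected \"$3\""
    else
        echo "FAIL $2 is not set ($1), expected \"$3\""
    fi
    return 1
}

# audit_rkhunter CONF DEFAULTS: run every check from the post; the return
# status is the number of settings that are missing or wrong (0 = all good).
audit_rkhunter() {
    fails=0
    check_setting "$1" UPDATE_MIRRORS 1    || fails=$((fails + 1))
    check_setting "$1" MIRRORS_MODE 0      || fails=$((fails + 1))
    check_setting "$1" WEB_CMD ""          || fails=$((fails + 1))
    check_setting "$2" CRON_DAILY_RUN true || fails=$((fails + 1))
    check_setting "$2" CRON_DB_UPDATE true || fails=$((fails + 1))
    check_setting "$2" APT_AUTOGEN true    || fails=$((fails + 1))
    return "$fails"
}

# sshd_root_login SSHD_CONFIG: effective PermitRootLogin value. sshd keeps the
# first occurrence of a keyword, accepts "Key value" or "Key=value", and, if the
# keyword is absent, applies its compiled-in default prohibit-password. Assumes
# the conventional capitalisation (sshd itself matches keywords case-insensitively).
sshd_root_login() {
    v=$(sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]=]*\([^[:space:]#]*\).*/\1/p' \
        "$1" 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-prohibit-password}"
}
```

Source the file and run `audit_rkhunter /etc/rkhunter.conf /etc/default/rkhunter` and `sshd_root_login /etc/ssh/sshd_config`; a non-zero status from the audit is the number of settings still to fix, and anything other than "no" from the second call means the SSH warning will come back.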

Filed Under: LPIC-3 Exam 303