LPIC-3 Exam 303

Detecting rootkits with rkhunter in Ubuntu 18.04

August 19, 2018 (updated November 16th, 2018)

We now turn our attention to specific rootkit detection tools and rkhunter. This package is part of our standard Ubuntu repositories and is easy to install:

$ sudo apt install -y rkhunter

With the installation complete we need to focus on the configuration, which lives in the file /etc/rkhunter.conf. Ubuntu has changed some settings from the upstream defaults, and those changes cause problems; there are three settings we should change to ensure scans can complete.

Ensure the following settings are in place:

UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""

We will also enable the scan and updates with cron by editing the file /etc/default/rkhunter:

CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"
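As an added example (not code from the original post), the following POSIX shell script applies and then verifies the three /etc/rkhunter.conf settings and the three /etc/default/rkhunter settings listed above. File paths are parameters so it can be tried on copies before touching /etc; the sample file contents built in demo() are constructed and modelled on the Debian/Ubuntu defaults, which is an assumption rather than a capture of a real system.

```shell
#!/bin/sh
# Added example, not from the original post: set and verify the rkhunter
# settings the post describes. Usage on the real files (as root):
#   configure_rkhunter /etc/rkhunter.conf /etc/default/rkhunter
#   verify_rkhunter    /etc/rkhunter.conf /etc/default/rkhunter

# set_kv FILE KEY VALUE
# Rewrite every active (uncommented) KEY=... line to KEY=VALUE, or append the
# line if there is no active one. Commented-out lines are left alone so we do
# not create duplicate active options. VALUE must not contain '|' or '&'.
set_kv() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*${key}=" "$file"; then
        sed -i -E "s|^[[:space:]]*${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY -> prints the value of the first active KEY= line (empty if none)
get_kv() {
    grep -E "^[[:space:]]*$2=" "$1" | head -n 1 | sed -E "s/^[[:space:]]*$2=//"
}

# expect_kv FILE KEY VALUE -> 0 if the active value matches, else prints the
# mismatch on stderr and returns 1, so the admin sees exactly what to fix.
expect_kv() {
    actual=$(get_kv "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    printf 'MISMATCH %s: %s=%s (want %s)\n' "$1" "$2" "${actual:-<unset>}" "$3" >&2
    return 1
}

# configure_rkhunter CONF DEFAULTS: apply the six settings from the post.
configure_rkhunter() {
    conf=$1; defaults=$2
    set_kv "$conf" UPDATE_MIRRORS 1
    set_kv "$conf" MIRRORS_MODE 0
    set_kv "$conf" WEB_CMD '""'
    set_kv "$defaults" CRON_DAILY_RUN '"true"'
    set_kv "$defaults" CRON_DB_UPDATE '"true"'
    set_kv "$defaults" APT_AUTOGEN '"true"'
}

# verify_rkhunter CONF DEFAULTS -> 0 when all six settings hold, 1 otherwise.
verify_rkhunter() {
    conf=$1; defaults=$2; rc=0
    expect_kv "$conf" UPDATE_MIRRORS 1          || rc=1
    expect_kv "$conf" MIRRORS_MODE 0            || rc=1
    expect_kv "$conf" WEB_CMD '""'              || rc=1
    expect_kv "$defaults" CRON_DAILY_RUN '"true"'  || rc=1
    expect_kv "$defaults" CRON_DB_UPDATE '"true"'  || rc=1
    expect_kv "$defaults" APT_AUTOGEN '"true"'     || rc=1
    return $rc
}

# demo: run the functions on constructed copies. The contents are modelled on
# the Debian/Ubuntu defaults (an assumption, not copied from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'UPDATE_MIRRORS=0\nMIRRORS_MODE=1\nWEB_CMD="/bin/false"\n' > "$dir/rkhunter.conf"
    printf 'CRON_DAILY_RUN="false"\nCRON_DB_UPDATE="false"\n' > "$dir/rkhunter.default"
    echo "before:"; verify_rkhunter "$dir/rkhunter.conf" "$dir/rkhunter.default"
    configure_rkhunter "$dir/rkhunter.conf" "$dir/rkhunter.default"
    echo "after:";  verify_rkhunter "$dir/rkhunter.conf" "$dir/rkhunter.default" && echo "all settings in place"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh rkhunter-settings.sh demo` to see the before/after report on the constructed copies, or source it and call configure_rkhunter against the real files. Only active lines are rewritten on purpose: uncommenting the explanatory `#KEY=` lines that ship in rkhunter.conf would leave duplicate options, which rkhunter rejects.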

The last setting allows the rkhunter database to be updated when apt updates packages. The rkhunter tool needs to run as the root user, so we use sudo. First we check that we have the latest rootkit definitions or signatures:

$ sudo rkhunter --update

Next we update the file properties. These are used for the checks against sensitive binaries and programs. The file properties are retrieved from the repositories rather than from local data, which minimizes the risk of the reference data itself being compromised.

$ sudo rkhunter --propupd

We can also check that the version we are using is up to date:

$ sudo rkhunter --versioncheck

We are now ready to run the check against our system:

$ sudo rkhunter --check

After each group of checks the summary for that group is displayed and rkhunter waits for a key press. To proceed without these pauses, use the --sk (--skip-keypress) option as well.

We can see the output on the screen but it is also written to the log /var/log/rkhunter.log.

The check warns that root access by SSH is possible. We can and should disallow this in the file /etc/ssh/sshd_config:

PermitRootLogin no

With the setting in place we restart sshd:

$ sudo systemctl restart sshd

Re-running the rkhunter check should now report that SSH is secured. Securing sshd is important regardless of your concern with rootkits: the root user should not be able to log in via SSH. Log in with a non-privileged account instead, and then use sudo once access has been gained.
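As an added example that is not code from the original post, this POSIX shell script ties together the log file mentioned above and the SSH fix: it pulls the Warning lines out of /var/log/rkhunter.log, reads the effective PermitRootLogin value from sshd_config, and rewrites the file correctly. It goes beyond the post by handling two edge cases: sshd keeps the first value it reads for a keyword, so a "PermitRootLogin no" appended after an earlier "yes" changes nothing, and lines after a Match block apply only to matching connections, not globally. The log lines and sshd_config contents used to exercise it are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not from the original post: review rkhunter warnings and
# check/fix PermitRootLogin. Paths are parameters so it runs against copies.
# Usage (as root):
#   rkhunter_warnings /var/log/rkhunter.log
#   sshd_root_login_disabled /etc/ssh/sshd_config || sshd_disable_root_login /etc/ssh/sshd_config

# rkhunter_warning_count LOG -> prints the number of "Warning:" lines.
# rkhunter writes one "[HH:MM:SS] Warning: ..." line per finding, so the log
# of an earlier run can be reviewed without repeating the scan.
rkhunter_warning_count() {
    grep -c 'Warning:' "$1" || true   # grep -c prints 0 (and exits 1) on no match
}

# rkhunter_warnings LOG -> prints the warning lines without the timestamp prefix.
rkhunter_warnings() {
    grep 'Warning:' "$1" | sed -E 's/^\[[0-9:]+\][[:space:]]*//'
}

# sshd_permit_root_login CONFIG -> prints the effective global value, or "unset".
# Keywords are case-insensitive, "Keyword value" and "Keyword=value" are both
# accepted, only the FIRST occurrence counts, and anything after a Match line
# is conditional rather than global, so we stop reading there.
sshd_permit_root_login() {
    awk '
        /^[[:space:]]*#/                 { next }    # comment line
        { gsub(/=/, " ") }                           # normalise Keyword=value
        tolower($1) == "match"           { exit }    # end of the global section
        tolower($1) == "permitrootlogin" { v = $2; gsub(/"/, "", v); print v; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# sshd_root_login_disabled CONFIG -> 0 when the global value is exactly "no".
sshd_root_login_disabled() {
    [ "$(sshd_permit_root_login "$1")" = "no" ]
}

# sshd_disable_root_login CONFIG
# Rewrites the first global PermitRootLogin line to "no" (dropping any later
# global duplicates, which sshd would ignore anyway), or inserts the line
# before the first Match block, or at the end when neither exists. The file is
# overwritten in place with cat so its ownership and mode are preserved.
# Restart sshd afterwards for the change to take effect.
sshd_disable_root_login() {
    out=$(mktemp) || return 1
    awk '
        function emit() { if (!done) { print "PermitRootLogin no"; done = 1 } }
        inmatch                          { print; next }   # leave Match blocks untouched
        /^[[:space:]]*#/                 { print; next }
        { line = $0; gsub(/=/, " ") }
        tolower($1) == "match"           { emit(); inmatch = 1; print line; next }
        tolower($1) == "permitrootlogin" { emit(); next }
        { print line }
        END { emit() }
    ' "$1" > "$out" && cat "$out" > "$1"
    rc=$?
    rm -f "$out"
    return $rc
}
```

The first-value rule is the reason the rewrite does not simply append a line: an administrator who appends "PermitRootLogin no" to a file that already says "yes" higher up will still see the rkhunter warning after restarting sshd.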