How to install Rootkit Hunter on a Raspberry Pi 4?




I installed Rootkit Hunter, an application for detecting rootkits!

Antivirus alone is not enough to secure a server, is it?

Are there any other security tools?

I will show you one of them: a rootkit detection tool.

What is a rootkit?

See Wikipedia for details. Put simply, a rootkit is a program that makes the target computer malfunction.

The difference from a virus is:

Virus (Computer virus)
  Infects user files and causes problems.
Rootkit
  Itself causes the problem.



I installed Rootkit Hunter, a well-known rootkit detection tool.

How to install/use Rootkit Hunter



It can be installed with a single command:

sudo apt install rkhunter



Out of the box it does not work because of the default configuration (intentionally?).
Let's correct that.

sudo nvim /etc/rkhunter.conf

#UPDATE_MIRRORS=0
UPDATE_MIRRORS=1

#MIRRORS_MODE=1
MIRRORS_MODE=0

#WEB_CMD="/bin/false"
WEB_CMD=curl



I tried updating the rootkit data files.
It seems to have completed successfully.

sudo rkhunter --update
  [ Rootkit Hunter version 1.4.6 ]
  Checking rkhunter data files…
    Checking file mirrors.dat                                  [ Updated ]
    Checking file programs_bad.dat                             [ No update ]
    Checking file backdoorports.dat                            [ No update ]
    Checking file suspscan.dat                                 [ No update ]
    Checking file i18n/cn                                      [ Skipped ]
    Checking file i18n/de                                      [ Skipped ]
    Checking file i18n/en                                      [ No update ]
    Checking file i18n/tr                                      [ Skipped ]
    Checking file i18n/tr.utf8                                 [ Skipped ]
    Checking file i18n/zh                                      [ Skipped ]
    Checking file i18n/zh.utf8                                 [ Skipped ]
    Checking file i18n/ja                                      [ Skipped ]



I ran a scan with the --skip-keypress option to avoid interactive prompts. No possible rootkits were detected (the summary does list three suspect files; those warnings are in the log file).

sudo rkhunter --check --skip-keypress
 [ Rootkit Hunter version 1.4.6 ]
 (snip)
 System checks summary
  File properties checks…
      Files checked: 142
      Suspect files: 3
  Rootkit checks…
      Rootkits checked : 496
      Possible rootkits: 0
  Applications checks…
      All checks skipped
  The system checks took: 3 minutes and 52 seconds
  All results have been written to the log file: /var/log/rkhunter.log
  One or more warnings have been found while checking the system.
  Please check the log file (/var/log/rkhunter.log)



I set up a cron job to scan every day.
You can refer to this page for the complete contents.

#!/bin/sh
# Daily rkhunter job: check for a newer rkhunter release, refresh the data
# files, then run the scan non-interactively and mail only the warnings.
/usr/bin/rkhunter --versioncheck
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob --report-warnings-only | /usr/bin/mail -s "rkhunter output" admin@yourdomain.com


I made the script executable, set its owner to root, and moved it into the cron.daily directory.

sudo chmod 755 rkhunter
sudo chown root:root rkhunter
sudo mv rkhunter /etc/cron.daily/
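Because the daily mail only tells you whether warnings were found, it helps to have something that reads the "System checks summary" and classifies the result before it reaches your inbox. As an added example (not from the original post), this POSIX sh code parses a summary constructed from the scan output shown above; the function names rkh_count and rkh_status are my own.

```shell
#!/bin/sh
# Added example: classify an rkhunter "System checks summary".
# SAMPLE_SUMMARY is constructed from the output shown in this post.
SAMPLE_SUMMARY='System checks summary
  File properties checks...
      Files checked: 142
      Suspect files: 3
  Rootkit checks...
      Rootkits checked : 496
      Possible rootkits: 0
  Applications checks...
      All checks skipped
  One or more warnings have been found while checking the system.'

# rkh_count LABEL: read a summary on stdin and print the integer that follows
# the first line containing LABEL (e.g. "Possible rootkits"); prints 0 when
# the label is absent so callers can always do arithmetic on the result.
rkh_count() {
    n=$(grep -i "$1" | sed 's/.*:[[:space:]]*//' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# rkh_status SUMMARY: print CRITICAL when any possible rootkit was reported,
# WARNING when suspect files or an explicit warning line are present,
# and CLEAN otherwise.
rkh_status() {
    summary="$1"
    rootkits=$(printf '%s\n' "$summary" | rkh_count 'Possible rootkits')
    suspects=$(printf '%s\n' "$summary" | rkh_count 'Suspect files')
    if [ "$rootkits" -gt 0 ]; then
        echo CRITICAL
    elif [ "$suspects" -gt 0 ] || printf '%s\n' "$summary" | grep -q 'warnings have been found'; then
        echo WARNING
    else
        echo CLEAN
    fi
}

# Example run on the constructed summary: prints WARNING (three suspect files).
rkh_status "$SAMPLE_SUMMARY"
```

In the cron job you could feed the summary written to /var/log/rkhunter.log into rkh_status and choose the mail subject from its result, so a CRITICAL scan stands out from routine file-property warnings.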



The next day I found a new mail from Rootkit Hunter.
(I temporarily removed --report-warnings-only for testing.)

The contents were empty, so I guess no warnings were found.

Daily scanning looks to be working fine, so it's good!

Conclusion

How was it?

It's easy, so there is no reason to hesitate!

Security topics are collected in this article; take a look!
