Rkhunter is a tool that scans for rootkits, backdoors, and other security issues on Linux systems. It does this by examining your files and comparing the hashes against known values of trusted software and malware. In this tutorial, we will install and set up rkhunter on a Debian 10 Rcs instance.
Prerequisites
- Follow our best practices guide to update your Debian system.
- Create a non-root sudo user.
1. Install Rkhunter
Install rkhunter with apt.
$ sudo apt install rkhunter -y
2. Configure Rkhunter
Rkhunter uses data files to store information on possible threats. Unfortunately, the default configuration of Debian does not allow us to update these files. We will adjust the settings to correct this issue.
Edit the /etc/rkhunter.conf file with nano.
$ sudo nano /etc/rkhunter.conf
Type Ctrl+W to search for WEB_CMD="/bin/false".
Add a#
comment at the beginning of the line to disable the statement.# WEB_CMD="/bin/false"
Type Ctrl+W to search for UPDATE_MIRRORS.
Set UPDATE_MIRRORS value to 1.
UPDATE_MIRRORS=1
Type Ctrl+W to search for MIRRORS_MODE.
Set MIRRORS_MODE value to 0.
MIRRORS_MODE=0
(Optional) Enable email notifications.
Type Ctrl+W to search for MAIL-ON-WARNING.
Remove the#
comment at the beginning of the line and assign an email address.MAIL-ON-WARNING=admin@example.com
Save and exit the file.
3. Confirm Configuration File
Make sure your configuration file is valid with the following command:
$ sudo rkhunter -C
If there is no output, your configuration file is valid.
4. Update the Data Files
Update the rkhunter data files.
$ sudo rkhunter --update
5. Check the Local System
To check the local system, use the check parameter.
$ sudo rkhunter --check
When finished, inspect /var/log/rkhunter.log for warnings and alerts.