
Rkhunter (Rootkit Hunter) is a tool that scans the system for rootkits, backdoors, and possible local exploits. It is a free and open-source security tool that runs on Linux and Unix-like systems. Rkhunter is a powerful tool that can help you detect and prevent potential security threats on your system. In this article, we will show you how to install and configure Rkhunter on Ubuntu/Debian.
Step 1: Update the System
Before installing Rkhunter, it is important to update the system to the latest version. To update the system, run the following commands:
$ sudo apt update
$ sudo apt upgrade
Step 2: Install Rkhunter
To install Rkhunter, run the following command:
$ sudo apt install rkhunter
This will install Rkhunter and its dependencies on your system.
Step 3: Configure Rkhunter
After installing Rkhunter, you need to configure it to scan your system for potential threats. To do this, you need to edit the Rkhunter configuration file.
$ sudo nano /etc/rkhunter.conf
This will open the Rkhunter configuration file in the Nano text editor.
Step 4: Set the Required Options
In the Rkhunter configuration file, you need to set the following options:
- UPDATE_MIRRORS: This option enables Rkhunter to update its database of known rootkits and malware. Set this option to 1.
- CRON_DAILY_RUN: This option enables Rkhunter to run daily scans of your system. Set this option to true.
- REPORT_EMAIL: This option sets the email address to which Rkhunter will send daily scan reports. Set this option to your email address.
- ALLOW_SSH_ROOT_USER: This option allows Rkhunter to scan the root user’s SSH files. Set this option to no.
- ALLOW_SSH_PROT_V1: This option allows Rkhunter to scan SSH version 1 files. Set this option to 2.
- ALLOW_SYSLOG_REMOTE: This option allows Rkhunter to scan remote syslog servers. Set this option to no.
- USE_SYSLOG: This option enables Rkhunter to log its activity to the system log. Set this option to authpriv.notice.
After setting the required options, save and close the Rkhunter configuration file.
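Instead of hunting for each line in nano, the settings from this step can be applied with a small script. This is an added example, not part of the article or the rkhunter project: the set_option and get_option helpers and the sample file are mine, and the demo writes to a temporary copy rather than to /etc/rkhunter.conf.

```shell
#!/bin/sh
# Added example, not from the original article: apply the Step 4 settings to an
# rkhunter.conf without hand-editing. set_option rewrites an existing active or
# commented-out "KEY=..." line in place, or appends the line when the key is
# absent, so running it twice is harmless.
set -eu

# set_option FILE KEY VALUE
set_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[# \t]*" k "[ \t]*=") {
            if (!done) { print k "=" v; done = 1 }   # first hit: write the new line
            next                                      # later hits: drop duplicates
        }
        { print }
        END { if (!done) print k "=" v }              # key absent: append it
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are preserved
    rm -f "$tmp"
}

# get_option FILE KEY -> prints the active value; exit 1 if the key is not set
get_option() {
    awk -F= -v k="$2" '$1 == k { print $2; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Demo on a constructed copy so nothing under /etc is touched; for the real
# file pass /etc/rkhunter.conf (as root) instead of "$demo".
demo() {
    demo=$(mktemp)
    printf '%s\n' '# constructed sample of a stock config' '#UPDATE_MIRRORS=0' \
        'ALLOW_SSH_PROT_V1=0' > "$demo"
    set_option "$demo" UPDATE_MIRRORS 1
    set_option "$demo" CRON_DAILY_RUN true
    set_option "$demo" REPORT_EMAIL root@localhost     # placeholder address
    set_option "$demo" ALLOW_SSH_ROOT_USER no
    set_option "$demo" ALLOW_SSH_PROT_V1 2
    set_option "$demo" ALLOW_SYSLOG_REMOTE no
    set_option "$demo" USE_SYSLOG authpriv.notice
    cat "$demo"
    rm -f "$demo"
}

demo
```

To change the real file, call set_option /etc/rkhunter.conf KEY VALUE as root and then run sudo rkhunter -C so rkhunter validates the configuration. On Debian and Ubuntu the packaged daily cron job reads CRON_DAILY_RUN and REPORT_EMAIL from /etc/default/rkhunter, so pass that path for those two keys.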
Step 5: Update Rkhunter Database
Before running the Rkhunter scan, you need to update its database of known rootkits and malware. To do this, run the following command:
$ sudo rkhunter --update
This will update the Rkhunter database on your system.
Step 6: Run Rkhunter Scan
To run the Rkhunter scan, run the following command:
$ sudo rkhunter --check
This will scan your system for potential rootkits and malware.
Step 7: Review the Rkhunter Report
After the Rkhunter scan is complete, you need to review the Rkhunter report to identify any potential threats. The Rkhunter report is located in the following file:
/var/log/rkhunter.log
Open the Rkhunter report using the following command:
$ sudo nano /var/log/rkhunter.log
This will open the Rkhunter report in the Nano text editor.
Review the Rkhunter report to identify any potential threats. If you find any potential threats, you need to investigate them further.
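To triage the report without paging through the whole log, the warning entries can be pulled out with a short script. This is an added example, not from the article or from rkhunter itself: the log lines it runs on are constructed in rkhunter's log layout, and the warnings and count_warnings function names are my own.

```shell
#!/bin/sh
# Added example, not part of the article: extract only the warning entries from
# an rkhunter log so a long /var/log/rkhunter.log can be reviewed quickly.
# The log lines below are constructed in the layout rkhunter writes
# ("[HH:MM:SS] " prefix, "Warning:" entries, detail lines indented after it).
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[10:15:01] Info: Starting the file properties checks.
[10:15:02] Checking /usr/bin/ls                                  [ OK ]
[10:15:02] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[10:15:05] Info: Starting the rootkit checks.
[10:15:07] Checking /dev for suspicious file types               [ Warning ]
[10:15:07] Warning: Suspicious file types found in /dev:
[10:15:07]          /dev/shm/constructed-sample: data
[10:15:09] Warning: Hidden directory found: /etc/.java
[10:15:12] Info: Checking for hidden files and directories finished
EOF

# warnings FILE -> prints each "Warning:" entry together with its detail lines
warnings() {
    awk '
        /^\[[0-9:]+\] Warning:/ { show = 1; print; next }
        /^\[[0-9:]+\]  +/       { if (show) print; next }  # 2+ spaces: detail line
                                { show = 0 }               # any other entry ends it
    ' "$1"
}

# count_warnings FILE -> number of "Warning:" entries (prints 0 for a clean log)
count_warnings() {
    grep -c '^\[[0-9:]*\] Warning:' "$1" || true
}

# Review view of the sample; for a real run use the path from Step 7,
# e.g. warnings /var/log/rkhunter.log (as root).
printf '%s warning line(s) found:\n' "$(count_warnings "$SAMPLE_LOG")"
warnings "$SAMPLE_LOG"
```

At scan time the same view is available directly from sudo rkhunter --check --report-warnings-only (--rwo for short), which prints only the warnings to the terminal.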
Step 8: Automate Rkhunter Scans
To make sure that your system is continuously scanned for potential security threats, you can automate Rkhunter scans using a cron job. To do this, follow the steps below:
- Open the crontab configuration file using the following command:
$ sudo crontab -e
- Add the following line at the bottom of the file to schedule daily Rkhunter scans:
@daily /usr/bin/rkhunter --cronjob --update --quiet
This will run a daily Rkhunter scan and update the Rkhunter database. The --quiet option tells Rkhunter to run in quiet mode, which means it will only report potential threats.
- Save and close the crontab configuration file.
Now, Rkhunter will run daily scans on your system and send reports to the email address specified in the Rkhunter configuration file.
Conclusion
Rkhunter is an effective instrument for identifying and thwarting potential security risks on your system. In this article, we have shown you how to install and configure Rkhunter on Ubuntu/Debian. We have also shown you how to run Rkhunter scans and review the Rkhunter report. Finally, we have shown you how to automate Rkhunter scans using a cron job. By following these steps, you can keep your system secure and protected from potential security threats.
8 thoughts on - How to Install and Configure Rootkit Hunter on Ubuntu/Debian
I have no idea how to do step 4. Need precise step by step instructions.
Hi, you just need to open the configuration file. Then, locate the line that says UPDATE_MIRRORS and change it to “UPDATE_MIRRORS=1”. Do the same for the mentioned options.
Thanks for the reply, I’m too new at this. I can open the config file (nano); it’s finding the line I can’t seem to figure out.
Thanks for the reply, left a reply to this earlier but it disappeared. I’m very new to this, trying to use nano, have no idea how to find the lines to edit; every way I have tried says no line found.
After opening the file with nano you would have to search for the attributes; if you can’t find them, you can add them to the file.
At least for me, none of the rkhunter .day files will update. As well, I received an error regarding a bad value for “ALLOW_SSH_PROT_V1=no”. The application is expecting a numeric value.
Hi,
We updated the post.
A value of ‘2’ may be set here in order to suppress a warning message. A value of ‘0’ indicates that the use of SSH-1 is not allowed.
Best regards.
Thanks.