Installation Rootkit Hunter (rkhunter) on CentOS 5
2016-01-20 00:00
543 views
Summary:
Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits.
Rootkits are self-hiding toolkits secretly installed by a malicious intruder to allow that user to keep access to the server. Rootkit Hunter offers protection by comparing SHA-1 hashes of important files with known good ones in an online database, as well as:
- MD5 hash comparison
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
Installation
1.1 Download Rootkit Hunter
Begin by downloading the latest stable version of rkhunter with the wget command. The /usr/local/src folder is where you should put any programs (source or binary) you've downloaded before installing them.
Make sure to check for the latest available version here, and adjust the instructions below accordingly. Note that the .sha1.txt file is fetched from the same mirror as the tarball, so a matching checksum only shows that the download was not corrupted in transit; it does not prove that the mirror itself is trustworthy.
cd /usr/local/src
wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.4.2.tar.gz
wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.4.2.tar.gz.sha1.txt
sha1sum -c rkhunter-1.4.2.tar.gz.sha1.txt
1.2 Installation Rootkit Hunter
Once you have downloaded the latest version of Rootkit Hunter, issue the following commands as root to start the installation routine. The --propupd step records the current file properties as the known-good baseline, so run it only on a system you trust to be clean (right after installation, and again after trusted package updates); otherwise later file-property checks are compared against a tainted baseline.
tar -zxvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd
rm -Rf /usr/local/src/rkhunter*
Automate Rootkit Hunter
Rkhunter can be set up to run checks every day so that we always have up-to-date information about intrusions. This can be accomplished by creating a cron job.
2.1 Create Cron File
Create the run-file in the following location (RHEL based distributions only):
nano -w /etc/cron.daily/rkhunter.sh
2.2 Insert Shell Script
The script below mails the scan output to the e-mail address you specify. The --versioncheck option checks that our threat definitions are up to date. The --update option updates our threat definitions if required. The --cronjob option tells rkhunter not to require interactive key presses. Insert this short shell script into the rkhunter.sh file we have just created.
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Scan Report (PutYourServerNameHere)' your@email.here
Important: remember to change (PutYourServerNameHere) and your@email.here to a valid server name and e-mail address.
2.3 Set Execute Permissions
Set execute permission on the file you have just created:
chmod 755 /etc/cron.daily/rkhunter.sh
The cron utility will run once daily, and if a threat is detected, the rkhunter command itself will email our user to alert them. If no problems were found, no email will be received.
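The cron script above pipes the whole run into mail unconditionally. The wrapper below is an added example, not the page's script: it keeps a dated log of every run and sends mail only when rkhunter's exit status or a "Warning:" line says something needs attention, so a quiet day produces no mail. The paths, the mail command, the recipient address and the server tag are assumptions set at the top; rkhunter exiting with a non-zero status on warnings is documented behaviour, and the grep on "Warning:" is a belt-and-braces check on the --report-warnings-only output.

```shell
#!/bin/sh
# Added example (not from the original page): /etc/cron.daily/rkhunter.sh
# replacement that logs every run and mails only when the scan needs attention.
# Assumed, change to taste: RKHUNTER, LOGDIR, MAIL_CMD, MAILTO, SERVER_TAG.
RKHUNTER="${RKHUNTER:-/usr/local/bin/rkhunter}"
LOGDIR="${LOGDIR:-/var/log/rkhunter}"
MAIL_CMD="${MAIL_CMD:-/bin/mail}"
MAILTO="${MAILTO:-your@email.here}"          # placeholder address
SERVER_TAG="${SERVER_TAG:-$(hostname 2>/dev/null || echo unknown-host)}"

# scan_needs_attention RC REPORT
# Returns 0 (true) when the run must be looked at: rkhunter exited non-zero
# (it exits 1 on warnings or errors), or the report text carries a
# "Warning:" line. Both signals are checked so that neither an empty report
# with a bad exit code nor a warning with a zero exit code is dropped.
scan_needs_attention() {
    _rc="$1"
    _report="$2"
    [ "$_rc" -ne 0 ] && return 0
    printf '%s\n' "$_report" | grep -q '^Warning:' && return 0
    return 1
}

# run_daily_scan
# Refreshes the data files, runs the non-interactive scan, appends both to a
# dated log, mails the report only when it needs attention, and returns the
# scan's exit code so cron sees failures as well.
run_daily_scan() {
    mkdir -p "$LOGDIR" || return 2
    logfile="$LOGDIR/rkhunter-$(date +%Y%m%d).log"
    "$RKHUNTER" --update >"$logfile" 2>&1
    report="$("$RKHUNTER" --cronjob --report-warnings-only 2>&1)"
    scan_rc=$?
    printf '%s\n' "$report" >>"$logfile"
    if scan_needs_attention "$scan_rc" "$report"; then
        printf '%s\n' "$report" \
          | "$MAIL_CMD" -s "rkhunter warning on $SERVER_TAG (exit $scan_rc)" "$MAILTO"
    fi
    return "$scan_rc"
}

# Run the scan only when this file is executed as rkhunter.sh (the cron.daily
# name used above); sourcing the file elsewhere just defines the functions.
case "$0" in
    */rkhunter.sh|rkhunter.sh) run_daily_scan ;;
esac
```

Install it as /etc/cron.daily/rkhunter.sh with mode 755 exactly as in step 2.3; the log directory lets you review a run that produced no mail, which the original one-liner cannot do.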
Rootkit Hunter configuration
The configuration file for rkhunter can be found at:
/etc/rkhunter.conf
3.1 SSHD Root Logon
The parameter ALLOW_SSH_ROOT_USER tells rkhunter whether or not the root user is allowed to ssh into the system. This is unset by default in the rkhunter.conf file. Rkhunter will complain about this on every run. If you have disabled root login, you should set this parameter to "no".
ALLOW_SSH_ROOT_USER=no
If you need root login over SSH, you should change this parameter to "yes" so that rkhunter can check this and will mark this setting as valid:
ALLOW_SSH_ROOT_USER=yes
Security practices recommend disabling root login.
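The warning described in this section comes from rkhunter comparing ALLOW_SSH_ROOT_USER with the PermitRootLogin directive in sshd_config. The script below is an added example, not rkhunter's own code: it extracts the effective value from each file and reports whether the pair would be accepted, which is handy before a cron run or in a configuration-management check. Assumptions, all labelled in the code: the stock file locations are used as defaults; an absent PermitRootLogin directive is taken as "yes", the default of the OpenSSH versions shipped with CentOS 5; prohibit-password (the newer OpenSSH spelling) is folded into without-password; directives inside Match blocks are ignored because they are conditional; and, following the page's statement that rkhunter complains while the option is unset, a missing or commented-out ALLOW_SSH_ROOT_USER is reported as a mismatch.

```shell
#!/bin/sh
# Added example (not rkhunter's code): does ALLOW_SSH_ROOT_USER in rkhunter.conf
# agree with PermitRootLogin in sshd_config? Default paths are assumptions.

# sshd_permit_root_login [FILE]
# Prints the effective PermitRootLogin value. sshd uses the first directive it
# reads, so the first uncommented one wins; conditional settings inside Match
# blocks are not global and are ignored here. Assumption: when the directive
# is absent we print "yes", the default of CentOS 5-era OpenSSH (7.0+ defaults
# to prohibit-password, which is normalised to without-password below).
sshd_permit_root_login() {
    f="${1:-/etc/ssh/sshd_config}"
    v=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$f")
    [ -n "$v" ] || v=yes
    [ "$v" = prohibit-password ] && v=without-password
    printf '%s\n' "$v"
}

# rkhunter_allow_ssh_root [FILE]
# Prints the value of the last uncommented ALLOW_SSH_ROOT_USER line (this
# example's own convention when the option is repeated), or "unset" when the
# option is missing or commented out.
rkhunter_allow_ssh_root() {
    f="${1:-/etc/rkhunter.conf}"
    v=$(sed -n 's/^[[:space:]]*ALLOW_SSH_ROOT_USER[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f" \
        | tail -n 1)
    [ -n "$v" ] || v=unset
    printf '%s\n' "$v" | tr '[:upper:]' '[:lower:]'
}

# root_login_settings_agree [SSHD_CONF] [RKHUNTER_CONF]
# Returns 0 when the two values match, 1 when rkhunter would warn. An unset
# rkhunter option counts as a mismatch, since the page notes rkhunter
# complains on every run until it is set.
root_login_settings_agree() {
    sshd_val=$(sshd_permit_root_login "$1")
    rk_val=$(rkhunter_allow_ssh_root "$2")
    [ "$rk_val" != unset ] && [ "$rk_val" = "$sshd_val" ]
}

# Usage: run with no arguments on the host to check the live files.
if [ "$#" -eq 0 ] && [ -r /etc/ssh/sshd_config ] && [ -r /etc/rkhunter.conf ]; then
    if root_login_settings_agree; then
        echo "ok: sshd PermitRootLogin and ALLOW_SSH_ROOT_USER agree"
    else
        echo "mismatch: sshd says $(sshd_permit_root_login), rkhunter.conf says $(rkhunter_allow_ssh_root)"
    fi
fi
```

Pass explicit file paths as the two arguments to check copies pulled from another host; the exit status of root_login_settings_agree is what a configuration check or monitoring probe should key on.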
Update rkhunter
To check the currently installed version enter the following:
/usr/local/bin/rkhunter --versioncheck
Run the updater by issuing the following command:
/usr/local/bin/rkhunter --update
With our database files refreshed, we need to tell rkhunter to check the current values and store them as known-good values:
/usr/local/bin/rkhunter --propupd
Manual Scan
You can initiate a manual scan by issuing the following command:
/usr/local/bin/rkhunter -c
This runs rkhunter in interactive mode: when it reaches the end of each group of checks, you need to press Enter to continue. If you want to skip these key presses, add the -sk option at the end:
/usr/local/bin/rkhunter -c -sk
To scan the entire file system enter:
rkhunter --check
Your scan results should look as follows:
---------------------------- Scan results ----------------------------
MD5 scan
Scanned files: 0
Incorrect MD5 checksums: 0
File scan
Scanned files: 412
Possible infected files: 0
Application scan
Vulnerable applications: 0
Scanning took 39 seconds
rkhunter help
For more information and options please run the following command.
rkhunter --help