Rootkit Hunter for a CentOS server – Here’s how we set it up
Setting up Rootkit Hunter in a CentOS server is a common security practice.
This monitoring and analysis tool scans a server for rootkits, backdoors, and other possible exploits.
That is why at Bobcares, we install Rootkit Hunter in servers as part of our Server Management Services.
To know how this tool secures your servers, read on.
What is the role of the Rootkit Hunter?
Let’s begin by getting an idea of Rootkit.
A rootkit is a program that gives its user privileged control over the entire system while never revealing its own presence. Furthermore, rootkits are often bundled with other malware, viruses, etc.
Rootkit Hunter, aka Rkhunter, is an open-source scanner for Linux machines. This security tool checks for hidden files, detects wrong permissions set on binaries, finds suspicious strings in the kernel, and so on.
It checks whether the server has any known vulnerability and reports the problems it finds, sending an email with all the scan details. For instance, the result of a system security check appears as,
Here, Rkhunter only reports the threats. This is where our Support Engineers have a role to play.
Rkhunter identifies the threats on the server and writes them to rkhunter.log, and our experts fix them. Hence our customers need not fear the security risks in their servers.
How to install Rkhunter on CentOS?
There are two ways to install Rootkit Hunter on a CentOS server: either from the EPEL repository or directly from the source.
Installing Rkhunter from the EPEL repository is relatively easy. But on most servers, this repository is disabled.
Therefore, we install the tool manually from the source. The steps we use are,
Initially, we download the latest version of the Rkhunter tarball into the /tmp directory.
cd /tmp
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
Then we extract the files and run the installation script.
tar -xvf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
./installer.sh --layout default --install
Next, we run the Rkhunter updater to refresh its data files and build the file-properties database. For this, we use the commands,
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd
Finally, we set up a cron job and email alerts to automate the operation of Rkhunter.
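The daily cron wrapper referred to above, as an added example that is not from the original post: it runs rkhunter non-interactively, then mails only the warning lines from rkhunter.log. It assumes the default layout produced by installer.sh --layout default (binary in /usr/local/bin, log in /var/log/rkhunter.log), a working mail command, and a placeholder recipient address; the sample log lines are constructed, not captured from a server.

```shell
#!/bin/sh
# Added example (not the Bobcares post's own script): daily rkhunter cron wrapper.
# Assumed paths follow "installer.sh --layout default"; MAILTO is a placeholder.
RKHUNTER=/usr/local/bin/rkhunter
LOGFILE=/var/log/rkhunter.log
MAILTO="root@example.com"            # placeholder, change before deploying

# Number of "Warning:" lines in a log file (0 for a clean scan or a missing file).
count_warnings() {
    n=$(grep -c 'Warning:' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# The warning lines themselves, with the leading [HH:MM:SS] timestamp stripped.
list_warnings() {
    grep 'Warning:' "$1" 2>/dev/null | sed 's/^\[[^]]*\] *//' || true
}

# Run the scan and mail the warnings when there are any. --cronjob disables
# colours and key presses; --check (implied) exits 1 when warnings were found.
run_daily_scan() {
    "$RKHUNTER" --update >/dev/null 2>&1 || true          # refresh data files first
    if "$RKHUNTER" --cronjob --report-warnings-only >/dev/null 2>&1; then
        return 0                                           # clean run, nothing to mail
    fi
    list_warnings "$LOGFILE" | mail -s "rkhunter warnings on $(hostname)" "$MAILTO"
    return 1
}

# Constructed sample of rkhunter.log lines for exercising the helpers offline.
# Prints the path of the temporary file it wrote.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[03:15:02] Info: Starting system checks
[03:15:02] Checking for prerequisites                         [ OK ]
[03:15:07] Warning: The file properties have changed:
[03:15:07]          File: /usr/bin/ssh
[03:15:09] Warning: Hidden file found: /etc/.pwd.lock
[03:15:11] System checks summary
EOF
    echo "$f"
}

# Offline demonstration on the constructed sample; in production the cron script
# (e.g. /etc/cron.daily/rkhunter.sh, mode 755) calls run_daily_scan instead.
sample=$(make_sample_log)
echo "warnings in sample: $(count_warnings "$sample")"   # 2
rm -f "$sample"
```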
Common errors while installing Rkhunter
Let’s look at a few errors in the Rkhunter installation that our Support Engineers fixed.
Improper Rootkit Hunter installation
Recently, one of our customers got an error after updating Rkhunter to a newer version.
The error message appeared as,
rkhunter --update
Default logfile will be used (/var/log/rkhunter.log).
Default temporary directory will be used (/usr/local/rkhunter/lib/rkhunter/tmp).
Default database directory will be used (/usr/local/rkhunter/lib/rkhunter/db).
The internationalisation directory does not exist: /usr/local/rkhunter/lib/rkhunter/db/i18n.
On checking, our Support Engineers found that Rkhunter was still using the old rkhunter.conf file even after the update to the newer version. This caused the problem.
To solve the error, we removed the installation files completely and then reinstalled the new version.
This solved the problem.
Incorrect file permission
Similarly, another customer had set up a cron job to scan the file system every day and send notifications to a configured email address. However, it didn’t work correctly.
Our Support Engineers then found that the problem was incorrect permissions on the script file.
Therefore, we corrected the permissions as below,
chmod 755 /etc/cron.daily/rkhunter.sh
This is how we fixed the error.
In short, Rkhunter is a free scanner that helps secure a server from unauthorized access. Today, we saw how our Support Engineers installed Rootkit Hunter on a CentOS server and fixed the related errors.