Wednesday, June 18, 2008

Installation of RKHunter

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing MD5 hashes of important files with known-good hashes from an online database, searching for the default directories used by rootkits, wrong permissions, hidden files and suspicious strings in kernel modules, and by running special tests for Linux and FreeBSD.

Following are the installation steps for rkhunter:

#wget -c http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
#tar -zxvf rkhunter-1.2.7.tar.gz
#cd rkhunter-1.2.7
#./installer.sh

Now you can run a test scan with the following command:

#/usr/local/bin/rkhunter -c

How to set up a daily scan report?

#vi /etc/cron.daily/rkhunter.sh

add the following, replacing the email address with your own:
===
#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com)
===

#chmod +x /etc/cron.daily/rkhunter.sh

I just got a false positive!! What do I do?

False positives are warnings that indicate a problem where none actually exists. Example: a Linux distro updates a few commonly used binaries such as `ls` and `ps`. You (as a good sysadmin) install the new packages and, of course, run your daily Rootkit Hunter scan. Rootkit Hunter is not yet aware of the new files, so while scanning it reports them as "bad" files. In this case we have a false positive. Before dismissing a warning, you could always have your datacenter or a system administrator check the server to verify that it is not compromised.
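The following shell script is an added example, not part of the original post or of rkhunter itself. It reproduces in miniature the file-hash check described above: a baseline of hashes is recorded, a later scan reports any file whose hash has changed, and a legitimate package update therefore triggers a warning until the baseline is refreshed after the change has been verified (current rkhunter releases provide that refresh step as `rkhunter --propupd`). It assumes GNU coreutils (`sha256sum`, `find`, `mktemp`); the directory layout and the fake `ls`/`ps` files in the demo are constructed for the illustration, and SHA-256 is used in place of the MD5 hashes the post mentions because it is the stronger choice today.

```shell
#!/bin/sh
# Added example (not rkhunter code): a tiny file-property baseline that shows
# where a "false positive" after a package update comes from.
# Assumes GNU coreutils; paths with whitespace are not handled (kept simple).

# build_baseline DIR BASELINE
# Record the SHA-256 of every regular file under DIR into BASELINE.
build_baseline() {
    dir=$1
    baseline=$2
    (cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$baseline"
}

# check_baseline DIR BASELINE
# Print a warning for every file whose current hash differs from the baseline
# (a deleted file also counts as changed). Returns 0 if clean, 1 otherwise.
check_baseline() {
    dir=$1
    baseline=$2
    status=0
    while read -r hash path; do
        current=$( (cd "$dir" && sha256sum "$path" 2>/dev/null) | cut -d' ' -f1 )
        if [ "$current" != "$hash" ]; then
            echo "Warning: $path differs from baseline"
            status=1
        fi
    done < "$baseline"
    return $status
}

# demo_false_positive
# Constructed walk-through: clean scan, then a simulated distro update of `ls`
# raises a warning, then the baseline is refreshed once the update is trusted.
# Returns the status of the final scan (0 = clean).
demo_false_positive() {
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    printf 'ls v1\n' > "$work/bin/ls"   # constructed stand-in for /bin/ls
    printf 'ps v1\n' > "$work/bin/ps"   # constructed stand-in for /bin/ps

    build_baseline "$work/bin" "$work/baseline.txt"
    check_baseline "$work/bin" "$work/baseline.txt" && echo "Initial scan: clean"

    printf 'ls v2\n' > "$work/bin/ls"   # the package manager replaced ls
    check_baseline "$work/bin" "$work/baseline.txt" \
        || echo "Scan after update: warning (a false positive if the update was legitimate)"

    # Only after the update has been verified as genuine: refresh the baseline.
    build_baseline "$work/bin" "$work/baseline.txt"
    check_baseline "$work/bin" "$work/baseline.txt" && echo "Scan after refresh: clean"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo_false_positive
```

The important design point is the order of operations in the last step: the baseline is rebuilt only after someone has confirmed that the changed binaries came from a trusted package update. Refreshing it automatically whenever a warning appears would silently accept a rootkit's replacement binaries as the new "known good" set.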
