
Want your very own server? Get our 1GB memory, Xeon V4, 20GB SSD VPS for £10.00 / month.

View Plans

How To Install And Use rkhunter On Ubuntu 14.04

Introduction

Running Linux does not make a system 100% secure. Linux is still a target for malware, and one kind of malware you can pick up on a Linux server is a rootkit.

A rootkit is a collection of malicious software designed to give an attacker access to a computer, or to parts of its software, that they would not otherwise be allowed, while hiding its own existence or the existence of other software.

Rootkit installation is usually automated by exploiting a software vulnerability, but an attacker can also install a rootkit by hand once they have broken into a system and gained root or administrator access.

TechTarget's definition of a rootkit is:

a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.

In this tutorial we'll learn how to install and configure rkhunter on Ubuntu 14.04 Trusty Tahr so that we can scan our system for potential rootkits.

Install rkhunter

We will install rkhunter from the Ubuntu repository rather than from the archive on the rkhunter website. First refresh the apt metadata, then install the package:

    $ sudo apt-get update
    $ sudo apt-get -y --no-install-recommends install rkhunter

We pass --no-install-recommends to apt so that rkhunter is installed in a minimal way. One of rkhunter's recommended packages is postfix, a mail server; we assume the server is already configured to relay outgoing mail to another mail server, so a local mail server is not needed.

Updating rkhunter Data Files

After installing rkhunter we need to update its data files (the rootkit signatures and mirror list it checks against) by running the command below:

    $ sudo rkhunter --update
    [ Rootkit Hunter version 1.4.0 ]

    Checking rkhunter data files...
      Checking file mirrors.dat                                  [ No update ]
      Checking file programs_bad.dat                             [ Updated ]
      Checking file backdoorports.dat                            [ No update ]
      Checking file suspscan.dat                                 [ No update ]
      Checking file i18n/cn                                      [ No update ]
      Checking file i18n/de                                      [ Updated ]
      Checking file i18n/en                                      [ Updated ]
      Checking file i18n/tr                                      [ Updated ]
      Checking file i18n/tr.utf8                                 [ Updated ]
      Checking file i18n/zh                                      [ No update ]
      Checking file i18n/zh.utf8                                 [ No update ]

Note that --update only refreshes these data files; it does not touch the baseline of file properties (hashes, sizes, permissions of system binaries) that rkhunter compares against during a scan. That baseline is taken with rkhunter --propupd, which you should run once now, while the system is known to be clean, and again after every legitimate package upgrade, otherwise the next scan will flag the upgraded binaries as changed.

Rootkit Scanning Using rkhunter

With the data files updated, run rkhunter for the first time:

    $ sudo rkhunter -c

rkhunter runs with its default configuration. The output is long and the scan pauses after each group of checks, so you will need to press Enter several times to let it continue. The full results are also written to /var/log/rkhunter.log, which is the place to look when reviewing warnings afterwards.

Two caveats when reading the result. Warnings about changed file properties are common after package upgrades; confirm that the change came from a package you installed before whitelisting it. And because rkhunter runs on the very host it is inspecting, a rootkit that hooks the kernel can hide from it, so a clean scan is one signal among several, not proof that the system is untouched.
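The install, update and first scan above are the interactive route. For a scheduled scan you want the same steps without the Enter prompts, plus a way to pull the findings out of the log. The script below is an added example written for this page; it is not part of the original tutorial or of rkhunter itself. The rkhunter options it uses (--propupd, --check, --sk, --rwo) are real, while the log excerpt embedded in rkh_sample_log is constructed to resemble the shape of /var/log/rkhunter.log so that the parsing functions can be exercised without running a scan.

```shell
#!/bin/sh
# Added example (not from the original tutorial or from rkhunter): run
# rkhunter non-interactively and extract the findings from its log, the way
# a cron job or a monitoring script would.
set -e

# Location of the rkhunter log on Debian/Ubuntu (LOGFILE in rkhunter.conf).
RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}

# Take a fresh baseline of file properties. Run once right after a clean
# install and again after every legitimate package upgrade; otherwise the next
# scan reports the upgraded binaries as changed.
rkh_baseline() {
    sudo rkhunter --propupd
}

# Non-interactive scan: --sk skips the "press Enter" prompts and --rwo prints
# warnings only, so the output and exit status are usable from cron.
# rkhunter exits non-zero when it has warnings to report.
rkh_scan() {
    sudo rkhunter --check --sk --rwo
}

# Count the "Warning:" lines in an rkhunter log (path given as $1).
# The "[ Warning ]" status column of individual checks is deliberately not
# counted; only the explanatory "Warning: ..." lines are.
rkh_count_warnings() {
    grep -c '] Warning: ' "$1" || true
}

# Extract the "Possible rootkits:" figure from the summary part of the log.
rkh_possible_rootkits() {
    sed -n 's/.*Possible rootkits: *\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Constructed log excerpt in the shape of /var/log/rkhunter.log, embedded so
# the parsing functions can be demonstrated stand-alone. Not a real scan.
rkh_sample_log() {
    cat <<'EOF'
[10:01:02] Info: Starting the file properties checks.
[10:01:05]   /usr/bin/ssh                             [ Warning ]
[10:01:05] Warning: The file properties have changed:
[10:01:05]          File: /usr/bin/ssh
[10:01:09]   /usr/bin/curl                            [ Warning ]
[10:01:09] Warning: The file properties have changed:
[10:01:09]          File: /usr/bin/curl
[10:02:10] Info: Starting the rootkit checks.
[10:03:00] Rootkits checked : 297
[10:03:00] Possible rootkits: 0
[10:03:00] Info: End of the rootkit checks.
EOF
}

# Summarise a real log: prints "<warnings> <possible-rootkits>".
rkh_summary() {
    log=${1:-$RKH_LOG}
    printf '%s %s\n' "$(rkh_count_warnings "$log")" "$(rkh_possible_rootkits "$log")"
}
```

Run rkh_baseline once after installing rkhunter and after each apt upgrade, then have cron call rkh_scan and feed /var/log/rkhunter.log to rkh_summary; a jump in the warning count between two runs is what deserves a human's attention. The Ubuntu package also ships its own daily cron job, driven by /etc/default/rkhunter (CRON_DAILY_RUN, REPORT_EMAIL), which is an alternative to scheduling this script yourself.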

Configure Email For Warnings

We can configure rkhunter to send us an email only when a scan produces a warning. Emailing only on warnings makes it far more likely that the message gets attention, rather than being filtered away like a report that arrives after every scan.

To configure email on warning, open

    /etc/rkhunter.conf

and find the line

    MAIL-ON-WARNING=""

Put your email address between the double quotes, e.g.:

    MAIL-ON-WARNING="youremail@yourdomain.com"

We can add multiple email addresses separated by spaces (rkhunter's own configuration comment gives the form MAIL-ON-WARNING=me@mydomain root@mydomain), or put a group address there so that multiple people receive the email. Using a group address makes sure more than one person sees the warning and at least one member of the team acts on it.

After changing the configuration, we can check it with the command below:

    $ sudo rkhunter -C
    Command cannot be found: MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

If there is no output, the configuration is OK. Output like the above means there is an error in the configuration file: here rkhunter reports that the command named in MAIL_CMD, mail, cannot be found in its PATH. Note that -C only validates the configuration and checks that the commands it references exist; it does not send a test message. To provide a mail command we will install msmtp and create a symlink to the msmtp binary named mail.

To install msmtp we can run command below:

    $ sudo apt-get install msmtp

We then create a symlink named mail that points at the msmtp binary:

    $ sudo ln -sf /usr/bin/msmtp /usr/sbin/mail

You can take a look at the additional tutorial on Hostpresto! entitled How to Send Email from the Command Line with MSMTP and Mutt to learn how to configure msmtp to send email properly. Once a mail executable is on the PATH, running $ sudo rkhunter -C should produce no output. Bear in mind that this only proves the command exists: msmtp takes sendmail-style arguments (it reads a complete message, headers included, from standard input) rather than the mail(1) interface that rkhunter's default MAIL_CMD relies on, so send yourself a test message through the configured command and confirm it arrives before trusting the setup, or set MAIL_CMD to a command you have tested.
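Editing /etc/rkhunter.conf by hand works for one server, but when you manage several you want the change scripted and verifiable, and you want to prove that mail actually leaves the box, which rkhunter -C does not do. The functions below are an added example written for this page, not code from the tutorial or from rkhunter. rkh_sample_conf is a constructed fragment standing in for /etc/rkhunter.conf, and rkh_test_mail assumes a mail(1) command that accepts -s and a working transport behind it; it is meant to be run by hand, not from the automated check.

```shell
#!/bin/sh
# Added example (not from the original tutorial or from rkhunter): set
# MAIL-ON-WARNING in rkhunter.conf without leaving duplicate copies behind,
# read the value back, and send a test message through the same mail(1)
# interface rkhunter's default MAIL_CMD uses.
set -e

# Set (or replace) the MAIL-ON-WARNING line in the config file given as $1.
# $2 is the value; rkhunter accepts several space-separated addresses.
# Only an active (uncommented) line is replaced; commented examples stay.
rkh_set_mail_on_warning() {
    conf=$1; addrs=$2
    if grep -q '^MAIL-ON-WARNING=' "$conf"; then
        # In-place edit with a .bak copy so the change can be reverted.
        sed -i.bak "s|^MAIL-ON-WARNING=.*|MAIL-ON-WARNING=\"$addrs\"|" "$conf"
    else
        printf 'MAIL-ON-WARNING="%s"\n' "$addrs" >> "$conf"
    fi
}

# Print the configured value without its quotes; empty output if unset.
rkh_get_mail_on_warning() {
    sed -n 's/^MAIL-ON-WARNING="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}

# Send a one-line test report to the given address(es) through mail(1), the
# same shape of command rkhunter runs. Run this manually after configuring
# the transport; a silent "rkhunter -C" does not prove delivery works.
rkh_test_mail() {
    addrs=$1
    printf 'rkhunter mail test from %s\n' "$(hostname)" |
        mail -s "[rkhunter] test for $(hostname)" $addrs
}

# Constructed rkhunter.conf fragment standing in for /etc/rkhunter.conf, so
# the set/get functions can be demonstrated without touching the real file.
rkh_sample_conf() {
    cat <<'EOF'
# Email a message to this address if a warning is found.
#MAIL-ON-WARNING=me@mydomain   root@mydomain
MAIL-ON-WARNING=""
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
EOF
}
```

On a real host call rkh_set_mail_on_warning /etc/rkhunter.conf "ops@example.com" as root, run rkhunter -C to validate the file, then rkh_test_mail ops@example.com and wait for the message; only when it arrives is the warning path known to work end to end.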

Summary

In this tutorial we explained how to install rkhunter to scan a server for rootkits, how to run a scan, and how to configure email notification for warnings. rkhunter adds one more layer of protection to a server; it is most useful when its file-property baseline is kept current and its warnings are actually read. We hope you find this tutorial useful, thank you.
