Tutorial

How To Use RKHunter to Guard Against Rootkits on an Ubuntu VPS

Published on January 1, 2014
How To Use RKHunter to Guard Against Rootkits on an Ubuntu VPS

Status: Deprecated

This article covers a version of Ubuntu that is no longer supported. If you are currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.

See Instead: This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.

Introduction


Exposing any computer to the internet is in some ways risky. There are many ways that your server can be compromised or attacked by remote systems and malicious software, and it is an ongoing and proactive process to defend yourself against potential threats.

One potential concern is rootkits. Rootkits are software secretly installed by a malicious intruder to allow that user continued access to the server once security is breached. This is an extremely dangerous problem, because even after the entry vector that the user originally used to gain access is fixed, they can continue to enter the server using the rootkit they installed.

One tool that can help you protect your system from these kinds of problems is rkhunter. This software checks your system against a database of known rootkits. Additionally, it can check other system files to make sure they are in line with expected properties and values.

In this guide, we will install and configure rkhunter to protect our Ubuntu 12.04 VPS.

Install RKHunter from Source


Because the Ubuntu repositories have an outdated version of rkhunter which contains an unpatched bug, we will be installing from source so that our program will behave properly.

Change to your home directory and download the files. As of this writing, 1.4.0 is the latest version, but you can go to the project’s home page to see if a newer version is available:

cd
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz

Once it has finished downloaded, extract the files and enter the resulting directory:

tar xzvf rkhunter*
cd rkhunter*

Inside, we should see a “files” directory, and an installer script. We will use this to install our program. Specify the layout to install it in the /usr directory so that it will be in our default path:

sudo ./installer.sh --layout /usr --install

This will install the software and the configuration files.

Now, we have rkhunter installed, but we still need some utilities to use all of its functionality. We can get these from the Ubuntu repositories:

sudo apt-get update
sudo apt-get install binutils libreadline5 libruby1.8 ruby ruby1.8 ssl-cert unhide.rb mailutils

You will be asked some questions about the mail server setup. You can configure this if you’d like, but for the sake of brevity, we will not be configuring a web-facing mail server. Select “Local only” to follow our example.

If you are installing locally, you can name the system mail anything. Otherwise, make sure to use a fully qualified domain name.

Now, our software is installed and ready for testing and configuration.

Initial Test Runs


Before we begin configuration, we will do a few test runs with the default settings to get an idea of how the software operates and set a baseline against which to guide our modifications.

The first thing we should do is ensure that our rkhunter version is up-to-date. If you did get the latest tarball from the site, it shouldn’t need to do anything, but it’s best to check anyways:

sudo rkhunter --versioncheck

[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter version...
  This version  : 1.4.0
  Latest version: 1.4.0

Next, we need to perform a similar option to update our data files. These files contain information that rkhunter checks against to determine if a file or behavior is suspicious or not. Keeping these files current is essential for accurately assessing your system:

sudo rkhunter --update

With our database files refreshed, we can set our baseline file properties so that rkhunter can alert us if any of the essential configuration files it tracks are altered. We need to tell rkhunter to check the current values and store them as known-good values:

sudo rkhunter --propupd

File created: searched for 167 files, found 136

Finally, we are ready to perform our initial run. This will produce some warnings. This is expected behavior, because rkhunter is configured to be generic and Ubuntu diverges from the expected defaults in some places. We will tell rkhunter about these afterwards:

sudo rkhunter -c --enable all --disable none

It will run one section of tests and then ask you to press enter to continue. You can review the warnings that were produced as you go, but there will be more detailed information in the log afterwards. Press enter until all of the tests are run.

Now, we should go through the logs and check out all of the warnings that were produced:

sudo nano /var/log/rkhunter.log

Search the file for the word “Warning”. You will see a number of different warnings that are caused by different aspects of our filesystem. We will configure rkhunter to ignore the ones we know are harmless in the next section.

Some of the changes, like changes to the passwd file, are only showing up because they have been changed by the helper utilities we downloaded with apt. The timestamps on these files are more recent than the rkhunter database files. They will disappear on the next run.

Another alternative to checking the log is to have rkhunter print out only warnings to the screen, instead of all checks:

sudo rkhunter -c --enable all --disable none --rwo

You can then copy and paste this information somewhere so we can implement the changes in our configuration file.

Configure RKHunter Based on Known-Good Values


Now that we have some info on how rkhunter is viewing our system, we can tell it which files and applications to ignore or handle differently in order to avoid false-positives.

Begin by opening the rkhunter configuration file with root privileges:

sudo nano /etc/rkhunter.conf

Set Up Mail Notifications


The first thing you can do is set up email notifications if you want to receive those when rkhunter hits a warning. You can do this here:

<pre> MAIL-ON-WARNING=“<span class=“highlight”>your_user@domain.com</span>” </pre>

If you set up local mail, you can put this to receive mail when you log in as root:

MAIL-ON-WARNING="root@localhost"

Note, that the mail programs were configured when you installed them, so whether this functions correctly depends on what your choices were.

A related configuration option specifies the program and options for sending the mail:

MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

Whitelist Known Script Files


Next, we will fix the warnings that told us that some of the binary packages on the system have been replaced by scripts. Some distributions (Ubuntu included) use scripted versions of files instead of their binary counterparts.

The four warnings I received were all examples of this. We can set a SCRIPTWHITELIST parameter to tell rkhunter that these are expected to be script files:

SCRIPTWHITELIST="/usr/sbin/adduser"
SCRIPTWHITELIST="/usr/bin/ldd"
SCRIPTWHITELIST="/usr/bin/unhide.rb"
SCRIPTWHITELIST="/bin/which"

This will prevent these files from triggering false positives on all subsequent checks. Note that these whitelists are specific for certain tests, so we are only flagging that we know these files are not supposed to be binary. Other changes can still trigger warnings, which is what we want.

Whitelist Files in the /dev Directory


Certain files in the /dev directory trigger a warning for rkhunter. These are all implementation details that do not actually point to anything wrong. They are supposed to be there and are supported by the distribution.

There are three warning types that we need to deal with. The first one is was a warning that there was a “suspicious file” in the directory. We will specifically allow this file by placing this line in the configuration:

ALLOWDEVFILE="/dev/.udev/rules.d/root.rules"

The next warning we must deal with is that there is a hidden directory in /dev. This is also expected. It is the directory that contained the previous file:

ALLOWHIDDENDIR="/dev/.udev"

The last warning is for hidden files. These are basic configuration files that are kept in this directory so that the utilities can access them regardless of the partitioning scheme and mount status.

Add these lines to allow these files to exist:

ALLOWHIDDENFILE="/dev/.blkid.tab"
ALLOWHIDDENFILE="/dev/.blkid.tab.old"
ALLOWHIDDENFILE="/dev/.initramfs"

Allow Root SSH Login


The next step is simply an assertion check. When you run rkhunter, it checks a parameter in its configuration file and compares it to the value in the SSHD configuration file.

This option specifies whether the root user can log in using SSH. Many security practices recommend disabling root login. If you have disabled root login, you should leave this parameter as “no”.

If you need root login over SSH, you should change this parameter to “yes” so that rkhunter can check this and will mark this setting as valid:

ALLOW_SSH_ROOT_USER=yes

Save and close the file when you are finished.

Check the Configuration


Now that we have configured rkhunter, you need to validate the configuration and check to see that everything is now working as expected.

The first step in this is checking that the configuration file itself is valid. You can run a test on it to see if rkhunter will accept all of the values that you’ve assigned:

sudo rkhunter -C

If this gives you any output back, you need to revisit the configuration again to adjust your parameters.

After you’ve gotten the configuration file in good working order, you can run the test again to see if there are any warnings.

sudo rkhunter -c --enable all --disable none --rwo

This should produce one warning, because our rkhunter configuration itself has been modified:

Warning: The file properties have changed:
         File: /etc/rkhunter.conf
         Current hash: fa8ad80a18100e669be507e69d0cbb88348fc07d
         Stored hash : f9015108a2f6d8044126351cf16235c55993ff7a
         Current inode: 2098189    Stored inode: 2100424
         Current size: 37607    Stored size: 37359
         Current file modification time: 1388443781 (30-Dec-2013 17:49:41)
         Stored file modification time : 1388442019 (30-Dec-2013 17:20:19)

We should have updated the file properties again after modifying this file. Do that now by typing:

sudo rkhunter --propupd

After it is finished, you can run the check command again and see that no errors are produced.

Forgetting to update the file properties gives you an option to check the mail notifications if you configured that. Since we configured local mail, we can access the messages by checking the root mailbox:

sudo mail

You should see a message that you can access by the number in the second column.

You can exit the mail screen by typing:

quit

If you set up remote email, you can check that too. It may be in your spam folder, so look there if you have not received it in your regular inbox.

Set Up a Cron Job to Automate Checks


Now that you have configured rkhunter and verified that it is operating correctly, it is probably a good idea to automate the system. We can set up rkhunter to run checks every day so that we have up-to-date information about intrusions.

This is most useful if you can have it email your regular email address, so that you are more likely to check it. Change the MAIL-ON-WARNING parameter in the /etc/rkhunter.conf file to your regular email if you haven’t done so already.

We want to run rkhunter with root privileges, as we have been doing, so we should add it to the root user’s crontab. It is important to remember not to add it to the system crontab, because this could be replaced in an upgrade and wipe out your changes.

First, we can see if the root user already has a crontab by typing:

sudo crontab -l

If this returns a crontab, then it is best to back up the file in case we make a mistake. You can do that by typing:

sudo crontab -l > crontab.bak

Afterwards, we can edit the root user’s crontab by issuing this command:

sudo crontab -e

If this is the first time you are running this command, it will ask you to choose the editor you would like to use. A safe choice is nano, if you do not have a preference for any of the other editors.

Afterwards, you will be taken into your editor and your file will be pre-populated with some comments explaining how to write the crontab.

There are a lot of complex ways to write cron specifications that can run commands at many intervals. For our purposes, we are just going to have to decide what time each day to run the command. As with most services, running it at night is usually optimal:

The format we will use is minutes hours * * * command. The hours should be written in 24 hour format (for example, 15 for 3pm). The command we want to use is /usr/bin/rkhunter --cronjob --update --quiet.

So if we want to run this command at 4:15am, we can type at the bottom of the file:

15 04 * * * /usr/bin/rkhunter --cronjob --update --quiet

The --cronjob option tells rkhunter to not output in a colored format and to not require interactive key presses. The update option ensures that our definitions are up-to-date. The quiet option suppresses all output.

The cron utility will run this command at 4:15am, and if there is any output, the rkhunter command itself will email our user to alert them. If no problems were found, no email will be received.

Conclusion


Now that you have rkhunter installed, configured, and automated, it should do the work for you for the most part. Make sure that if you are relying on email alerts, that you check them regularly and respond to any warnings that are produced.

It is also helpful to remember that when you make software changes on your computer, rkhunter may report differences in its next run. It is recommended that after you make changes, at least run sudo rkhunter --propupd to update rkhunter to the new file properties.

Because this software references known-good values and system states that you have allowed, it is best to install and configure this directly after you have configured most of the software for your installation. Doing so before configuring your software will result in a lot of false positives, while waiting too long can result in intrusion and not knowing if you are whitelisting bad files.

<div class=“author”>By Justin Ellingwood</div>

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Thank you for the best tutorial I have ever read. It has made my job so much easier.

Just had one question:- I am getting the following warnings which I know are false positive but unable to resolve them even after changing the config file.

Warning: The following processes are using deleted files: Process: /usr/sbin/mysqld PID: 1177 File: /tmp/ibMJVEav Process: /usr/lib/apache2/mpm-prefork/apache2 PID: 1951 File: /run/apache2/ssl_mutex Process: /usr/lib/apache2/mpm-prefork/apache2 PID: 1968 File: /run/apache2/ssl_mutex Process: /usr/lib/apache2/mpm-prefork/apache2 PID: 1993 File: /run/apache2/ssl_mutex Process: /usr/lib/apache2/mpm-prefork/apache2 PID: 2020 File: /run/apache2/ssl_mutex Process: /usr/lib/apache2/mpm-prefork/apache2 PID: 2023 File: /run/apache2/ssl_mutex Process: /usr/lib/apache2/mpm-prefork/apache2 PID: 2025 File: /run/apache2/ssl_mutex Process: /usr/lib/apache2/mpm-prefork/apache2 PID: 2026 File: /run/apache2/ssl_mutex

Config File settings are :- ALLOWPROCDELFILE=/usr/sbin/mysqld:/tmp/ib* ALLOWPROCDELFILE=/sbin/init:/var/log/upstart/dbus* ALLOWPROCDELFILE=“/usr/lib/apache2/mpm-prefork/apache2:/var/run/apache2/ssl_mutex”

Yes very good tutorial thanks.

I also receive the ‘deleted files’ error for apache and mysql

     Process: /usr/sbin/mysqld    PID: 1207    File: /tmp/ibFoy0qD
     Process: /usr/sbin/apache2    PID: 1375    File: /tmp/.ZendSem.jzYtJm

Any further insights into these kind of warnings would be helpful , is it save practice to disable the looking for deleted files?

root@www:~/rkhunter-1.4.2# apt-get install binutils libreadline5 libruby1.8 ruby ruby1.8 ssl-cert unhide.rb mailutils Reading package lists… Done Building dependency tree
Reading state information… Done Package ruby1.8 is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source However the following packages replace it: ruby

E: Unable to locate package libruby1.8 E: Couldn’t find any package by regex ‘libruby1.8’ E: Package ‘ruby1.8’ has no installation candidate

Great tuto !! Thx !

Running the

sudo rkhunter --versioncheck

[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter version… This version : 1.4.0 Latest version: 1.4.2 Update available

The --update would update the database, I am wondering if manually removing old and adding the latest will improve anything. I haven’t had any new updates show up in awhile.

Great article, thanks! Just for info, download link at time of writing is http://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz/download

This comment has been deleted

    This comment has been deleted

      yum update -y 2 cd /usr/local/src 3 wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Frkhunter%2F&ts=1436462452&use_mirror=iweb 4 tar -zxvf rkhunter-1.4.2.tar.gz 5 cd rkhunter-1.4.2 6 ./installer.sh --layout default --install 7 rm -Rf /usr/local/src/rkhunter*

      tip to check logfile:

      /var/log# grep "Warning" ./rkhunter.log
      

      Try DigitalOcean for free

      Click below to sign up and get $200 of credit to try our products over 60 days!

      Sign up

      Join the Tech Talk
      Success! Thank you! Please check your email for further details.

      Please complete your information!

      Become a contributor for community

      Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

      DigitalOcean Documentation

      Full documentation for every DigitalOcean product.

      Resources for startups and SMBs

      The Wave has everything you need to know about building a business, from raising funding to marketing your product.

      Get our newsletter

      Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

      New accounts only. By submitting your email you agree to our Privacy Policy

      The developer cloud

      Scale up as you grow — whether you're running one virtual machine or ten thousand.

      Get started for free

      Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

      *This promotional offer applies to new accounts only.