Rkhunter installation

March 8th, 2008 by vicky

Rkhunter is an intrusion detection program for Linux which is widely used by server administrators. Sometimes it raises a false alarm, but most of the time you need to check the problem areas Rkhunter points out.

NEW: Rkhunter v.1.3.2. is available and this how-to is updated.

Use these commands to install it:

wget http://kent.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.2.tar.gz
tar xvfz rkhunter*
cd rkhunter-1.3.2
./installer.sh --layout oldschool --install

Note the installation difference: my command uses the old ("oldschool") layout for installing rkhunter. If you do not have rkhunter installed, or want it installed elsewhere, follow the install script's instructions.

Also, you will need to edit the config file, because it differs from the previous version's. Do so with this command:

cp /etc/rkhunter.conf /usr/local/etc/rkhunter.conf

It worked for me. Inspect the config file before usage.

After successful installation you can remove this rkhunter-1.3.2 directory.

At this point it is a good idea to create a cron job that runs Rkhunter regularly and emails the results to root's mailbox.

crontab -e

and insert these lines in there:

10 0 * * * /usr/local/bin/rkhunter --update > /dev/null 2>&1 # updates Rkhunter's database
25 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet # runs it in cronjob mode
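Since cron only mails whatever the command prints, and the entries above deliberately keep output quiet, a wrapper that mails root only when rkhunter actually reports a warning is more useful. The script below is an added example, not part of the original post or of rkhunter itself; it assumes the binary path used above, the log file /var/log/rkhunter.log (rkhunter's default when --createlogfile is given) and a working mail(1) command.

```shell
#!/bin/sh
# Added example: cron wrapper around the two crontab entries above.
# Assumed paths (not from the original post): RKHUNTER, LOGFILE, mail(1).
RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
LOGFILE=${LOGFILE:-/var/log/rkhunter.log}
MAILTO=${MAILTO:-root}

# Print the "Warning:" lines from a log file, stripping the leading
# "[HH:MM:SS] " timestamp that rkhunter writes in front of each line.
rkh_warnings() {
    grep -i 'Warning:' "$1" | sed 's/^\[[^]]*\] *//'
}

# Decide whether to alert. $1 is rkhunter's exit status, $2 the log file.
# Returns 0 (alert) if the status is non-zero or any warning was logged,
# so a warning that does not reach the return code still reaches root.
rkh_should_alert() {
    status=$1
    log=$2
    if [ "$status" -ne 0 ]; then
        return 0
    fi
    if [ -f "$log" ] && rkh_warnings "$log" | grep -q .; then
        return 0
    fi
    return 1
}

# The two cron steps from the post, followed by the conditional mail.
rkh_cron_run() {
    "$RKHUNTER" --update >/dev/null 2>&1
    "$RKHUNTER" -c --nocolors --cronjob --report-mode --createlogfile \
        --skip-keypress --quiet
    status=$?
    if rkh_should_alert "$status" "$LOGFILE"; then
        {
            echo "rkhunter on $(hostname) exited with status $status; warnings:"
            rkh_warnings "$LOGFILE"
        } | mail -s "rkhunter warnings on $(hostname)" "$MAILTO"
    fi
}

# Only run the checks when executed as a script named rkhunter-cron.sh,
# so the functions above can also be sourced and tested on their own.
case "$0" in
    */rkhunter-cron.sh|rkhunter-cron.sh) rkh_cron_run ;;
esac
```

Save it as /usr/local/sbin/rkhunter-cron.sh (an assumed path) and replace the two crontab lines with a single entry that calls it.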

That’s it! Enjoy this fine piece of software :-)

Here is the changelog for version 1.3.2 (the date is in European day/month/year format):

 * 1.3.2 (27/02/2008)

 New:
 - Added support for the socklog and rsyslog (syslog) daemons.
 - Added support for IRIX/IRIX64 systems.
 - If the user wishes to force RKH to use the 'stat' or 'readlink'
   supplied scripts, then this can be set in the configuration file.
   The options STAT_CMD and READLINK_CMD, respectively, can be given
   the value of BUILTIN to achieve this. For the 'stat' script, perl
   must be present.

 Changes:
 - Improved the 'unsupported language' error message so that the user is
   told exactly what command to run in order to see the list of supported
   languages. Added a similar comment in the configuration file.
 - Errors from applications during the application version check are mostly
   now ignored. Improved checking that a valid version has been found.
 - The ALLOW_SSH_ROOT_USER and ALLOW_SSH_PROT_V1 options in the configuration
   file can now be set to 'unset' and '2' respectively. These values indicate
   that the SSH configuration file has no specific value set for the
   corresponding SSH option ('PermitRootLogin' and 'Protocol'). RKH will show
   the test result in green and as 'Not set'.
 - Application names, in the application check, can now be completely
   whitelisted. Previously only specific versions were whitelisted, and
   RKH had to run the application to find the version. By whitelisting
   the application completely, RKH does not have to run it.
 - The use of the 'pflog' network interface is now checked for on all *BSD
   systems (not just OpenBSD).
 - Allow i18n language filenames to contain characters other than just letters.

 Bugfixes:
 - Scanning the /dev directory in LAZY mode corrupted the pathname being
   tested. Also RKH now handles filenames (in /dev) with spaces correctly.
 - During the test of files in /dev, MAKEDEV was not being automatically
   whitelisted if it exists as an actual file (not a symlink).
 - Ensure the suspscan test removes any files it creates.
 - The MAIL-ON-WARNING configuration file option and the --no-verbose-logging
   command-line option, are now only logged if the system is being checked.
 - Root equivalent and passwordless account names are now shown correctly.
   Previously, names which contained spaces, for example if the account had
   been manually commented out, were only shown up to the first space character.
 - Whitelisted passwordless account names are now logged.
 - Suspscan warnings were being ignored by the rkhunter summary and return code.
 - Corrected obtaining process names in Solaris for the network ports and
   deleted files tests. Previously they did not report the name correctly, if
   at all.
 - Use of the '--debug' option with the Korn shell was not working correctly.
 - Reset the SIGPIPE handler to its default to avoid pipe output errors.
 - Language files may contain backticks. These are now escaped during
   processing.
 - Unset the MANPATH in the spec file to allow the RPM to be built on
   OpenSuSE systems.
 - The hidden files/directories test would try and run even if no 'file'
   command was present.
 - Cater for *BSD systems using the fdesc/fdescfs filesystem on /dev/fd.
