Ever wonder whether that server, the one being hammered with SSH login attempts and strange Apache2 requests, is still a machine you can trust?
The package 'rkhunter' (Rootkit Hunter) is a handy tool for recording a baseline of a server's file properties (hashes, permissions, ownership, inode details) which can later be compared against the live system to spot changes. Independently of that baseline, rkhunter also scans for known rootkits, backdoors and suspicious files and strings. The baseline is only worth something if it is taken while the machine is known to be clean (ideally right after install, before the box is exposed); a baseline taken after a compromise simply certifies the attacker's binaries as normal. Let's install it onto a Debian 5 'Lenny' server; the steps are the same on Debian 6, the various Ubuntu releases, Red Hat and the like (Debian and Ubuntu also ship an 'rkhunter' package via apt if you prefer the distribution's version).
First, hit up the rkhunter website, http://rkhunter.sourceforge.net/ , download the release tarball to your server, and check it against the checksum published on the site. Unpack the file:
# tar -xvzf rkhunter-1.4.0.tar.gz
# cd rkhunter-1.4.0/
and install it:
# ./installer.sh --layout default --install
The 'default' layout installs the rkhunter script to /usr/local/bin/rkhunter, its configuration to /etc/rkhunter.conf, and its database under /var/lib/rkhunter/db. Everything below is run as root.
Next, update rkhunter's data files (the lists of known-bad programs, suspicious strings and backdoor ports). This needs outbound web access to the rkhunter mirrors:
# /usr/local/bin/rkhunter --update
Create the file-properties baseline for future scans (do this on a clean machine, and re-run it after every legitimate package upgrade, otherwise the changed binaries show up as warnings):
# /usr/local/bin/rkhunter --propupd
This baseline file, '/var/lib/rkhunter/db/rkhunter.dat', should be copied to another server. If the machine is later compromised, anything with root can erase or rewrite the local copy (and rkhunter itself), so the off-box copy is the one to compare against.
Now, let's scan the machine. --check runs the scan, --report-warnings-only keeps the output down to the warnings, --skip-keypress makes it non-interactive (so it can run from cron), and --summary prints the totals at the end:
# /usr/local/bin/rkhunter --check --report-warnings-only --skip-keypress --summary
Debian machines come back with warnings that some commands have been replaced by scripts (e.g. "The command '/usr/bin/ldd' has been replaced by a script"); this is normal on Debian (and Ubuntu), where these really are shell or Perl scripts. Once you have confirmed that on your own system, list them as SCRIPTWHITELIST entries in /etc/rkhunter.conf so they stop showing up:
/usr/sbin/adduser
/usr/bin/groups
/usr/bin/ldd
/bin/which
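As an added example, not code from the rkhunter project or from the original post, here is a small POSIX shell script that turns the steps above into something cron can drive: it fingerprints rkhunter.dat so that a copy of the digest kept on another server can detect tampering, and it triages /var/log/rkhunter.log by filtering out the four known Debian script warnings listed above while surfacing everything else. The log format it parses and the sample log it uses are assumptions, constructed to look like rkhunter's "Warning:" lines rather than captured from a real host, so the demo runs without rkhunter installed.

```shell
#!/bin/sh
# Added example (not part of rkhunter or the original post): turn the manual
# procedure into something cron can run. Everything here works on a saved copy
# of the log and baseline, so it runs without rkhunter installed.
# Assumed: /var/log/rkhunter.log uses "[hh:mm:ss] Warning: ..." lines; the
# sample log below is constructed, not captured from a real host.

# Commands that are legitimately scripts on Debian/Ubuntu (the list above).
KNOWN_SCRIPTS="/usr/sbin/adduser /usr/bin/groups /usr/bin/ldd /bin/which"

# SHA-256 of a file, for keeping an off-box fingerprint of rkhunter.dat.
fingerprint_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"        # BSD/macOS fallback
    fi | cut -d' ' -f1
}

# Returns 0 if the live baseline still matches the digest saved elsewhere.
# A root-level intruder can rewrite rkhunter.dat, so trust the saved digest,
# not the file on the box.
verify_baseline() {     # $1 = path to rkhunter.dat, $2 = saved hex digest
    [ "$(fingerprint_file "$1")" = "$2" ]
}

# Warning text from a scan log, with the "[hh:mm:ss] Warning: " prefix removed.
extract_warnings() {
    sed -n 's/^.*Warning: //p' "$1"
}

# Warnings minus the known Debian "replaced by a script" ones; anything
# printed here deserves a human look.
unexpected_warnings() {
    extract_warnings "$1" | while IFS= read -r line; do
        keep=1
        case "$line" in
            *"has been replaced by a script"*)
                for cmd in $KNOWN_SCRIPTS; do
                    case "$line" in *"'$cmd'"*) keep=0 ;; esac
                done ;;
        esac
        if [ "$keep" -eq 1 ]; then printf '%s\n' "$line"; fi
    done
}

# Number of unexpected warnings; non-zero is the alert signal for cron/monitoring.
count_unexpected() {
    unexpected_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample log in rkhunter's format: two benign script warnings,
# one unexpected script, one changed file, one hidden directory.
write_sample_log() {
    cat > "$1" <<'EOF'
[10:01:02] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[10:01:02] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable
[10:01:05] Warning: The command '/usr/bin/top' has been replaced by a script: /usr/bin/top: Bourne-Again shell script text executable
[10:01:09] Warning: The file properties have changed:
[10:01:09]          File: /bin/ls
[10:01:09]          Current hash: 0000000000000000000000000000000000000000
[10:01:09]          Stored hash : 1111111111111111111111111111111111111111
[10:01:20] Warning: Hidden directory found: /tmp/.hidden_dir
EOF
}

# Demo on the constructed log (use the real paths in production).
demo() {
    dir=$(mktemp -d)
    write_sample_log "$dir/rkhunter.log"
    printf 'baseline contents\n' > "$dir/rkhunter.dat"
    saved=$(fingerprint_file "$dir/rkhunter.dat")    # would be stored on another server
    verify_baseline "$dir/rkhunter.dat" "$saved" && echo "baseline intact"
    echo "unexpected warnings: $(count_unexpected "$dir/rkhunter.log")"
    unexpected_warnings "$dir/rkhunter.log"
    rm -rf "$dir"
}

demo
```

In production, replace the demo with the real scan (the --check command above) followed by count_unexpected on /var/log/rkhunter.log, and keep the digest from fingerprint_file on a different host. Once the four script warnings are confirmed benign on your system, move that filtering into rkhunter itself with SCRIPTWHITELIST lines in /etc/rkhunter.conf, and keep the script's whitelist short: every path added to it is a file rkhunter will no longer complain about.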
When done, rkhunter prints a summary which is worth reviewing and comparing with the results from a known-clean machine of the same release. Note that the 'Applications checks' only compare the version strings of a handful of programs against a list of versions with known problems; Debian backports security fixes without bumping the version number, so these usually show up as suspect and should be verified against the distribution's security advisories rather than taken at face value:
System checks summary
=====================
File properties checks...
Files checked: 132
Suspect files: 4
Rootkit checks...
Rootkits checked : 304
Possible rootkits: 0
Applications checks...
Applications checked: 5
Suspect applications: 4
The system checks took: 8 minutes and 10 seconds
All results have been written to the log file (/var/log/rkhunter.log)
More information and options with:
# /usr/local/bin/rkhunter --help