Installing rkhunter on NethServer



From shell;
cd /tmp
md5sum rkhunter-1.4.2.tar.gz
Compare result to sourceforge.
tar xvfz rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install
cd /
Just because.
/usr/local/bin/rkhunter --update
Not really necessary if run immediately after download.
/usr/local/bin/rkhunter -c
This runs rkhunter interactively; afterwards you can look through the rkhunter log, since the warnings are explained there.
Obviously, rkhunter has lots of configurable options, but that's a little beyond the scope of this quick, fun run.

My results;
System checks summary

File properties checks…
Required commands check failed
Files checked: 135
Suspect files: 5

Rootkit checks…
Rootkits checked : 378
Possible rootkits: 0

Applications checks…
Applications checked: 5
Suspect applications: 1

The system checks took: 1 minute and 16 seconds

Another compromise check tool is chkrootkit.
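The checksum step above ("compare result to sourceforge") is done by eye. As an added example, not part of the original howto, here is a small POSIX shell function that does that comparison and only unpacks the tarball when the md5 matches; the tarball name and the expected hash in the last comment are placeholders to be taken from the download page, and the demo file with its md5 is constructed for the run.

```shell
#!/bin/sh
# Added example, not from the original howto: compare a download's md5sum with
# the value published on the download page and only unpack on a match.

# verify_md5 FILE EXPECTED_MD5 -> returns 0 on match, 1 on mismatch
verify_md5() {
    file="$1"
    expected="$2"
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# unpack_if_verified TARBALL EXPECTED_MD5 -> untars only after verify_md5 passes
unpack_if_verified() {
    verify_md5 "$1" "$2" || return 1
    tar xzf "$1"
}

# Demo with a constructed file: "hello\n" has a well-known md5.
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_md5 "$demo" b1946ac92492d2347c6235b4d2611184
verify_md5 "$demo" 00000000000000000000000000000000 || echo "refusing to unpack"
rm -f "$demo"

# Real use (both values are placeholders, take them from the download page):
# unpack_if_verified rkhunter-1.4.2.tar.gz <md5-from-sourceforge> && cd rkhunter-1.4.2
```

The md5 check only tells you the file is the one the download page describes; it guards against a corrupted or swapped download, and the same function works unchanged with sha256sum if the project publishes that instead.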

(todd_firkins) #2

I ran all the commands exactly as posted and it worked just as described. Thanks!

(Stefano) #3

Rkhunter is known to have many false positives… use it "in a smart way".
BTW, AFAIR, there's an rpm too, and that's the way to go (google will tell you more).

(Alessio Fattorini) #4

Thanks man good work! :smile:
Can I suggest editing the title to "Installing rkhunter on NethServer"?
As @zamboni already said, can you try the rpm way? That would be cool, so we can edit the howto properly :wink:


I didn’t bother with rpm because the ones that I’ve seen were 1.4.0 and it’s so easy to pull the latest from sourceforge that I haven’t bothered to see if the rpm is backported.

(Jonathan Dumont) #6

Before using this script, it might be useful to finish your NethServer installation and consider it to be in production.

After that, you should run the following to determine what is normal and what is not:

# rkhunter --propupd

You can also receive email directly from rkhunter by putting your email address into /etc/rkhunter.


Most of the time you will need to IGNORE the .udev warnings; to do that, look into /etc/rkhunter. The following lines are examples and might not be fully suitable for your configuration.



## Now if you want to add chkrootkit and LogWatch and be notified by email, follow these lines :smile:

### To install chkrootkit from EPEL

# yum --enablerepo=epel -y install chkrootkit

### Install logwatch

# yum install logwatch

### And to receive all those logs by email

touch /etc/cron.daily/report-log
chmod a+x /etc/cron.daily/report-log
vi /etc/cron.daily/report-log

with this report-log script:

#!/bin/bash
# Daily report: run rkhunter and chkrootkit, build the logwatch reports,
# mail everything as attachments and clean up afterwards.
date=$(date +"%m-%d-%Y")
email="your email here"

# Build the reports in a private scratch directory instead of whatever
# working directory cron happens to use.
workdir=$(mktemp -d)
cd "$workdir" || exit 1

# rkhunter
rkhunter --update
rkhunter --checkall --cronjob --report-warnings-only > rkhunter-check-$date.log

# chkrootkit (drop the "not infected" / "not found" lines)
chkrootkit | grep -v not > chkrootkit-$date.log

# logwatch
logwatch --output html --detail High --range All > logwatch-all-$date.html
logwatch --output html --detail High --range Today > logwatch-today-$date.html
logwatch --output html --detail High --range Yesterday > logwatch-yesterday-$date.html

# send them
echo "RKHunter, CHKRootkit and LogWatch Logs for $date" | mutt -s "log $date" -a "rkhunter-check-$date.log" -a "chkrootkit-$date.log" -a "logwatch-all-$date.html" -a "logwatch-today-$date.html" -a "logwatch-yesterday-$date.html" -- "$email"

# remove those logs
cd / && rm -rf "$workdir"
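Both the summary in the first post and the daily mail from the script above leave it to a human to notice when something was flagged. As an added example, not code from the thread or from the rkhunter project, this POSIX shell snippet parses the "System checks summary" counters and the Warning: lines of an rkhunter log, so a cron job could, for instance, change the mail subject or attach the full log only when a run needs attention. The log lines are constructed for the demo and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: read the "System checks summary"
# counters and the Warning: lines of an rkhunter log so a cron job can tell
# a clean run from one that needs a human. Function names are mine.

# summary_value LOG LABEL -> the number after "LABEL:" (0 if the line is absent)
summary_value() {
    value=$(grep -E "^$2 *: *[0-9]+" "$1" | head -n 1 | sed -E 's/.*: *([0-9]+).*/\1/')
    echo "${value:-0}"
}

# warning_count LOG -> number of "Warning:" lines (grep -c exits 1 on zero, hence || true)
warning_count() {
    grep -c 'Warning:' "$1" || true
}

# rkhunter_needs_attention LOG -> prints the counters; returns 0 when all are
# zero and 1 when a human should read the report
rkhunter_needs_attention() {
    files=$(summary_value "$1" "Suspect files")
    rootkits=$(summary_value "$1" "Possible rootkits")
    apps=$(summary_value "$1" "Suspect applications")
    warnings=$(warning_count "$1")
    echo "suspect files=$files possible rootkits=$rootkits suspect applications=$apps warnings=$warnings"
    if [ "$files" -eq 0 ] && [ "$rootkits" -eq 0 ] && [ "$apps" -eq 0 ] && [ "$warnings" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Demo on a constructed log in the format rkhunter prints: the .udev warnings
# are the false positive the post mentions, the counts mirror the first post.
log=$(mktemp)
cat > "$log" <<'EOF'
[10:15:01] Warning: Hidden directory found: /dev/.udev
[10:15:02] Warning: Hidden file found: /dev/.udev/db
System checks summary
=====================

File properties checks...
Files checked: 135
Suspect files: 5

Rootkit checks...
Rootkits checked : 378
Possible rootkits: 0

Applications checks...
Applications checked: 5
Suspect applications: 1
EOF
if rkhunter_needs_attention "$log"; then
    echo "clean run, a short notice is enough"
else
    echo "flagged run, attach the full log and read it"
fi
rm -f "$log"
```

In the report script this would sit between the rkhunter run and the mutt call, e.g. to prefix the subject with "ATTENTION" when rkhunter_needs_attention returns 1; once the .udev entries are whitelisted as the post describes, the warning count drops and only real findings raise the flag.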

(Jonathan Dumont) #7

To avoid the whole ALLOWDEVFILE= configuration part,
it's also possible to install RKHunter from EPEL:

# yum --enablerepo=epel -y install rkhunter

If, like me, when you run

# whereis rkhunter


# hash -t rkhunter

you still get /usr/local/bin/rkhunter,
just do

# hash -p /usr/bin/rkhunter rkhunter

(Stefano) #8

@all: please be aware that RKHunter is (well) known to be prone to false positives… use it smartly :wink: