Rkhunter (aka Rootkit Hunter) is a security auditing tool for Unix and Linux servers. It helps you detect rootkits, backdoors and exploits running on your servers: it uses MD5 hashes to identify possible modifications to important system files and directories, and it also inspects file permissions, hidden files and directories, suspicious directory and file names, and kernel modules, among many other things. It is an essential tool for anyone who wants to audit their systems.
Install Rkhunter on cPanel servers
cd /usr
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
tar -zxvf rkhunter-1.4.2.tar.gz
cd rkhunter-1.4.2
./installer.sh --layout default --install
Update Rkhunter Database
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd
Run rkhunter for the first time
rkhunter -c
If you want to add a cronjob that executes Rkhunter on a daily basis, just create this file:
nano -w /etc/cron.daily/rkhunter.sh
Paste this text inside:
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (server name)' [email protected]
Set file permissions:
chmod 700 /etc/cron.daily/rkhunter.sh
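The script above mails the full output of every run, whether or not anything was found, and carries a placeholder server name in the subject. The following is an added example (not code from the original post or from the rkhunter project) of a slightly more useful daily wrapper: it keeps a dated log, puts the real hostname in the subject, and only sends mail when the scan printed warning lines. It assumes rkhunter is installed at /usr/local/bin/rkhunter as in the steps above, that /bin/mail exists, and that warning lines from --report-warnings-only start with the prefix "Warning:"; the admin address and log directory are placeholders to change.

```shell
#!/bin/sh
# Added example: daily rkhunter wrapper that mails only when warnings appear.
# Assumes rkhunter lives at /usr/local/bin/rkhunter (as installed above) and
# that /bin/mail is available. ADMIN_MAIL and LOGDIR are placeholders.
set -u

RKHUNTER=/usr/local/bin/rkhunter
ADMIN_MAIL="root"                 # placeholder: the admin mailbox
LOGDIR=/var/log/rkhunter-daily    # placeholder: where dated logs are kept

# Count warning lines read from stdin. rkhunter prefixes them with "Warning:".
# grep -c prints 0 (and exits 1) when nothing matches, hence the "|| true".
rkh_warning_count() {
    grep -c '^Warning:' || true
}

# Build the mail subject from the host name and the number of warnings.
rkh_subject() {
    host=$1
    count=$2
    if [ "$count" -eq 0 ]; then
        printf 'rkhunter Daily Run (%s): clean\n' "$host"
    else
        printf 'rkhunter Daily Run (%s): %s warning(s)\n' "$host" "$count"
    fi
}

# Refresh data files, run the scan, keep a dated log, and mail the log only
# when warnings were reported. Returns 1 when warnings exist, 0 otherwise.
rkh_daily() {
    mkdir -p "$LOGDIR"
    log="$LOGDIR/$(date +%Y-%m-%d).log"
    {
        "$RKHUNTER" --versioncheck --nocolors
        "$RKHUNTER" --update --nocolors
        "$RKHUNTER" --cronjob --report-warnings-only --nocolors
    } > "$log" 2>&1
    count=$(rkh_warning_count < "$log")
    if [ "$count" -gt 0 ]; then
        /bin/mail -s "$(rkh_subject "$(hostname)" "$count")" "$ADMIN_MAIL" < "$log"
        return 1
    fi
    return 0
}

# Only run the scan when invoked as: sh rkhunter.sh run
# (so the file can also be sourced to reuse the helper functions).
case "${1:-}" in
    run) rkh_daily ;;
esac
```

Install it as /etc/cron.daily/rkhunter.sh with an invocation line such as `sh /etc/cron.daily/rkhunter.sh run`, or simply replace the `case` block with a bare `rkh_daily` call. One caveat worth keeping in mind: after cPanel or the distribution updates system binaries, the file-property checks will legitimately report changes, so run `/usr/local/bin/rkhunter --propupd` once you have confirmed the update is the only cause; running it blindly after every warning would hide real modifications.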
Conclusion
Rkhunter is a very powerful tool for security audits; however, it frequently reports false positives, which is why it should not be the only security tool you use. To keep your servers secure, investigate and use other useful tools such as OSSEC, Lynis, Tripwire, Nmap and many others.
Further reading: Rkhunter Website