Install Rootkit Hunter (rkhunter) on Debian
Rootkit Hunter is a tool dedicated to rootkit detection. It sends alerts when it finds signs that your system has been compromised.
This howto has been tested on:
- Debian 5.0 Lenny
- Debian 6.0 Squeeze
- Debian 7.0 Wheezy
Setup
To quickly set up the tool, run the commands below:
Install the software:
if [ -n "$(command apt-cache pkgnames libmd5-perl)" ]; then
  command apt-get -y install rkhunter libmd5-perl
else
  command apt-get -y install rkhunter libdigest-md5-file-perl
fi
Adjust the configuration to the system:
command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.udev\)$|\1|' \
  -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.static\)$|\1|' \
  -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.initramfs\)$|\1|' \
  "/etc/rkhunter.conf"
if [ -e "/etc/.java" ]; then
  command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/etc/.java\)$|\1|' \
    "/etc/rkhunter.conf"
fi
if [ -x "/sbin/mdadm" ]; then
  command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.mdadm\)$|\1|' \
    "/etc/rkhunter.conf"
fi
if [ -x "/sbin/hdparm" ]; then
  # A trailing space keeps the new entries separated from any existing value.
  command sed -i -e 's|^[#]*\(RTKT_FILE_WHITELIST="\)\(.*\)$|\1/etc/init.d/.depend.boot /etc/init.d/hdparm \2|' \
    "/etc/rkhunter.conf"
fi
if [ ! -e "/proc/modules" ]; then
  command sed -i -e 's|^[#]*\(DISABLE_TESTS="\)\(.*\)$|\1os_specific \2|' \
    "/etc/rkhunter.conf"
fi
command sed -i -e '0,/ALLOWHIDDENFILE/{//a\
ALLOWHIDDENFILE=/dev/.tmp-block-*
;}' \
  "/etc/rkhunter.conf"
if [ -e "/dev/shm/network/ifstate" ]; then
  command sed -i -e '0,/ALLOWDEVFILE/{//a\
ALLOWDEVFILE=/dev/shm/network/ifstate
;}' \
    "/etc/rkhunter.conf"
fi
if [ -n "$(command apt-cache show ssh | command grep "5.1p1")" ]; then
  command sed -i -e 's|^[#]*\(APP_WHITELIST=\).*$|\1"exim:4.69 gpg:1.4.9 openssl:0.9.8g sshd:5.1p1"|' \
    "/etc/rkhunter.conf"
fi
if [ -n "$(command apt-cache show ssh | command grep "5.5p1")" ]; then
  command sed -i -e 's|^[#]*\(APP_WHITELIST=\).*$|\1"gpg:1.4.10 openssl:0.9.8o sshd:5.5p1"|' \
    "/etc/rkhunter.conf"
fi
SSH_ROOT_ALLOWED=no
TEST_ROOT_ALLOWED=$(/bin/grep -i "PermitRootLogin.*yes" /etc/ssh/sshd_config)
if [ -n "$TEST_ROOT_ALLOWED" ]; then
  SSH_ROOT_ALLOWED=yes
fi
command sed -i \
  -e "s|^[#]*\\(ALLOW_SSH_ROOT_USER=\\).*$|\\1${SSH_ROOT_ALLOWED}|" \
  "/etc/rkhunter.conf"
command sed -i -e 's|^[#]*\(HASH_FUNC=\).*$|\1md5sum|' \
  -e 's|^[#]*\(PKGMGR=\).*$|\1DPKG|' \
  "/etc/rkhunter.conf"
if [[ ! -e '/etc/apt/apt.conf.d/90rkhunter' ]]; then
  # The comment and the directive must be on separate lines: an apt "//" comment
  # runs to the end of the line and would otherwise swallow the hook.
  command echo '// Update rkhunter file signatures databases after running dpkg.
DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ]; then if [ $(/usr/bin/rkhunter --help | /bin/grep "propupd" | /usr/bin/wc -l) -gt 0 ]; then /usr/bin/rkhunter --propupd; fi; fi"; };' > '/etc/apt/apt.conf.d/90rkhunter'
fi
[[ -e '/etc/default/rkhunter' ]] && command sed -i -e 's/^APT_AUTOGEN=.*$/APT_AUTOGEN="yes"/' '/etc/default/rkhunter'
command rkhunter --propupdate
command rkhunter --update
Check that the configuration is correctly adjusted:
command rkhunter --configfile /etc/rkhunter.conf --report-warnings-only --checkall
Setup details
Install the software:
if [ -n "$(command apt-cache pkgnames libmd5-perl)" ]; then
  command apt-get -y install rkhunter libmd5-perl
else
  command apt-get -y install rkhunter libdigest-md5-file-perl
fi
Ignore the false positives triggered by hidden system files and folders:
command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.udev\)$|\1|' \
  -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.static\)$|\1|' \
  -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.initramfs\)$|\1|' \
  "/etc/rkhunter.conf"
If Java is installed, ignore the corresponding folder:
if [ -e "/etc/.java" ]; then
  command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/etc/.java\)$|\1|' \
    "/etc/rkhunter.conf"
fi
If the system uses software RAID, ignore the corresponding folder:
if [ -x "/sbin/mdadm" ]; then
  command sed -i -e 's|^[#]*\(ALLOWHIDDENDIR=/dev/.mdadm\)$|\1|' \
    "/etc/rkhunter.conf"
fi
If the system uses hdparm, ignore the corresponding files (the trailing space keeps the new entries separated from any value already present):
if [ -x "/sbin/hdparm" ]; then
  command sed -i -e 's|^[#]*\(RTKT_FILE_WHITELIST="\)\(.*\)$|\1/etc/init.d/.depend.boot /etc/init.d/hdparm \2|' \
    "/etc/rkhunter.conf"
fi
If the system lacks the file /proc/modules, disable the os_specific test:
if [ ! -e "/proc/modules" ]; then
  command sed -i -e 's|^[#]*\(DISABLE_TESTS="\)\(.*\)$|\1os_specific \2|' \
    "/etc/rkhunter.conf"
fi
Ignore temporary block device files (the new line is appended after the first ALLOWHIDDENFILE entry):
command sed -i -e '0,/ALLOWHIDDENFILE/{//a\
ALLOWHIDDENFILE=/dev/.tmp-block-*
;}' \
  "/etc/rkhunter.conf"
Allow the ifstate device file:
if [ -e "/dev/shm/network/ifstate" ]; then
  command sed -i -e '0,/ALLOWDEVFILE/{//a\
ALLOWDEVFILE=/dev/shm/network/ifstate
;}' \
    "/etc/rkhunter.conf"
fi
Debian applies security patches without changing the software version numbers, so rkhunter's application version check would report these packages as outdated. Disable the alerts for such packages:
if [ -n "$(command apt-cache show ssh | command grep "5.1p1")" ]; then
  command sed -i -e 's|^[#]*\(APP_WHITELIST=\).*$|\1"exim:4.69 gpg:1.4.9 openssl:0.9.8g sshd:5.1p1"|' \
    "/etc/rkhunter.conf"
fi
if [ -n "$(command apt-cache show ssh | command grep "5.5p1")" ]; then
  command sed -i -e 's|^[#]*\(APP_WHITELIST=\).*$|\1"gpg:1.4.10 openssl:0.9.8o sshd:5.5p1"|' \
    "/etc/rkhunter.conf"
fi
If the system allows root login over SSH, disable the corresponding alert:
SSH_ROOT_ALLOWED=no
TEST_ROOT_ALLOWED=$(/bin/grep -i "PermitRootLogin.*yes" /etc/ssh/sshd_config)
if [ -n "$TEST_ROOT_ALLOWED" ]; then
  SSH_ROOT_ALLOWED=yes
fi
command sed -i \
  -e "s|^[#]*\\(ALLOW_SSH_ROOT_USER=\\).*$|\\1${SSH_ROOT_ALLOWED}|" \
  "/etc/rkhunter.conf"
Rootkit Hunter can compare the system files against the file checksums recorded by the Debian packages, which detects unwanted changes to system files. Enable the check:
command sed -i -e 's|^[#]*\(HASH_FUNC=\).*$|\1md5sum|' \
  -e 's|^[#]*\(PKGMGR=\).*$|\1DPKG|' \
  "/etc/rkhunter.conf"
Set up an update of the checksum database after each apt-get run. The comment and the DPkg::Post-Invoke directive must be on separate lines, because an apt "//" comment runs to the end of its line:
if [[ ! -e '/etc/apt/apt.conf.d/90rkhunter' ]]; then
  command echo '// Update rkhunter file signatures databases after running dpkg.
DPkg::Post-Invoke { "if [ -x /usr/bin/rkhunter ]; then if [ $(/usr/bin/rkhunter --help | /bin/grep "propupd" | /usr/bin/wc -l) -gt 0 ]; then /usr/bin/rkhunter --propupd; fi; fi"; };' > '/etc/apt/apt.conf.d/90rkhunter'
fi
[[ -e '/etc/default/rkhunter' ]] && command sed -i -e 's/^APT_AUTOGEN=.*$/APT_AUTOGEN="yes"/' '/etc/default/rkhunter'
Update the checksum database:
command rkhunter --propupdate
Update the threat database (afterwards the update runs weekly):
command rkhunter --update
The command below is run daily; its results are sent by e-mail to the root user if a problem appears. Run it once to check that everything is set up correctly:
command rkhunter --configfile /etc/rkhunter.conf --report-warnings-only --checkall
Thanks
- Thanks to Rootkit Hunter developers.