Install and set up root kit hunter

 

IMPORTANT NOTE:  This document is based on CentOS, RedHat Linux 7.3 and Enterprise.  The concepts should be similar across operating systems, but the commands will very likely be different.  Also, never assume the directory structures exist in your system as written in the document.  Never blindly follow security instructions -- read, review, compare, apply as it fits your system.

Log into each server as root.

Do the following steps:

cd /usr/local/src
rm -fR rkhunter*
wget -N http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.3.6/rkhunter-1.3.6.tar.gz?use_mirror=voxel
gzip -d -c rkhunter-1.3.6.tar.gz | gtar xvf -
cd rkhunter-1.3.6
alias mv=mv
mv /usr/local/etc/rkhunter.conf /usr/local/etc/rkhunter.conf.backup
./installer.sh --layout /usr/local --install
sed -i 's/DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"/DISABLE_TESTS="suspscan deleted_files"/' /usr/local/etc/rkhunter.conf
sed -i 's/ALLOW_SSH_ROOT_USER=no/ALLOW_SSH_ROOT_USER=without-password/' /usr/local/etc/rkhunter.conf
sed -i 's/#ATTRWHITELIST=\/bin\/ps/ATTRWHITELIST=\/bin\/ps/' /usr/local/etc/rkhunter.conf
sed -i 's/#WRITEWHITELIST=\/bin\/ps/WRITEWHITELIST=\/bin\/ps/' /usr/local/etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/sbin\/ifup/SCRIPTWHITELIST=\/sbin\/ifup/' /usr/local/etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/sbin\/ifdown/SCRIPTWHITELIST=\/sbin\/ifdown/' /usr/local/etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/usr\/bin\/groups/SCRIPTWHITELIST=\/usr\/bin\/groups/' /usr/local/etc/rkhunter.conf
sed -i 's/#ALLOWHIDDENDIR=\/dev\/.udev/ALLOWHIDDENDIR=\/dev\/.udev/' /usr/local/etc/rkhunter.conf
sed -i 's/#ALLOWHIDDENDIR=\/dev\/.udevdb/ALLOWHIDDENDIR=\/dev\/.udevdb/' /usr/local/etc/rkhunter.conf
sed -i 's/#ALLOWHIDDENFILE=\/usr\/sbin\/.sshd.hmac/ALLOWHIDDENFILE=\/usr\/sbin\/.sshd.hmac/' /usr/local/etc/rkhunter.conf
sed -i 's/#ALLOWHIDDENFILE=\/usr\/bin\/.ssh.hmac/ALLOWHIDDENFILE=\/usr\/bin\/.ssh.hmac/' /usr/local/etc/rkhunter.conf
sed -i 's/#ALLOWHIDDENFILE=\/usr\/bin\/.fipscheck.hmac/ALLOWHIDDENFILE=\/usr\/bin\/.fipscheck.hmac/' /usr/local/etc/rkhunter.conf
echo 'ALLOWHIDDENDIR=/dev/ida' >> /usr/local/etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/sbin\/ifdown/SCRIPTWHITELIST=\/sbin\/ifdown/' /usr/local/etc/rkhunter.conf
sed -i 's/#SCRIPTWHITELIST=\/usr\/bin\/groups/SCRIPTWHITELIST=\/usr\/bin\/groups/' /usr/local/etc/rkhunter.conf
echo 'SCRIPTWHITELIST=/usr/bin/ldd' >> /usr/local/etc/rkhunter.conf
echo 'SCRIPTWHITELIST=/usr/bin/whatis' >> /usr/local/etc/rkhunter.conf
echo 'SCRIPTWHITELIST=/usr/bin/GET' >> /usr/local/etc/rkhunter.conf
rkhunter --update
rkhunter --propupd
/usr/local/bin/rkhunter --cronjob -l --nomow --rwo

Handle any infections noted (on a fresh install on a fresh system there should be none).

Now set up root kit hunter to run in cron:

  1. crontab -e
  2. (scroll to bottom)
  3. o (lower case o to open a new line)
  4. ### Security check at 3:09 AM (ENTER)
    9 3 * * * (/usr/local/bin/rkhunter --cronjob -l --nomow --rwo | mail -s "[PUT IN MEANINGFUL SERVER NAME] rkhunter output" [VALID EMAIL ADDRESS])
  5. Shift ZZ to save

Please be sure to replace the [MEANINGFUL SERVER NAME] with a proper server name, and [VALID EMAIL ADDRESS] with a valid email address.

IMPORTANT NOTE:  This document and all linked document is being provided as a good will gesture to the Parallels H-Sphere community and to others who may benefit from its use.  Dynamic Net, Inc. makes no representations implied or explicit as to their value or warranty. Dynamic Net, Inc. will not be held liable for any damage resulting in the application of the steps and procedures noted.  If you feel uncomfortable at all about doing any of the steps, make a complete system backup and hire a third party like We Manage Servers to do the work for you.

 

 
 

Home ::  About :: Testimonials  ::  Articles ::  Employment ::  Contact
Services ::  Web Hosting ::  Managed Services :: Parallels H-Sphere  :: Monitoring :: ShopSite 
Resellers
::   Program ::  Compare Plans ::  Private Label
   
  :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 Legal Notices - Acceptable Use Policy, Contract, Copyright, Terms of Service

See our
privacy statement for questions on how we use information gained by our site.

Managed Services provided by We Manage Servers