After reading the shocking sshd backdoor story, I decided to install rkhunter for rootkit detection. Here are the configuration changes I've made.
In /etc/rkhunter.conf.local:
# Tell rkhunter which package manager this system uses (Debian/Ubuntu: dpkg)
PKGMGR=DPKG
# lwp-request is a Perl script, so whitelist it to silence the spurious
# "command has been replaced by a script" warning
SCRIPTWHITELIST=/usr/bin/lwp-request
# Fix "rkhunter --update": Debian ships WEB_CMD="/bin/false", which disables
# downloads; an empty value lets rkhunter pick wget or curl itself
WEB_CMD=""
MIRRORS_MODE=0
UPDATE_MIRRORS=1
And in /etc/rkhunter.conf, I have commented out MAIL_CMD and MAIL-ON-WARNING. (Make sure outbound mail actually works on the server before relying on this; the daily cron job mails its report to REPORT_EMAIL, and a report nobody receives is no report at all.)
Next, enable the daily run and the automatic database updates in /etc/default/rkhunter:
# Set this to yes to enable rkhunter daily runs
# (default: false)
CRON_DAILY_RUN="true"
# Set this to yes to enable rkhunter weekly database updates
# (default: false)
CRON_DB_UPDATE="true"
# Set this to yes to enable reports of weekly database updates
# (default: false)
DB_UPDATE_EMAIL="false"
# Set this to the email address where reports and run output should be sent
# (default: root)
REPORT_EMAIL="root"
# Set this to yes to enable automatic database updates
# (default: false)
APT_AUTOGEN="true"
Now it's time to run the actual scan:
# Update database
sudo rkhunter --update
# Actual check
sudo rkhunter --check
.... <fixes the problems> ...
# Update the file properties database. Future --check runs will compare against
# these values, so run this only on a system you have just verified is clean:
# it records whatever is on disk as the trusted baseline.
sudo rkhunter --propupd
If you have accidentally run --propupd before --check, no worry. You can delete the file properties database (which I'd rather call signatures or fingerprints) and start the baseline over:
sudo rm /var/lib/rkhunter/db/rkhunter.dat
The full report (the console output is only a summary) is in /var/log/rkhunter.log:
sudo cat /var/log/rkhunter.log
Finally, run the daily cron job by hand to verify that it works end to end:
sudo /etc/cron.daily/rkhunter
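The log is long and most of it is "[ OK ]" lines, so what I actually want from a run is: how many warnings, which binaries changed on disk (the sshd case above is exactly that), and whether the cron job is really enabled. The following script is an added example, not part of the original post or of rkhunter itself. The log lines and the defaults file it reads are constructed samples that mimic the real formats; on a live box point the functions at /var/log/rkhunter.log and /etc/default/rkhunter instead. The assumption that the Debian cron script accepts both "true" and "yes" for CRON_DAILY_RUN is mine.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): triage an rkhunter log and check
# that the daily cron run is enabled.

# Constructed sample log, modelled on the real /var/log/rkhunter.log layout
# (timestamp in brackets, then the message).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
[10:15:01] Checking for rootkits...
[10:15:01]   /usr/bin/ls                                 [ OK ]
[10:15:01]   /usr/bin/lwp-request                        [ Warning ]
[10:15:01] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[10:15:02]   /usr/sbin/sshd                              [ Warning ]
[10:15:02] Warning: The file properties have changed:
[10:15:02]          File: /usr/sbin/sshd
[10:15:02]          Current hash: 3d1f...
[10:15:02]          Stored hash : a9c2...
[10:15:03] Info: Starting test name 'hidden_procs'
[10:15:04] System checks summary
EOF

# Constructed sample of /etc/default/rkhunter with the values used above.
SAMPLE_DEFAULTS=$(mktemp)
cat >"$SAMPLE_DEFAULTS" <<'EOF'
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
REPORT_EMAIL="root"
EOF

# Print every "Warning:" message from an rkhunter log, timestamp stripped.
# Per-file "[ Warning ]" status lines are not counted; the explanatory
# "Warning:" line that follows them is.
rkhunter_warnings() {
    sed -n 's/^\[[0-9:]*\] *Warning: *//p' "$1"
}

# Number of warnings in the log; 0 means a clean run.
rkhunter_warning_count() {
    rkhunter_warnings "$1" | wc -l | tr -d ' '
}

# Paths whose stored file properties no longer match what is on disk,
# i.e. the candidates for a replaced binary. Reads the "File:" line that
# follows each "The file properties have changed" warning.
rkhunter_changed_files() {
    awk '/Warning: The file properties have changed/ { grab = 1; next }
         grab && /File: /                           { sub(/.*File: /, ""); print; grab = 0 }' "$1"
}

# Exit 0 if the Debian cron job would run according to the given defaults
# file. Assumption: /etc/cron.daily/rkhunter treats CRON_DAILY_RUN values
# starting with y/Y or t/T as enabled; anything else (or unset) as disabled.
rkhunter_cron_enabled() {
    CRON_DAILY_RUN=""
    . "$1"
    case "$CRON_DAILY_RUN" in
        [Yy]*|[Tt]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Stand-alone run over the constructed samples.
echo "warnings: $(rkhunter_warning_count "$SAMPLE_LOG")"
rkhunter_warnings "$SAMPLE_LOG"
echo "changed files:"
rkhunter_changed_files "$SAMPLE_LOG"
if rkhunter_cron_enabled "$SAMPLE_DEFAULTS"; then
    echo "daily cron run: enabled"
else
    echo "daily cron run: DISABLED"
fi
```

On a real system I generate the log with `sudo rkhunter --check --sk --rwo` (skip the keypress prompts, report warnings only) and then feed /var/log/rkhunter.log to `rkhunter_changed_files`; a path like /usr/sbin/sshd showing up there is the signal that deserves a hand check against the package manager before anyone runs --propupd and blesses it as the new baseline.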