
Rootkit Hunter

29/07/2011

With the current onslaught of hacking and cracking about, I’d like to write a few articles about basic security for your Linux box at home (although most of the stuff I’ll be posting on security is equally if not even more appropriate for corporate servers). We Linux users think we are pretty safe from all sorts of malware and viruses. And it’s true most of the crap out there is focused on Windows boxes (and more and more on the Mac), but that doesn’t mean any Linux user should sit back and watch the carnage amongst the other operating systems. There is stuff out there you don’t want on your system, and if you don’t keep an eye out for it, it might end up on your box without you knowing about it, and someone could be using your gear for evil deeds.

One thing that you might want to check for is rootkits: software an attacker installs after gaining root access, to hide their presence on the machine and keep a backdoor into it open. One of the more popular applications that looks for the telltale signs of well-known rootkits (and for modified system binaries, hidden files and other suspicious changes) is rkhunter. Once installed, you might need to take a moment to set it up. Some distros (like Ubuntu) place a script in /etc/cron.daily so rkhunter is run every single day. If your distro doesn’t do that, you might consider using the following script (/etc/cron.daily/rkhunter):

#!/bin/sh

RKHUNTER=/usr/bin/rkhunter
# Address that receives the daily report
REPORT_EMAIL=root@localhost

test -x "$RKHUNTER" || exit 0

# Update rkhunter's data files
"$RKHUNTER" --update > /dev/null 2>&1

# Check the system; only warnings end up in the temporary file
OUTFILE=$(mktemp) || exit 1
"$RKHUNTER" --cronjob --report-warnings-only --appendlog > "$OUTFILE"

# Mail the report only if there was something to report
if [ -s "$OUTFILE" ]; then
    (
        echo "Subject: [rkhunter] $(hostname -f) - Daily report"
        echo "To: $REPORT_EMAIL"
        echo ""
        cat "$OUTFILE"
    ) | /usr/sbin/sendmail "$REPORT_EMAIL"
fi
rm -f "$OUTFILE"

And don’t forget to run chmod 700 /etc/cron.daily/rkhunter to make it executable! Of course, you can put any email address you like in REPORT_EMAIL instead of root@localhost, as long as your system is configured to be able to email to the outside world in any way, shape or form. Two things to keep in mind: rkhunter compares your system binaries against a database of file properties it recorded earlier, so after a package upgrade it will keep warning about legitimately changed files until you refresh that database with rkhunter --propupd; and a scanner that runs on the very box it is checking can be blinded by a kernel-level rootkit, so treat a clean daily report as one signal rather than as proof.
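To see what the report part of the cron job actually does, here is the mail-building logic pulled out into functions that can be exercised without rkhunter installed. This is an added example, not code from the original post or from the rkhunter project: rkhunter itself is not run, the log is a constructed sample (sample_log) whose warning lines are invented for illustration, and the helper names count_warnings and build_report are my own. Unlike the cron script above, it also puts the number of warnings in the subject line and returns a status that tells the caller whether there is anything to mail at all.

```sh
#!/bin/sh
# Added example, not code from the original post: the mail-building part of
# the rkhunter cron job, pulled into functions so it can be exercised offline.
# rkhunter itself is not run; the log is a constructed sample (sample_log),
# and its warning lines are invented for illustration, not real findings.

# Constructed stand-in for the output of
#   rkhunter --cronjob --report-warnings-only
sample_log() {
    cat <<'EOF'
Warning: The command '/usr/bin/ssh' has been replaced by a script: /usr/bin/ssh: POSIX shell script, ASCII text executable
Warning: Hidden directory found: /dev/.udev
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
EOF
}

# count_warnings FILE: print how many lines of FILE start with "Warning:"
# (0 for a missing or empty file; grep -c exits 1 on zero matches, hence || true)
count_warnings() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^Warning:' "$1" || true
}

# build_report HOST RECIPIENT FILE: print the mail message on stdout.
# Returns 0 when there is something to send and 1 when the log is clean, so
# the caller can decide whether to pipe the output into sendmail at all.
build_report() {
    host=$1; rcpt=$2; file=$3
    n=$(count_warnings "$file")
    [ "$n" -gt 0 ] || return 1
    printf 'Subject: [rkhunter] %s - %s warning(s)\n' "$host" "$n"
    printf 'To: %s\n\n' "$rcpt"
    cat "$file"
}

# Dry run on the sample: print the message instead of mailing it.  In the
# real cron job the sample_log line becomes
#   "$RKHUNTER" --cronjob --report-warnings-only --appendlog > "$out"
# and the build_report output is piped into /usr/sbin/sendmail "$rcpt".
umask 077                          # temp file readable by its owner only
out=$(mktemp) || exit 1
sample_log > "$out"
build_report "$(uname -n)" root@localhost "$out" \
    || echo "rkhunter: no warnings, nothing to mail"
rm -f "$out"
```

Run it as-is to see the message that would be mailed for the sample; replace the sample_log call with the real rkhunter invocation and pipe build_report into sendmail to turn it into a cron job.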
