Install and configure Chkrootkit and Rkhunter

Install Chkrootkit

cd /usr/local/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit*
make sense
./chkrootkit

Create cron entries

touch /etc/cron.daily/chkrootkit.sh
chmod 700 /etc/cron.daily/chkrootkit.sh

Add the below to /etc/cron.daily/chkrootkit.sh

#!/bin/sh
# Adjust the directory below to the chkrootkit version actually extracted under /usr/local/src
(
/usr/local/src/chkrootkit-0.49/chkrootkit
) | /bin/mail -s "CHROOTKIT Daily Run (server_name)" email_address
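
An added example, not part of the original post: a variant of the daily job that mails only the chkrootkit lines that need review, instead of the full output every day. The CHKROOTKIT path and MAILTO placeholder are assumptions taken from the script above, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: mail chkrootkit output only when something needs review.
# Assumptions: CHKROOTKIT and MAILTO mirror the cron script in the post.
CHKROOTKIT="${CHKROOTKIT:-/usr/local/src/chkrootkit-0.49/chkrootkit}"
MAILTO="${MAILTO:-email_address}"

# Read chkrootkit output on stdin and drop lines ending in a benign verdict.
# Anything not recognised as benign is kept, so unexpected output
# (INFECTED, "Vulnerable but disabled", file listings) is never lost.
chkrootkit_findings() {
    awk '
        /^[ \t]*$/ { next }
        /(not infected|not found|not tested|nothing found|nothing detected|nothing deleted)[ \t]*$/ { next }
        { print }
    '
}

# Constructed sample output (not captured from a real host).
sample_output() {
    cat <<'EOF'
Checking `amd'... not found
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.constructed-example
Checking `wted'... chkwtmp: nothing deleted
Checking `z2'... chklastlog: nothing deleted
EOF
}

# Run the scan; send mail only if findings remain after filtering.
run_and_report() {
    findings=$("$CHKROOTKIT" 2>&1 | chkrootkit_findings)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings" |
        /bin/mail -s "chkrootkit findings ($(hostname))" "$MAILTO"
}

# Usage: script --run (from cron) or script --demo (filter the sample).
case "${1:-}" in
    --run)  run_and_report ;;
    --demo) sample_output | chkrootkit_findings ;;
esac
```

Because a clean day now produces no mail, check separately that the cron job itself still runs. Lines that are known to be harmless on a given host can be added to the benign pattern.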

Installing Rkhunter

cd /usr/local/src

Download :

wget http://ncu.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz

Install :

tar -xvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --layout default --install

Updating :

/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd

Create a script to send the scan result :

touch /etc/cron.daily/rkhunter.sh

chmod 500 /etc/cron.daily/rkhunter.sh

Add the below contents:

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (server_name)' email_address

To scan :

rkhunter --check

Enjoy 🙂



PS:
I wanted to change the from address for a user, so I created a file
/scripts/result_rkhunter and changed the script as below:
#!/bin/sh
# Empty the report file left over from the previous run
cat /dev/null > /scripts/result_rkhunter
Machine_name=$(hostname)
SUBJECT="rkhunter_result : $Machine_name"
EMAILMESSAGE="/scripts/result_rkhunter"
# rkhunter path on this host; the source install above puts it in /usr/local/bin
/usr/bin/rkhunter --versioncheck --nocolors >> /scripts/result_rkhunter
/usr/bin/rkhunter --update --nocolors >> /scripts/result_rkhunter
/usr/bin/rkhunter --cronjob --report-warnings-only --nocolors >> /scripts/result_rkhunter
Result_From_RKH=$(cat "$EMAILMESSAGE")
# Headers first, then a blank line, then the message body
/usr/sbin/sendmail to_email_address <<EOF
subject:$SUBJECT
from:from_email_address

$Result_From_RKH
EOF


2 thoughts on “Install and configure Chkrootkit and Rkhunter”

  1. server_name, you can mention whatever you need and it will be the subject of the daily scan update that is sent to the email address following. So if you mention the server name as Nickserver and the email address as nickgg@nickgg.com, you will get the daily scan update at the email address nickgg@nickgg.com with the email subject:
    “CHROOTKIT Daily Run Nickserver”
    🙂
