How to install Rkhunter on CentOS, RHEL server
How to download and install Rkhunter (Rootkit hunter) on cPanel, CentOS 7, RHEL 7 servers
Install rkhunter on CentOS 7 / RHEL 7 server
1. Log in to the Linux server via SSH as the ‘root’ user
2. Install the epel-release (Extra Packages for Enterprise Linux) package on your server using the yum command
Command: # yum install epel-release
You will see the error “No package rkhunter available” if EPEL is not installed on your server.
3. After installing epel-release, run the command below to install ‘rkhunter’
Command: # yum install rkhunter
Resolving Dependencies
--> Running transaction check
---> Package rkhunter.noarch 0:1.4.6-1.el7 will be installed
--> Processing Dependency: /usr/bin/perl for package: rkhunter-1.4.6-1.el7.noarch
--> Processing Dependency: crontabs for package: rkhunter-1.4.6-1.el7.noarch
--> Processing Dependency: e2fsprogs for package: rkhunter-1.4.6-1.el7.noarch
--> Processing Dependency: iproute for package: rkhunter-1.4.6-1.el7.noarch
--> Processing Dependency: logrotate for package: rkhunter-1.4.6-1.el7.noarch
--> Processing Dependency: lsof for package: rkhunter-1.4.6-1.el7.noarch
--> Processing Dependency: mailx for package: rkhunter-1.4.6-1.el7.noarch
--> Processing Dependency: perl for package: rkhunter-1.4.6-1.el7.noarch
--> Processing Dependency: perl(IO::Socket) for package: rkhunter-1.4.6-1.el7.noarch
--> Processing Dependency: perl(strict) for package: rkhunter-1.4.6-1.el7.noarch
--> Processing Dependency: wget for package: rkhunter-1.4.6-1.el7.noarch
Dependencies Resolved
=====================================================================================
Package Arch Version Repository Size
=====================================================================================
Installing:
rkhunter noarch 1.4.6-1.el7 epel 207 k
Installing for dependencies:
cronie x86_64 1.4.11-23.el7 base 92 k
cronie-anacron x86_64 1.4.11-23.el7 base 36 k
crontabs noarch 1.11-6.20121102git.el7 base 13 k
e2fsprogs x86_64 1.42.9-17.el7 base 699 k
e2fsprogs-libs x86_64 1.42.9-17.el7 base 168 k
groff-base x86_64 1.22.2-8.el7 base 942 k
iproute x86_64 4.11.0-25.el7_7.2 base 803 k
iptables x86_64 1.4.21-34.el7 base 432 k
libmnl x86_64 1.0.3-7.el7 base 23 k
libnetfilter_conntrack x86_64 1.0.6-1.el7_3 base 55 k
libnfnetlink x86_64 1.0.1-4.el7 base 26 k
libss x86_64 1.42.9-17.el7 base 46 k
logrotate x86_64 3.8.6-19.el7 base 70 k
lsof x86_64 4.87-6.el7 base 331 k
mailx x86_64 12.5-19.el7 base 245 k
perl x86_64 4:5.16.3-295.el7 base 8.0 M
perl-Carp noarch 1.26-244.el7 base 19 k
perl-Encode x86_64 2.51-7.el7 base 1.5 M
perl-Exporter noarch 5.68-3.el7 base 28 k
perl-File-Path noarch 2.09-2.el7 base 26 k
perl-File-Temp noarch 0.23.01-3.el7 base 56 k
perl-Filter x86_64 1.49-3.el7 base 76 k
perl-Getopt-Long noarch 2.40-3.el7 base 56 k
perl-HTTP-Tiny noarch 0.033-3.el7 base 38 k
perl-PathTools x86_64 3.40-5.el7 base 82 k
perl-Pod-Escapes noarch 1:1.04-295.el7 base 51 k
perl-Pod-Perldoc noarch 3.20-4.el7 base 87 k
perl-Pod-Simple noarch 1:3.28-4.el7 base 216 k
perl-Pod-Usage noarch 1.63-3.el7 base 27 k
perl-Scalar-List-Utils x86_64 1.27-248.el7 base 36 k
perl-Socket x86_64 2.010-5.el7 base 49 k
perl-Storable x86_64 2.45-3.el7 base 77 k
perl-Text-ParseWords noarch 3.29-4.el7 base 14 k
perl-Time-HiRes x86_64 4:1.9725-3.el7 base 45 k
perl-Time-Local noarch 1.2300-2.el7 base 24 k
perl-constant noarch 1.27-2.el7 base 19 k
perl-libs x86_64 4:5.16.3-295.el7 base 689 k
perl-macros x86_64 4:5.16.3-295.el7 base 44 k
perl-parent noarch 1:0.225-244.el7 base 12 k
perl-podlators noarch 2.5.1-3.el7 base 112 k
perl-threads x86_64 1.87-4.el7 base 49 k
perl-threads-shared x86_64 1.43-6.el7 base 39 k
wget x86_64 1.14-18.el7_6.1 base 547 k
Transaction Summary
=====================================================================================
Install 1 Package (+43 Dependent packages)
Total download size: 16 M
Installed size: 50 M
Is this ok [y/d/N]: y
4. Enter y and press Enter if yum asks for confirmation
Rkhunter needs the following dependencies:
—————
procps-ng-0:3.3.10-27.el7.x86_64
bash-0:4.2.46-34.el7.x86_64
binutils-0:2.27-43.base.el7_8.1.x86_64
mailx-0:12.5-19.el7.x86_64
crontabs-0:1.11-6.20121102git.el7.noarch
findutils-1:4.5.11-6.el7.x86_64
coreutils-0:8.22-24.el7.x86_64
perl-4:5.16.3-295.el7.x86_64
e2fsprogs-0:1.42.9-17.el7.x86_64
lsof-0:4.87-6.el7.x86_64
wget-0:1.14-18.el7_6.1.x86_64
iproute-0:4.11.0-25.el7_7.2.x86_64
procps-ng-0:3.3.10-27.el7.i686
grep-0:2.20-3.el7.x86_64
kmod-0:20-28.el7.x86_64
logrotate-0:3.8.6-19.el7.x86_64
—————
Steps to download and install rkhunter rpm on CentOS / RHEL
1. Log into Linux server as root user
2. You can download rkhunter rpm using wget command
3. Install the downloaded rpm file using yum command or rpm command
On CentOS 6 x86_64 server :
# wget https://download-ib01.fedoraproject.org/pub/epel/6/x86_64/Packages/r/rkhunter-1.4.6-1.el6.noarch.rpm
# yum install rkhunter-1.4.6-1.el6.noarch.rpm
OR
# rpm -ivh rkhunter-1.4.6-1.el6.noarch.rpm
The yum command downloads and installs the required dependencies. If you install with the rpm command, you must install the dependencies manually.
On CentOS 7 x86_64 server :
# wget https://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/r/rkhunter-1.4.6-1.el7.noarch.rpm
# yum install rkhunter-1.4.6-1.el7.noarch.rpm
OR
# rpm -ivh rkhunter-1.4.6-1.el7.noarch.rpm
How to remove/uninstall Rkhunter
1. Log into your CentOS / RHEL server as ‘root’ user
2. Run the command “yum remove rkhunter” to remove/uninstall rkhunter

Steps to install rkhunter from source
1. Log in to the Linux server via SSH as ‘root’
2. Before downloading rkhunter, check the latest version available on the SourceForge website
Open the URL below and download the latest version
https://sourceforge.net/projects/rkhunter/files/rkhunter/
3. Use the wget command to download rkhunter
Command : wget https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
You can download the README file to see which features are included in the latest version of rkhunter.
4. Extract the rkhunter tar file you have downloaded
Command to extract : tar -zxvf rkhunter-1.4.2.tar.gz
5. Change to the directory you extracted using the cd command
cd rkhunter-1.4.2/
6. Run the below command to install rkhunter
Command : ./installer.sh --layout default --install

The installation steps are pasted below:
[root@server rkhunter-1.4.2]# tar -zxvf rkhunter-1.4.2.tar.gz
rkhunter-1.4.2/files/filehashsha.pl
rkhunter-1.4.2/files/programs_bad.dat
rkhunter-1.4.2/files/i18n/
rkhunter-1.4.2/files/i18n/zh
rkhunter-1.4.2/files/i18n/tr
rkhunter-1.4.2/files/i18n/de
rkhunter-1.4.2/files/i18n/cn
rkhunter-1.4.2/files/i18n/zh.utf8
rkhunter-1.4.2/files/i18n/en
rkhunter-1.4.2/files/i18n/tr.utf8
rkhunter-1.4.2/files/rkhunter.conf
rkhunter-1.4.2/files/signatures/
rkhunter-1.4.2/files/signatures/RKH_dso.ldb
rkhunter-1.4.2/files/signatures/RKH_Glubteba.ldb
rkhunter-1.4.2/files/signatures/RKH_sniffer.ldb
rkhunter-1.4.2/files/signatures/RKH_shv.ldb
rkhunter-1.4.2/files/signatures/RKH_libkeyutils1.ldb
rkhunter-1.4.2/files/signatures/RKH_libkeyutils.ldb
rkhunter-1.4.2/files/signatures/RKH_sshd.ldb
rkhunter-1.4.2/files/signatures/RKH_xsyslog.ldb
rkhunter-1.4.2/files/signatures/RKH_turtle.ldb
rkhunter-1.4.2/files/signatures/RKH_kbeast.ldb
rkhunter-1.4.2/files/signatures/RKH_libncom.ldb
rkhunter-1.4.2/files/signatures/RKH_pamunixtrojan.ldb
rkhunter-1.4.2/files/signatures/RKH_jynx.ldb
rkhunter-1.4.2/files/backdoorports.dat
rkhunter-1.4.2/files/FAQ
rkhunter-1.4.2/files/mirrors.dat
rkhunter-1.4.2/files/rkhunter.spec
rkhunter-1.4.2/files/contrib/
rkhunter-1.4.2/files/contrib/rkhunter_remote_howto.txt
rkhunter-1.4.2/files/contrib/run_rkhunter.sh
rkhunter-1.4.2/files/contrib/README.txt
rkhunter-1.4.2/files/rkhunter
rkhunter-1.4.2/files/CHANGELOG
rkhunter-1.4.2/files/stat.pl
rkhunter-1.4.2/files/check_modules.pl
rkhunter-1.4.2/files/readlink.sh
rkhunter-1.4.2/installer.sh
[root@server ~]# cd rkhunter-1.4.2/
[root@server rkhunter-1.4.2]# sh installer.sh

1. Type the command below to check the version of rkhunter installed
rkhunter -V
Rootkit Hunter 1.4.2
2. Run either of the commands below to start an rkhunter scan on your Linux server
rkhunter --check
OR
rkhunter -c
3. Run the command below to check for updates to the database files
rkhunter --update
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter data files…
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ Updated ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ Updated ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ Updated ]
Checking file i18n/tr.utf8 [ Updated ]
Checking file i18n/zh [ Updated ]
Checking file i18n/zh.utf8 [ Updated ]
4. Steps to set up a weekly rkhunter scan on your Linux server and email the result to your email address
vi /etc/cron.weekly/rkhunter-scan.sh
Enter the script below in the rkhunter-scan.sh file
#!/bin/bash
# Not chained with &&: rkhunter --update exits non-zero when it installs updated files, which would skip the scan.
rkhunter --update
rkhunter -c --cronjob 2>&1 | mail -s "Rkhunter Scan Result" user@domain.com
5. Run the below command to see all options
rkhunter --help
Or
rkhunter -h
6. To Unlock/Remove the Rkhunter lock file
Command : rkhunter --unlock
7. How to check for latest version of program
The command below shows whether you have the latest version installed.
Command : rkhunter --versioncheck
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter version…
This version : 1.4.2
Latest version: 1.4.2
8. How to run Rkhunter in quiet mode
Command : rkhunter --quiet -c
9. Rkhunter log file location
By default rkhunter logs are saved in the /var/log/ directory; the log file is /var/log/rkhunter.log.
Use the “--nolog” option if you do not want to save the logs to a file.
Command : rkhunter --nolog -c
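Added example (not part of the original article or of the rkhunter project): a shell helper that pulls the warnings out of /var/log/rkhunter.log so the weekly scan can be triaged without reading the whole report. It assumes warning entries have the form "[HH:MM:SS] Warning: text"; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an rkhunter log after a scheduled scan.
# Assumption: warning entries look like "[HH:MM:SS] Warning: <text>".

# Print each warning message with the timestamp and "Warning:" prefix removed.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*\][[:space:]]*Warning:[[:space:]]*//p' "$1"
}

# Print the number of warning entries in the log.
rkh_warning_count() {
    rkh_warnings "$1" | wc -l | tr -d ' '
}

# Return 0 if the log has no warnings, 1 if it has warnings,
# 2 if the log is missing or unreadable. A missing log is reported
# separately because it means the scan did not run or the log was removed.
rkh_log_status() {
    [ -r "$1" ] || return 2
    [ "$(rkh_warning_count "$1")" -eq 0 ]
}

# Constructed sample log lines (not output from a real scan).
rkh_sample_log() {
    cat <<'EOF'
[03:10:01] Info: Start date is Sun Jan  5 03:10:01 UTC 2020
[03:10:04]   /usr/bin/awk                                    [ OK ]
[03:10:05]   /usr/bin/ldd                                    [ Warning ]
[03:10:05] Warning: The command '/usr/bin/ldd' has been replaced by a script
[03:11:40] Warning: Hidden directory found: /dev/.udev
[03:12:02] Info: End date is Sun Jan  5 03:12:02 UTC 2020
EOF
}

# Demo on the constructed sample; point the functions at
# /var/log/rkhunter.log on a real server.
demo_log=$(mktemp)
rkh_sample_log > "$demo_log"
echo "warnings found: $(rkh_warning_count "$demo_log")"
rkh_warnings "$demo_log"
rm -f "$demo_log"
```

The per-file result lines ending in "[ Warning ]" are deliberately not counted; only the explanatory "Warning:" entries are, so each finding is reported once.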