Comprehensive Guide to RKHunter: Installation, Features, and Usage for Linux Intrusion Detection

RKHunter is an open-source intrusion detection tool for Linux system platforms.

Features

  • (1) Easy to install and fast to run
  • (2) Broad scanning coverage: detects known rootkit signatures, scans ports, and checks common program files for changes

Main Functions

  • (1) MD5 checksum test to detect any file modifications
  • (2) Detects binaries and system tool files used by rootkits
  • (3) Detects trojan program signatures
  • (4) Detects file attribute anomalies in commonly used programs
  • (5) Scans for network interfaces in promiscuous mode and for ports commonly used by backdoor programs
  • (6) Checks configuration files, log files, and directories such as /etc/rc.d/ for abnormal hidden files

Usage

Execute the rkhunter check command

# rkhunter -c

rkhunter runs a series of checks; any item it finds problematic is flagged with a red Warning, and each warning should be investigated and resolved.

rkhunter relies on its own database for checks, so keeping the database up-to-date is crucial. Update the database with the command:

# rkhunter --update

It is best to run this update from the system’s scheduled tasks (cron) so the database stays current.
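The scheduled update and check described above, as an added example that is not part of the original page or the rkhunter project. It assumes rkhunter is installed and on PATH; the log directory and the sample output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page or the rkhunter project: a cron wrapper
# that refreshes the rkhunter database, runs a non-interactive check, and
# exits non-zero when warnings were reported so cron's mail or your alerting
# notices. Flags are real rkhunter options: --update, --check, --sk (skip
# keypress prompts), --rwo (report warnings only), --nocolors.

LOGDIR="${LOGDIR:-/var/log/rkhunter-cron}"   # assumed location; adjust locally

# Count the warning lines in rkhunter --rwo output read from stdin.
# grep -c exits 1 when nothing matches, so force success to keep the "0".
count_warnings() {
    grep -c '^Warning:' || true
}

# Update the database, then scan. Returns 0 when clean, 1 when warnings were
# reported, 2 when rkhunter is not installed.
run_scan() {
    command -v rkhunter >/dev/null 2>&1 || return 2
    mkdir -p "$LOGDIR"
    out="$LOGDIR/check-$(date +%Y%m%d-%H%M%S).txt"
    # Refresh signatures first; the page stresses that the database must be current.
    rkhunter --update --nocolors >/dev/null 2>&1
    # After a legitimate package upgrade, re-baseline file properties with
    # rkhunter --propupd, otherwise the property check keeps warning.
    rkhunter --check --sk --rwo --nocolors > "$out" 2>&1
    n="$(count_warnings < "$out")"
    if [ "$n" -gt 0 ]; then
        echo "rkhunter: $n warning(s) reported, see $out" >&2
        return 1
    fi
    return 0
}

# Constructed sample of --rwo output, used to exercise count_warnings offline.
SAMPLE_OUTPUT="Warning: The file properties have changed: /example/path/bin (constructed)
Warning: Hidden file found: /example/path/.hidden (constructed)
Checking for hidden files and directories [ Warning ]"

if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

Schedule it with a crontab entry such as `0 3 * * * /usr/local/sbin/rkhunter-cron.sh --run` (assumed path), and review the saved report whenever the job exits non-zero.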

Installation

Official website: http://rkhunter.sourceforge.net/

After downloading, extract it. I downloaded version 1.4.2.

tar zxf rkhunter-1.4.2.tar.gz

Enter the extracted directory and run the installation script; it completes very quickly.

cd rkhunter-1.4.2
./installer.sh --install