What is rkhunter? Rootkit Hunter in Detail
rkhunter (Rootkit Hunter) is an open-source tool that scans Linux systems for rootkits, backdoors, and local exploits. It works by checking for suspicious behaviour, hidden files, and the known patterns of common rootkits.
rkhunter is not an antivirus: it focuses on detecting rootkits and system compromises that a traditional antivirus may miss. It is an essential tool for anyone responsible for Linux server security.
What is a Rootkit?
A rootkit is malicious software designed to provide continued privileged access while avoiding detection. Rootkits typically replace system binaries or modify the kernel to hide their presence and activity.
Types of Rootkits
- User-mode rootkits: Replace user-level binaries (ls, ps, netstat)
- Kernel-mode rootkits: Modify kernel or load as kernel modules
- Bootkits: Infect the MBR/VBR and the boot process
- Firmware rootkits: Hide in hardware firmware
- Memory rootkits: Reside only in RAM (volatile)
Installing rkhunter
On Ubuntu/Debian
```bash
# Install
sudo apt update
sudo apt install rkhunter
# Configure
sudo nano /etc/rkhunter.conf
# Build the file properties database (right after installation, while the system is known-good)
sudo rkhunter --propupd
```
On CentOS/RHEL
```bash
# Install from EPEL
sudo yum install epel-release
sudo yum install rkhunter
# Build the file properties database
sudo rkhunter --propupd
```
On macOS
```bash
# Via Homebrew
brew install rkhunter
```
rkhunter Configuration
```conf
# /etc/rkhunter.conf (only the directives discussed here)
# Run "rkhunter -C" after editing: it rejects directive names the installed version does not know,
# so verify each name against the rkhunter.conf shipped with your package.

# Email alerts
MAIL-ON-WARNING=admin@example.com
MAIL_CMD=/usr/bin/mail -s "[rkhunter] Warnings found"

# Automatic runs (daily or weekly)
# On Debian/Ubuntu CRON_DAILY_RUN and CRON_WEEKLY_RUN live in /etc/default/rkhunter, not here
UPDATE_DIR=/var/lib/rkhunter/db
CRON_DAILY_RUN="yes"
CRON_WEEKLY_RUN="yes"

# Quiet mode - only warn
QUIET_SILENT=0
WHITELISTED_PKG="/usr/sbin/sshd"

# Enable specific tests
ENABLE_TESTS="all"
DISABLE_TESTS="none"

# Ports allowed to listen (each entry is TCP:<port> or UDP:<port>)
PORT_WHITELIST="TCP:22 TCP:80 TCP:443"

# Known suspicious files (whitelist)
ALLOW_SUSPICIOUS_FILES=0

# Check for Java exploits
JAVA_VERSION_CMD=java -version 2>&1 | grep version
```
Using rkhunter
Basic Scan
```bash
# Run a full check
sudo rkhunter --check
# Run without waiting for Enter after each section (batch mode)
sudo rkhunter --check --skip-keypress
# Log every test result, not only warnings
sudo rkhunter --check --verbose-logging
# Write the log to a chosen file (default is /var/log/rkhunter.log)
sudo rkhunter --check --logfile /var/log/rkhunter.log
```
Scan Options
```bash
# Report only warnings, skipping the "OK" lines (--rwo is short for --report-warnings-only)
sudo rkhunter --check --rwo
# Disable certain tests for this run
sudo rkhunter --check --disable "passwd_changes,group_changes"
# Enable only the named tests for this run
sudo rkhunter --check --enable "loaded_modules,hidden_procs"
# List the test names accepted by --enable and --disable
sudo rkhunter --list tests
```
Update and Upgrade
```bash
# Update the rootkit definitions and data files
sudo rkhunter --update
# Show the installed version, and check whether a newer release exists
sudo rkhunter --version
sudo rkhunter --versioncheck
# Upgrade the program itself through the package manager
sudo apt update && sudo apt install rkhunter
```
rkhunter Test Categories
| Category | Description |
|---|---|
| System commands | Check binaries for modifications (MD5, permissions) |
| Hidden files | Scan for files hidden with leading dots |
| Loaded modules | Check for suspicious kernel modules |
| Network interfaces | Detect promiscuous mode and suspicious interfaces |
| Running processes | Check for suspicious processes |
| Boot and startup files | Check /etc/init.d, startup scripts |
| File properties | Check for altered system files |
| User group settings | Check for suspicious users/groups |
| System startup files | Check rc.d, init.d directories |
| Network configuration | Check routing table, DNS configs |
rkhunter Output Explained
Warning Types
```text
# Example warning output
[19:23:45] Checking for suspicious files              [ Warning ]
[19:23:45] Found file: /tmp/.hidden_malware
[19:24:12] Checking for hidden files                  [ Warning ]
[19:24:12] Found: /etc/.malicious_config
[19:25:00] Checking system commands                   [ OK ]
# System binaries are unchanged
[19:26:30] Checking for rootkits                      [ OK ]
# No rootkits detected
```
Interpreting Results
| Result | Meaning |
|---|---|
| [ OK ] | No issues found |
| [ Warning ] | Possible issue – needs investigation |
| [ Not found ] | Test not performed or feature not installed |
| [ Disabled ] | Test disabled in config |
Scheduling rkhunter Scans
Cron Job Setup
```bash
# Edit root's crontab
sudo crontab -e
# Add a job that runs daily at 03:00 (--cronjob implies --check, --skip-keypress and --nocolors)
0 3 * * * /usr/bin/rkhunter --cronjob --rwo --quiet
# Or weekly, Sunday at 03:00
0 3 * * 0 /usr/bin/rkhunter --cronjob --rwo
# Debian/Ubuntu packages already ship /etc/cron.daily/rkhunter, controlled by CRON_DAILY_RUN in
# /etc/default/rkhunter; use either that or a crontab entry, not both
```
Systemd Timer (Modern Systems)
```ini
# /etc/systemd/system/rkhunter-scan.timer
[Unit]
Description=rkhunter Weekly Scan

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=timers.target
```
```ini
# /etc/systemd/system/rkhunter-scan.service
# No [Install] section: the timer starts this unit, so it is not enabled on its own
[Unit]
Description=rkhunter Scan Service

[Service]
Type=oneshot
ExecStart=/usr/bin/rkhunter --cronjob --rwo
```
```bash
# Load the new units and enable the timer
sudo systemctl daemon-reload
sudo systemctl enable --now rkhunter-scan.timer
# Confirm the next scheduled run
systemctl list-timers rkhunter-scan.timer
```
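Whichever scheduler you use, a scan only helps if a non-zero result is noticed and can be compared with earlier runs. The wrapper below is an added example, not part of rkhunter or of the units above: it runs the scan the same way the cron and timer entries do, keeps a date-stamped copy of the warnings-only output, and passes rkhunter's own exit status through (0 means no warnings, 1 means warnings or errors), so a systemd timer marks the unit as failed and cron mails the output. RKHUNTER_BIN, RKHUNTER_ARCHIVE and the function names are this example's own.

```shell
#!/usr/bin/env bash
# rkhunter-cron.sh: wrapper for the cron entry or systemd timer above.
# Added example, not an rkhunter script. It refreshes the definitions, runs the
# scan in cron mode, keeps a date-stamped copy of the warnings-only output, and
# exits with rkhunter's own status (0 = no warnings, 1 = warnings or errors).
# RKHUNTER_BIN and RKHUNTER_ARCHIVE are this example's names; override them to
# test as a non-root user.

RKHUNTER_BIN="${RKHUNTER_BIN:-/usr/bin/rkhunter}"
RKHUNTER_ARCHIVE="${RKHUNTER_ARCHIVE:-/var/log/rkhunter-archive}"

# run_scan -> prints the archived report path; returns rkhunter's exit status
run_scan() {
  local report rc=0
  mkdir -p "$RKHUNTER_ARCHIVE"
  report="$RKHUNTER_ARCHIVE/rkhunter-$(date +%Y%m%d-%H%M%S).txt"
  # --update exits non-zero when files were refreshed or a mirror is unreachable;
  # never let that abort the scan itself
  "$RKHUNTER_BIN" --update >/dev/null 2>&1 || true
  # --cronjob implies --check, --skip-keypress and --nocolors; --rwo keeps only warnings
  "$RKHUNTER_BIN" --cronjob --rwo >"$report" 2>&1 || rc=$?
  echo "$report"
  return "$rc"
}

# warning_count REPORT -> number of "Warning:" lines in a --rwo report
warning_count() {
  grep -c '^Warning:' "$1" || true   # grep exits 1 on zero matches; keep the "0"
}

main() {
  local report rc=0
  report=$(run_scan) || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "rkhunter: clean run, report kept at $report"
  else
    echo "rkhunter: $(warning_count "$report") warning(s), exit status $rc, see $report" >&2
  fi
  return "$rc"
}

# Only scan when invoked explicitly, e.g. ExecStart=/usr/local/sbin/rkhunter-cron.sh run
case "${1:-}" in run) main ;; esac
```

To use it from the timer, replace ExecStart with the path of this script followed by `run`; in a crontab the line is the same. The archive directory gives you one report per run, which is what the "store logs for comparison" practice below needs.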
rkhunter with Other Tools
Combined Security Scan Script
```bash
#!/bin/bash
# security-scan.sh

echo "=== Running rkhunter scan ==="
sudo rkhunter --check --skip-keypress --rwo
echo ""

echo "=== Running chkrootkit scan ==="
sudo chkrootkit
echo ""

echo "=== Checking for suspicious processes ==="
# Word boundaries keep "rsync" or "sync" from matching "nc"
ps aux | grep -E "\b(nc|ncat|netcat)\b|/dev/tcp" | grep -v grep
echo ""

echo "=== Checking network connections ==="
# ss replaces netstat on current distributions; fall back to netstat where ss is missing
if command -v ss >/dev/null 2>&1; then
  ss -tulnp | grep LISTEN | grep -v -E ":(22|80|443|3306|5432)\b"
else
  netstat -tulnp | grep LISTEN | grep -v -E ":(22|80|443|3306|5432)\b"
fi
```
rkhunter Whitelist Management
Whitelist Known Safe Files
```conf
# Add to /etc/rkhunter.conf
# Check the directive names against your installed rkhunter.conf and run "rkhunter -C" afterwards;
# the whitelist directives documented there are ALLOWHIDDENFILE, ALLOWHIDDENDIR, SCRIPTWHITELIST,
# PORT_WHITELIST and ALLOW_SSH_ROOT_USER, among others.

# Whitelist specific files
ALLOWKILLFILE=/etc/rkhunter/whitelist
ALLOWPROCDIRFILE=/var/run/myapp.pid

# Whitelist known system modifications
ALLOW_SUSPICIOUS_FILES=0

# Whitelist listening ports (TCP:<port> or UDP:<port>)
PORT_WHITELIST=TCP:22 TCP:80 TCP:443 TCP:3000

# Whitelist users
ALLOW_ROOT_USER=0
ALLOW_SSH_ROOT_USER=no

# Whitelist commands (if modified intentionally)
WHITELISTED_PKG="/usr/bin/ls"
WHITELISTED_PKG="/usr/bin/ps"
```
Best Practices
- Run regularly: schedule daily or weekly scans
- Update definitions: run rkhunter --update before each scan
- Store logs: keep scan results for comparison over time
- Review warnings: investigate every warning; false positives need a whitelist entry
- Monitor cron output: ensure email notifications work
- Test after system changes: run a scan after major updates
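Storing logs is only useful if you actually compare them. The script below is an added example, not an rkhunter script, that reads logs in the line format shown under "rkhunter Output Explained", counts the OK, Warning and Not found results, and lists the warnings present in today's log but absent from the previous one. The two sample logs are constructed for the demonstration, and the function names are the example's own.

```shell
#!/usr/bin/env bash
# rkhunter-log-review.sh: summarize one rkhunter log and list the warnings that
# are new compared with the previous run. Added example, not an rkhunter script.
# It assumes the log line shapes shown earlier: "[HH:MM:SS] <test> [ Warning ]"
# and "[HH:MM:SS] Warning: <detail>". Function names are this example's own.

# count_status LOG STATUS -> number of lines carrying "[ STATUS ]"
count_status() {
  grep -Fc "[ $2 ]" "$1" || true   # grep exits 1 on zero matches; keep the "0"
}

# summarize LOG -> "ok=N warning=N notfound=N"
summarize() {
  printf 'ok=%s warning=%s notfound=%s\n' \
    "$(count_status "$1" OK)" \
    "$(count_status "$1" Warning)" \
    "$(count_status "$1" 'Not found')"
}

# warnings LOG -> warning lines with the timestamp removed and de-duplicated,
# so the same finding compares equal from one run to the next
warnings() {
  sed -n 's/^\[[0-9:]*\] *//p' "$1" | grep -E '(\[ Warning \]$|^Warning:)' | sort -u
}

# new_warnings PREVIOUS_LOG CURRENT_LOG -> warnings present now but absent last time
new_warnings() {
  local prev cur
  prev=$(mktemp)
  cur=$(mktemp)
  warnings "$1" >"$prev"
  warnings "$2" >"$cur"
  comm -13 "$prev" "$cur"
  rm -f "$prev" "$cur"
}

# Constructed sample logs: yesterday's run and today's run
PREV_LOG=$(mktemp)
CUR_LOG=$(mktemp)
trap 'rm -f "$PREV_LOG" "$CUR_LOG"' EXIT
cat >"$PREV_LOG" <<'EOF'
[03:00:01] Checking system commands [ OK ]
[03:00:05] Checking for hidden files [ Warning ]
[03:00:05] Warning: Hidden file found: /etc/.java
[03:00:09] Checking for rootkits [ OK ]
EOF
cat >"$CUR_LOG" <<'EOF'
[03:00:01] Checking system commands [ Warning ]
[03:00:01] Warning: The file properties have changed: File: /usr/bin/ls
[03:00:05] Checking for hidden files [ Warning ]
[03:00:05] Warning: Hidden file found: /etc/.java
[03:00:09] Checking for rootkits [ OK ]
EOF

main() {
  echo "summary: $(summarize "$CUR_LOG")"
  echo "new warnings since previous run:"
  new_warnings "$PREV_LOG" "$CUR_LOG" | sed 's/^/  /'
}
main
```

On the sample data the summary is ok=1 warning=2 notfound=0, and the only new findings are the changed file properties of /usr/bin/ls; the hidden-file warning that was already known yesterday is not repeated, which is what lets a daily cron mail stay short enough to be read.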
False Positives and Mitigation
Common False Positives
- Custom compiled binaries (LSB scripts)
- Modified SSH daemon (from hardening)
- Custom kernel modules (e.g., ZFS)
- Installed monitoring agents
Handling False Positives
```bash
# 1. Verify the file is safe: find the package that owns it and verify that package's files
dpkg -S /path/to/known-safe-file && dpkg -V <package>   # Debian/Ubuntu; rpm -qf and rpm -V on RHEL
#    (or upload the file to virustotal.com for a second opinion)

# 2. Add a whitelist entry in rkhunter.conf, using the directive that matches the warning type
#    (for example ALLOWHIDDENFILE for a hidden file)
ALLOWKILLFILE=/path/to/known-safe-file

# 3. Check the config and update the file properties database
sudo rkhunter -C
sudo rkhunter --propupd

# 4. Report a confirmed false positive to the rkhunter developers
```
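Steps 2 and 3 above, and the whitelist section earlier, edit rkhunter.conf by hand. The script below is an added example, not part of rkhunter, that makes those edits repeatable: it appends a whitelist line only if it is not already present, replaces a single-valued setting instead of adding a second copy, and then runs rkhunter -C (the built-in config check) followed by --propupd. The directive names ALLOWHIDDENFILE, ALLOWHIDDENDIR, SCRIPTWHITELIST and ALLOW_SSH_ROOT_USER are real rkhunter.conf options; the paths in apply_whitelist are illustrative, and RKHUNTER_CONF and the function names are this example's own.

```shell
#!/usr/bin/env bash
# rkhunter-whitelist.sh: add whitelist directives to rkhunter.conf without
# duplicating them, then validate the result. Added example, not an rkhunter
# script. ALLOWHIDDENFILE, ALLOWHIDDENDIR, SCRIPTWHITELIST and
# ALLOW_SSH_ROOT_USER are real rkhunter.conf options; the paths below are
# illustrative, and RKHUNTER_CONF and the function names are this example's own.
# Override RKHUNTER_CONF to work on a copy.

RKHUNTER_CONF="${RKHUNTER_CONF:-/etc/rkhunter.conf}"

# is_repeatable DIRECTIVE -> 0 for directives that take one value per line and may
# appear many times, 1 for single-valued settings
is_repeatable() {
  case "$1" in
    ALLOWHIDDENFILE|ALLOWHIDDENDIR|SCRIPTWHITELIST|ALLOWDEVFILE|ALLOWPROCDELFILE) return 0 ;;
    *) return 1 ;;
  esac
}

# has_entry DIRECTIVE VALUE -> 0 if the exact active line DIRECTIVE=VALUE exists
# (a commented-out copy does not count)
has_entry() {
  grep -Fxq "$1=$2" "$RKHUNTER_CONF"
}

# count_entries DIRECTIVE -> number of active lines setting DIRECTIVE
count_entries() {
  grep -Ec "^[[:space:]]*$1=" "$RKHUNTER_CONF" || true
}

# add_entry DIRECTIVE VALUE: append if missing; a single-valued directive that is
# already set is replaced in place so the config never carries two values for it
add_entry() {
  local directive="$1" value="$2" line tmp
  line="$directive=$value"
  if has_entry "$directive" "$value"; then
    echo "present:  $line"
  elif ! is_repeatable "$directive" && [ "$(count_entries "$directive")" -gt 0 ]; then
    tmp=$(mktemp)
    # rewrite through a temp file and copy back, which keeps the config's owner and mode
    sed "s|^[[:space:]]*${directive}=.*|${line}|" "$RKHUNTER_CONF" >"$tmp"
    cat "$tmp" >"$RKHUNTER_CONF"
    rm -f "$tmp"
    echo "replaced: $line"
  else
    printf '%s\n' "$line" >>"$RKHUNTER_CONF"
    echo "added:    $line"
  fi
}

# apply_whitelist: the entries this host needs after confirmed false positives
apply_whitelist() {
  add_entry ALLOWHIDDENDIR /etc/.java
  add_entry ALLOWHIDDENFILE /etc/.updated
  add_entry SCRIPTWHITELIST /usr/bin/lwp-request
  add_entry ALLOW_SSH_ROOT_USER no
}

# validate: rkhunter -C parses the config and rejects unknown or malformed directives;
# --propupd then records the current file properties as the new baseline
validate() {
  rkhunter -C --configfile "$RKHUNTER_CONF" && rkhunter --propupd --configfile "$RKHUNTER_CONF"
}

# Only touch the live config when invoked explicitly: sudo ./rkhunter-whitelist.sh apply
case "${1:-}" in apply) apply_whitelist && validate ;; esac
```

Keep the list in apply_whitelist under version control alongside the rest of the host configuration; the script is safe to re-run, so it can be part of the same provisioning step that installs the custom binaries or kernel modules that caused the warnings in the first place.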
Conclusion
rkhunter is an essential tool for detecting rootkits and system compromises on Linux servers. Combined with ClamAV and chkrootkit, it provides a layered defence against sophisticated threats.
Key practices: run regularly, update definitions, investigate warnings, maintain a whitelist for known-safe modifications, and store logs for historical comparison.