Rkhunter for EC2-Abuse

Installing Rkhunter 1.4.0

wget "http://sourceforge.net/projects/rkhunter/files/latest/download?source=files"
mv download** rk.tar.gz
tar xvzf rk.tar.gz

Inside, we should see a “files” directory, and an installer script. We will use this to install our program. Specify the layout to install it in the /usr directory so that it will be in our default path:

sudo ./installer.sh --layout /usr --install

This will install the software and the configuration files.

Now, we have rkhunter installed, but we still need some utilities to use all of its functionality. We can get these from the Ubuntu repositories:

yum install binutils libreadline5 libruby1.8 ruby ruby1.8 ssl-cert unhide.rb mailutils

we need to perform a similar option to update our data files. These files contain information that rkhunter checks against to determine if a file or behavior is suspicious or not. Keeping these files current is essential for accurately assessing your system:

sudo rkhunter --update

With our database files refreshed, we can set our baseline file properties so that rkhunter can alert us if any of the essential configuration files it tracks are altered. We need to tell rkhunter to check the current values and store them as known-good values:

sudo rkhunter --propupd

Finally, we are ready to perform our initial run. This will produce some warnings. This is expected behavior, because rkhunter is configured to be generic and Ubuntu diverges from the expected defaults in some places. We will tell rkhunter about these afterwards:

sudo rkhunter -c --enable all --disable none

SOURCE : https://www.digitalocean.com/community/articles/how-to-use-rkhunter-to-guard-against-rootkits-on-an-ubuntu-vps


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s