When it comes to keeping your Linux server safe, rootkits are a major concern.

They are sneaky malware that can infect your Linux server without being noticed, making them a nightmare for server administrators.

In this tutorial, I'll walk you through the steps to scan for rootkits on your Linux server.

Preparation

To make the most of this guide, ensure you have a properly set up Ubuntu server.

👉
Check out my guide on preparing Ubuntu servers to ensure your server is properly set up.

If you don’t have one, consider getting a free VPS server to follow along.

What are Rootkits?

Rootkits are malware designed to hide. Once installed they tamper with the tools you would use to find them, so they can stay on a server for a long time, and some are very hard, occasionally practically impossible, to detect from inside the running system.

Once a rootkit is in place it gives the attacker quiet, persistent control: it can hide their processes, files and network connections, capture credentials and other sensitive data, and keep a backdoor open so they can come back whenever they like.

A user-mode rootkit might replace commands such as ls, ps or netstat with trojaned versions that behave normally but silently omit the attacker's files, processes and connections from their output. A kernel-mode rootkit goes further and hooks the kernel itself, so even an untouched ls is lied to.

They can infect any operating system, including Linux.

Key Considerations

Installing a rootkit requires root privileges. An attacker first needs a foothold on the server (a weak SSH password, an exposed vulnerable service, a stolen key) and then a way to escalate to root.

That's why it's crucial to keep bad actors out in the first place: every step of that chain you block is a rootkit that never gets planted.

Following essential security measures such as adding a non-root user and disabling direct root login, implementing a firewall, securing SSH, and keeping packages up to date removes most of the ways a rootkit gets installed at all. Detection software is the second layer, not a substitute for those basics.

The last crucial point is that no tool detects every rootkit. Rootkit Hunter is a good option, but it works mostly from known rootkit signatures, file-property checks and a few heuristics, so a new or well-hidden rootkit, especially a kernel-mode one, can slip past it. Treat a clean scan as "nothing known was found", not as proof the server is clean.

Installing Rootkit Hunter

To install Rootkit Hunter, use the following command:

sudo apt install rkhunter

Once it is installed, the first thing to do is to run this command:

sudo rkhunter --propupd

This command records the current properties (hashes, sizes, permissions, and so on) of important system files into a local database. Later scans compare the live files against this baseline and warn about anything that changed.

Because of that, only run --propupd on a server you trust to be clean, ideally immediately after installation. If a trojaned ls is already in place when you build the baseline, rkhunter will happily record it as "known good". You will also need to re-run --propupd after legitimate package upgrades, otherwise the next scan warns about every updated binary; on Ubuntu, /etc/default/rkhunter has an APT_AUTOGEN setting that can do this automatically after apt runs.

Next we need to update the rootkit signatures. On Ubuntu the package ships with remote updates disabled (WEB_CMD is set to /bin/false), so rkhunter --update fails until we adjust three settings in its main configuration file.

Open the /etc/rkhunter.conf file and locate these three variables:

UPDATE_MIRRORS
MIRRORS_MODE
WEB_CMD

Change their values to look like this:

UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""

UPDATE_MIRRORS=1 lets rkhunter refresh its mirrors list as part of an update, MIRRORS_MODE=0 allows any mirror (local or remote) to be used, and an empty WEB_CMD removes the /bin/false override so rkhunter uses its normal download tool (wget or curl).

Now, use the following command to update the rootkit signatures:

sudo rkhunter --update

And that's it for installing Rootkit Hunter.

Running a Scan

After successfully installing and updating Rootkit Hunter, it is time for a scan.

Use the following command to scan for rootkits:

sudo rkhunter -c

The scan will take some time and will consume server resources, so ensure you have sufficient resources available.

When running a scan using only the -c option, Rootkit Hunter pauses after each group of checks and prompts you to press the ENTER key before continuing, which is fine interactively but useless in a script or cron job.

Use the following command instead:

sudo rkhunter -c --cronjob --rwo

The --cronjob option does not schedule anything itself; it switches rkhunter into the non-interactive mode intended for cron jobs (it implies --check, disables colours and skips the ENTER prompts), so the whole scan runs unattended.

The --rwo option (--report-warnings-only) prints only warnings to the terminal instead of the full check-by-check output. The complete results are still written to /var/log/rkhunter.log, which is where you should look when a warning appears.

If you only want to get rid of the prompts, the --sk (--skip-keypress) option does just that.

When the scan finishes, rkhunter's exit status is 0 if no warnings were raised and non-zero otherwise, which makes it easy to alert from a script. Warnings are not automatically bad: hidden directories such as /etc/.java and binaries changed by a package upgrade are common benign causes, so read each one before you panic, and re-run --propupd once you have confirmed a change is legitimate.
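The following shell script, added here as an example rather than taken from the tutorial or from the rkhunter project, ties the two hands-on steps above together: it applies the three rkhunter.conf settings with an idempotent helper (safe to re-run from a provisioning script) and shows how a cron wrapper can pull the warnings out of an rkhunter log. The rkhunter.conf and rkhunter.log contents it creates are constructed samples, not copies of real Ubuntu files; the scan_and_report function is defined but not called, because it needs root and a real rkhunter install.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): script the rkhunter.conf
# changes and summarise warnings from an rkhunter log. Sample files below are
# constructed for the demo.

# set_conf_var FILE VAR VALUE
# Replace an existing "VAR=" line (active or commented out) or append one, so
# running this twice leaves the file unchanged. A temp file is used instead of
# sed -i so the script works with both GNU and BSD sed.
set_conf_var() {
  file="$1"; var="$2"; value="$3"
  if grep -q "^#*[[:space:]]*${var}=" "$file"; then
    sed "s|^#*[[:space:]]*${var}=.*|${var}=${value}|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$var" "$value" >> "$file"
  fi
}

# Apply the three settings the tutorial changes in /etc/rkhunter.conf.
configure_rkhunter_updates() {
  set_conf_var "$1" UPDATE_MIRRORS 1
  set_conf_var "$1" MIRRORS_MODE 0
  set_conf_var "$1" WEB_CMD '""'
}

# conf_value FILE VAR: print the active value of VAR (empty if unset).
conf_value() {
  sed -n "s/^${2}=//p" "$1" | tail -n 1
}

# count_warnings LOG: number of "Warning:" lines in an rkhunter log.
# Log lines carry a [HH:MM:SS] prefix; --rwo output on stdout does not, so the
# timestamp is optional. "[ Warning ]" status markers are not counted.
count_warnings() {
  grep -c -E '^(\[[0-9:]+\][[:space:]]*)?Warning:' "$1" || true
}

# warning_summary LOG: print each warning's text without the timestamp.
warning_summary() {
  sed -n -E 's/^(\[[0-9:]+\][[:space:]]*)?Warning: *//p' "$1"
}

# Cron wrapper: non-interactive scan, then a summary only when rkhunter's exit
# status reports warnings (0 = clean, non-zero = warnings). Not invoked here:
# it needs root and a real rkhunter installation.
scan_and_report() {
  if ! rkhunter -c --cronjob --rwo; then
    warning_summary /var/log/rkhunter.log
  fi
}

# Constructed samples standing in for /etc/rkhunter.conf and /var/log/rkhunter.log.
tmp="$(mktemp -d)"
cat > "$tmp/rkhunter.conf" <<'EOF'
# Constructed sample modelled on a config with remote updates disabled
#UPDATE_MIRRORS=1
MIRRORS_MODE=1
WEB_CMD="/bin/false"
EOF

cat > "$tmp/rkhunter.log" <<'EOF'
[10:02:11] Info: Starting system checks...
[10:02:12] Checking for hidden files and directories               [ Warning ]
[10:02:12] Warning: Hidden file found: /etc/.java: directory
[10:02:15] Warning: The command '/usr/bin/ls' has been replaced by a script
[10:02:20] System checks summary
EOF

configure_rkhunter_updates "$tmp/rkhunter.conf"
echo "Updated config:"; cat "$tmp/rkhunter.conf"
echo "Warnings: $(count_warnings "$tmp/rkhunter.log")"
warning_summary "$tmp/rkhunter.log"
```

Run it with sh to see the rewritten config followed by the two warning lines. Point configure_rkhunter_updates at the real /etc/rkhunter.conf (as root) to apply the settings, and wire scan_and_report into a daily cron entry once rkhunter is installed; since rkhunter returns non-zero on warnings, cron's mail or your alerting of choice will only fire when there is something to read.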

Conclusion and Final Thoughts

Great job reaching the end!

I hope this tutorial has been helpful for you in protecting your Linux server from rootkits.

🙆‍♂️
There's more to securing Linux servers. I’ve created a comprehensive guide on server security and hardening, where I share the exact security measures I implement on my own servers.

If you found value in this tutorial or have any questions or feedback, please don't hesitate to share your thoughts in the discussion section.

Your input is greatly appreciated, and you can also contact me directly if you prefer.