如果你是youcl.com的常客,你会注意到这是我们关于安全工具的第三篇文章。 在我们之前的两篇文章中,我们已经给你如何从恶意软件 ,DoS和DDoS攻击使用安全的Apache和Linux系统的所有指导的mod_security和mod_evasive和LMD(Linux的恶意软件检测) 。
我们再次在这里引入所谓的Rkhunter(Rootkit的猎人 )的新安全工具。 本文将指导你的方式来安装和使用源代码的Linux系统配置RKH(Rootkit的猎人 )。
Rootkit Hunter - 扫描Linux系统的Rootkit,后门和本地漏洞
什么是Rkhunter?
Rkhunter(Rootkit的亨特 )是一个开源的Linux系统的Unix / Linux的扫描工具,根据GPL,它可以扫描你的系统后门,后门和本地攻击释放。
它可以扫描隐藏文件,二进制文件上设置错误的权限,内核等可疑字符串要了解更多关于Rkhunter及其功能参观http://www.rootkit.nl/ 。
在Linux系统中安装Rootkit Hunter Scanner
第1步:下载Rkhunter
首先要下载Rkhunter工具的最新的稳定版本http://www.rootkit.nl/projects/rootkit_hunter.html或者使用下面的命令Wget的下载它在你的系统中。
# cd /tmp # wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
第2步:安装Rkhunter
一旦你已经下载了最新版本,以root用户来安装它运行以下命令。
# tar -xvf rkhunter-1.4.2.tar.gz # cd rkhunter-1.4.2 # ./installer.sh --layout default --install
示例输出
Checking system for: Rootkit Hunter installer files: found A web file download command: wget found Starting installation: Checking installation directory "/usr/local": it exists and is writable. Checking installation directories: Directory /usr/local/share/doc/rkhunter-1.4.2: creating: OK Directory /usr/local/share/man/man8: exists and is writable. Directory /etc: exists and is writable. Directory /usr/local/bin: exists and is writable. Directory /usr/local/lib64: exists and is writable. Directory /var/lib: exists and is writable. Directory /usr/local/lib64/rkhunter/scripts: creating: OK Directory /var/lib/rkhunter/db: creating: OK Directory /var/lib/rkhunter/tmp: creating: OK Directory /var/lib/rkhunter/db/i18n: creating: OK Directory /var/lib/rkhunter/db/signatures: creating: OK Installing check_modules.pl: OK Installing filehashsha.pl: OK Installing stat.pl: OK Installing readlink.sh: OK Installing backdoorports.dat: OK Installing mirrors.dat: OK Installing programs_bad.dat: OK Installing suspscan.dat: OK Installing rkhunter.8: OK Installing ACKNOWLEDGMENTS: OK Installing CHANGELOG: OK Installing FAQ: OK Installing LICENSE: OK Installing README: OK Installing language support files: OK Installing ClamAV signatures: OK Installing rkhunter: OK Installing rkhunter.conf: OK Installation complete
第3步:更新Rkhunter
运行RKH更新通过运行以下命令来填充数据库属性。
# /usr/local/bin/rkhunter --update # /usr/local/bin/rkhunter --propupd
示例输出
[ Rootkit Hunter version 1.4.2 ] Checking rkhunter data files... Checking file mirrors.dat [ No update ] Checking file programs_bad.dat [ Updated ] Checking file backdoorports.dat [ No update ] Checking file suspscan.dat [ No update ] Checking file i18n/cn [ No update ] Checking file i18n/de [ No update ] Checking file i18n/en [ No update ] Checking file i18n/tr [ No update ] Checking file i18n/tr.utf8 [ No update ] Checking file i18n/zh [ No update ] Checking file i18n/zh.utf8 [ No update ] [ Rootkit Hunter version 1.4.2 ] File created: searched for 174 files, found 137
第4步:设置Cronjob和电子邮件警报
创建名为下/etc/cron.daily/ rkhunter.sh文件,然后每天会扫描你的文件系统,并发送电子邮件通知到您的电子邮件ID。 在您喜欢的编辑器的帮助下创建以下文件。
# vi /etc/cron.daily/rkhunter.sh
添加以下代码行,并与你的“ 电子邮件ID”替换“YourServerNameHere”与“ 服务器名称 ”和“your@email.com”。
#!/bin/sh ( /usr/local/bin/rkhunter --versioncheck /usr/local/bin/rkhunter --update /usr/local/bin/rkhunter --cronjob --report-warnings-only ) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com
对文件设置执行权限。
# chmod 755 /etc/cron.daily/rkhunter.sh
第5步:手动扫描和使用
要扫描整个文件系统,运行Rkhunter作为根用户。
# rkhunter --check
示例输出
[ Rootkit Hunter version 1.4.2 ] Checking system commands... Performing 'strings' command checks Checking 'strings' command [ OK ] Performing 'shared libraries' checks Checking for preloading variables [ None found ] Checking for preloaded libraries [ None found ] Checking LD_LIBRARY_PATH variable [ Not found ] Performing file properties checks Checking for prerequisites [ OK ] /usr/local/bin/rkhunter [ OK ] /usr/sbin/adduser [ OK ] /usr/sbin/chkconfig [ OK ] /usr/sbin/chroot [ OK ] /usr/sbin/depmod [ OK ] /usr/sbin/fsck [ OK ] /usr/sbin/fuser [ OK ] /usr/sbin/groupadd [ OK ] /usr/sbin/groupdel [ OK ] /usr/sbin/groupmod [ OK ] /usr/sbin/grpck [ OK ] /usr/sbin/ifconfig [ OK ] /usr/sbin/ifdown [ Warning ] /usr/sbin/ifup [ Warning ] /usr/sbin/init [ OK ] /usr/sbin/insmod [ OK ] /usr/sbin/ip [ OK ] /usr/sbin/lsmod [ OK ] /usr/sbin/lsof [ OK ] /usr/sbin/modinfo [ OK ] /usr/sbin/modprobe [ OK ] /usr/sbin/nologin [ OK ] /usr/sbin/pwck [ OK ] /usr/sbin/rmmod [ OK ] /usr/sbin/route [ OK ] /usr/sbin/rsyslogd [ OK ] /usr/sbin/runlevel [ OK ] /usr/sbin/sestatus [ OK ] /usr/sbin/sshd [ OK ] /usr/sbin/sulogin [ OK ] /usr/sbin/sysctl [ OK ] /usr/sbin/tcpd [ OK ] /usr/sbin/useradd [ OK ] /usr/sbin/userdel [ OK ] /usr/sbin/usermod [ OK ] .... [Press to continue] Checking for rootkits... Performing check of known rootkit files and directories 55808 Trojan - Variant A [ Not found ] ADM Worm [ Not found ] AjaKit Rootkit [ Not found ] Adore Rootkit [ Not found ] aPa Kit [ Not found ] ..... [Press to continue] Performing additional rootkit checks Suckit Rookit additional checks [ OK ] Checking for possible rootkit files and directories [ None found ] Checking for possible rootkit strings [ None found ] .... [Press to continue] Checking the network... Performing checks on the network ports Checking for backdoor ports [ None found ] .... Performing system configuration file checks Checking for an SSH configuration file [ Found ] Checking if SSH root access is allowed [ Warning ] Checking if SSH protocol v1 is allowed [ Warning ] Checking for a running system logging daemon [ Found ] Checking for a system logging configuration file [ Found ] Checking if syslog remote logging is allowed [ Not allowed ] ... System checks summary ===================== File properties checks... Files checked: 137 Suspect files: 6 Rootkit checks... Rootkits checked : 383 Possible rootkits: 0 Applications checks... Applications checked: 5 Suspect applications: 2 The system checks took: 5 minutes and 38 seconds All results have been written to the log file: /var/log/rkhunter.log One or more warnings have been found while checking the system. Please check the log file (/var/log/rkhunter.log)
上述命令下与Rkhunter做出的检查结果/var/log/rkhunter.log生成日志文件。
# cat /var/log/rkhunter.log
示例输出
03:33:40] Running Rootkit Hunter version 1.4.2 on server [03:33:40] [03:33:40] Info: Start date is Tue May 31 03:33:40 EDT 2016 [03:33:40] [03:33:40] Checking configuration file and command-line options... [03:33:40] Info: Detected operating system is 'Linux' [03:33:40] Info: Found O/S name: CentOS Linux release 7.2.1511 (Core) [03:33:40] Info: Command line is /usr/local/bin/rkhunter --check [03:33:40] Info: Environment shell is /bin/bash; rkhunter is using bash [03:33:40] Info: Using configuration file '/etc/rkhunter.conf' [03:33:40] Info: Installation directory is '/usr/local' [03:33:40] Info: Using language 'en' [03:33:40] Info: Using '/var/lib/rkhunter/db' as the database directory [03:33:40] Info: Using '/usr/local/lib64/rkhunter/scripts' as the support script directory [03:33:40] Info: Using '/usr/lib64/qt-3.3/bin /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /bin /sbin /usr/libexec /usr/local/libexec' as the command directories [03:33:40] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory [03:33:40] Info: No mail-on-warning address configured [03:33:40] Info: X will be automatically detected [03:33:40] Info: Found the 'basename' command: /usr/bin/basename [03:33:40] Info: Found the 'diff' command: /usr/bin/diff [03:33:40] Info: Found the 'dirname' command: /usr/bin/dirname [03:33:40] Info: Found the 'file' command: /usr/bin/file [03:33:40] Info: Found the 'find' command: /usr/bin/find [03:33:40] Info: Found the 'ifconfig' command: /usr/sbin/ifconfig [03:33:40] Info: Found the 'ip' command: /usr/sbin/ip ...
有关更多信息和选项,请运行以下命令。
# rkhunter --help
如果你喜欢这篇文章,那么分享是正确的方式说感谢。
