Installing the intrusion detection tool rkhunter
rkhunter (Rootkit Hunter) is an open-source rootkit scanner for Linux. Its coverage is broader than chkrootkit's: besides matching known rootkit signatures (files, directories and strings), it compares the listening ports against a list of known backdoor ports, checks the versions of a few commonly installed packages (OpenSSL, OpenSSH, GnuPG and so on) against known-vulnerable releases, and detects changes to system binaries by comparing them with a file properties baseline.
The project site is http://www.rootkit.nl/; at the time of writing the latest release is rkhunter-1.3.8.
Test environment: CentOS 5.8 (x86_64):
Linux C1gstudio 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
1. Installation
Install into a custom directory, /usr/local/rkhunter. Before unpacking, compare the tarball against the checksums published on the project site; a rootkit scanner is exactly the kind of tool you do not want to install from a tampered mirror.
- wget http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz
- tar zxvf rkhunter-1.3.8.tar.gz
- cd rkhunter-1.3.8
- mkdir -p /usr/local/rkhunter
- ./installer.sh --layout custom /usr/local/rkhunter --install
- Note: Directory /usr/local/rkhunter/bin is not in your PATH
- Checking system for:
- Rootkit Hunter installer files: found
- A web file download command: wget found
- Starting installation:
- Checking installation directory "/usr/local/rkhunter": it exists and is writable.
- Checking installation directories:
- Directory /usr/local/rkhunter/share/doc/rkhunter-1.3.8: creating: OK
- Directory /usr/local/rkhunter/share/man/man8: creating: OK
- Directory /usr/local/rkhunter/etc: creating: OK
- Directory /usr/local/rkhunter/bin: creating: OK
- Directory /usr/local/rkhunter/lib64: creating: OK
- Directory /usr/local/rkhunter/var/lib: creating: OK
- Directory /usr/local/rkhunter/lib64/rkhunter/scripts: creating: OK
- Directory /usr/local/rkhunter/var/lib/rkhunter/db: creating: OK
- Directory /usr/local/rkhunter/var/lib/rkhunter/tmp: creating: OK
- Directory /usr/local/rkhunter/var/lib/rkhunter/db/i18n: creating: OK
- Installing check_modules.pl: OK
- Installing filehashsha.pl: OK
- Installing stat.pl: OK
- Installing readlink.sh: OK
- Installing backdoorports.dat: OK
- Installing mirrors.dat: OK
- Installing programs_bad.dat: OK
- Installing suspscan.dat: OK
- Installing rkhunter.8: OK
- Installing ACKNOWLEDGMENTS: OK
- Installing CHANGELOG: OK
- Installing FAQ: OK
- Installing LICENSE: OK
- Installing README: OK
- Installing language support files: OK
- Installing rkhunter: OK
- Installing rkhunter.conf: OK
- Installation complete
/usr/local/rkhunter/bin/rkhunter --help
- Usage: rkhunter {--check | --unlock | --update | --versioncheck |
- --propupd [{filename | directory | package name},...] |
- --list [{tests | {lang | languages} | rootkits | perl}] |
- --config-check | --version | --help} [options]
- Current options are:
- --append-log Append to the logfile, do not overwrite
- --bindir <directory>... Use the specified command directories
- -c, --check Check the local system
- -C, --config-check Check the configuration file(s), then exit
- --cs2, --color-set2 Use the second color set for output
- --configfile <file> Use the specified configuration file
- --cronjob Run as a cron job
- (implies -c, --sk and --nocolors options)
- --dbdir <directory> Use the specified database directory
- --debug Debug mode
- (Do not use unless asked to do so)
- --disable <test>[,<test>...] Disable specific tests
- (Default is to disable no tests)
- --display-logfile Display the logfile at the end
- --enable <test>[,<test>...] Enable specific tests
- (Default is to enable all tests)
- --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
- NONE | <command>} Use the specified file hash function
- (Default is SHA1, then MD5)
- -h, --help Display this help menu, then exit
- --lang, --language <language> Specify the language to use
- (Default is English)
- --list [tests | languages | List the available test names, languages, checked
- rootkits | perl] for rootkits, or perl module status, then exit
- -l, --logfile [file] Write to a logfile
- (Default is /var/log/rkhunter.log)
- --noappend-log Do not append to the logfile, overwrite it
- --nocf Do not use the configuration file entries
- for disabled tests (only valid with --disable)
- --nocolors Use black and white output
- --nolog Do not write to a logfile
- --nomow, --no-mail-on-warning Do not send a message if warnings occur
- --ns, --nosummary Do not show the summary of check results
- --novl, --no-verbose-logging No verbose logging
- --pkgmgr {RPM | DPKG | BSD | Use the specified package manager to obtain or
- SOLARIS | NONE} verify file property values. (Default is NONE)
- --propupd [file | directory | Update the entire file properties database,
- package]... or just for the specified entries
- -q, --quiet Quiet mode (no output at all)
- --rwo, --report-warnings-only Show only warning messages
- -r, --rootdir <directory> Use the specified root directory
- --sk, --skip-keypress Don't wait for a keypress after each test
- --summary Show the summary of system check results
- (This is the default)
- --syslog [facility.priority] Log the check start and finish times to syslog
- (Default level is authpriv.notice)
- --tmpdir <directory> Use the specified temporary directory
- --unlock Unlock (remove) the lock file
- --update Check for updates to database files
- --vl, --verbose-logging Use verbose logging (on by default)
- -V, --version Display the version number, then exit
- --versioncheck Check for latest version of program
- -x, --autox Automatically detect if X is in use
- -X, --no-autox Do not automatically detect if X is in use
Update the data files (rootkit signatures, the backdoor port list, the known-bad program versions). The installer noted that /usr/local/rkhunter/bin is not in PATH, so the binary is called by its full path throughout:
/usr/local/rkhunter/bin/rkhunter --update
- [ Rootkit Hunter version 1.3.8 ]
- Checking rkhunter data files...
- Checking file mirrors.dat [ No update ]
- Checking file programs_bad.dat [ Updated ]
- Checking file backdoorports.dat [ No update ]
- Checking file suspscan.dat [ No update ]
- Checking file i18n/cn [ No update ]
- Checking file i18n/de [ No update ]
- Checking file i18n/en [ No update ]
- Checking file i18n/zh [ No update ]
- Checking file i18n/zh.utf8 [ No update ]
ll /usr/local/rkhunter/var/lib/rkhunter/db/
- total 20
- -rw-r----- 1 root root 1055 Apr 9 13:43 backdoorports.dat
- drwxr-x--- 2 root root 4096 Apr 9 13:43 i18n
- -rw-r----- 1 root root 58 Apr 9 13:44 mirrors.dat
- -rw-r----- 1 root root 3203 Apr 9 13:44 programs_bad.dat
- -rw-r----- 1 root root 1904 Apr 9 13:43 suspscan.dat
Create the file properties baseline while the system is known to be clean, ideally right after installation and before the host is exposed to the network. Every later check compares the current hashes, permissions and ownership of the monitored binaries against this database, so a baseline taken from an already compromised host would only whitelist the compromise:
/usr/local/rkhunter/bin/rkhunter --propupd
[ Rootkit Hunter version 1.3.8 ]
File created: searched for 164 files, found 135
Two new files appear, rkhunter.dat and rkhunter_prop_list.dat:
ll /usr/local/rkhunter/var/lib/rkhunter/db/
- total 68
- -rw-r----- 1 root root 1055 Apr 9 13:43 backdoorports.dat
- drwxr-x--- 2 root root 4096 Apr 9 13:43 i18n
- -rw-r----- 1 root root 58 Apr 9 13:44 mirrors.dat
- -rw-r----- 1 root root 3203 Apr 9 13:44 programs_bad.dat
- -rw-r----- 1 root root 12958 Apr 9 13:47 rkhunter.dat
- -rw-r----- 1 root root 31798 Apr 9 13:47 rkhunter_prop_list.dat
- -rw-r----- 1 root root 1904 Apr 9 13:43 suspscan.dat
2. Run the check. Anything suspicious is flagged in red as Warning:
/usr/local/rkhunter/bin/rkhunter -c --sk
- [ Rootkit Hunter version 1.3.8 ]
- Checking system commands...
- Performing 'strings' command checks
- Checking 'strings' command [ OK ]
- Performing 'shared libraries' checks
- Checking for preloading variables [ None found ]
- Checking for preloaded libraries [ None found ]
- Checking LD_LIBRARY_PATH variable [ OK ]
- Performing file properties checks
- Checking for prerequisites [ OK ]
- /sbin/chkconfig [ OK ]
- /sbin/depmod [ OK ]
- /sbin/fsck [ OK ]
- /sbin/fuser [ OK ]
- /sbin/ifconfig [ OK ]
- /sbin/ifdown [ Warning ]
- /sbin/ifup [ Warning ]
- /sbin/init [ OK ]
- /sbin/insmod [ OK ]
- /sbin/ip [ OK ]
- /sbin/kudzu [ OK ]
- /sbin/lsmod [ OK ]
- /sbin/modinfo [ OK ]
- /sbin/modprobe [ OK ]
- /sbin/nologin [ OK ]
- /sbin/rmmod [ OK ]
- /sbin/route [ OK ]
- /sbin/rsyslogd [ OK ]
- /sbin/runlevel [ OK ]
- /sbin/sulogin [ OK ]
- /sbin/sysctl [ OK ]
- /sbin/syslogd [ OK ]
- /bin/awk [ OK ]
- /bin/basename [ OK ]
- /bin/bash [ OK ]
- /bin/cat [ OK ]
- /bin/chmod [ OK ]
- /bin/chown [ OK ]
- /bin/cp [ OK ]
- /bin/csh [ OK ]
- /bin/cut [ OK ]
- /bin/date [ OK ]
- /bin/df [ OK ]
- /bin/dmesg [ OK ]
- /bin/echo [ OK ]
- /bin/ed [ OK ]
- /bin/egrep [ OK ]
- /bin/env [ OK ]
- /bin/fgrep [ OK ]
- /bin/grep [ OK ]
- /bin/kill [ OK ]
- /bin/logger [ OK ]
- /bin/login [ OK ]
- /bin/ls [ OK ]
- /bin/mail [ OK ]
- /bin/mktemp [ OK ]
- /bin/more [ OK ]
- /bin/mount [ OK ]
- /bin/mv [ OK ]
- /bin/netstat [ OK ]
- /bin/ps [ OK ]
- /bin/pwd [ OK ]
- /bin/rpm [ OK ]
- /bin/sed [ OK ]
- /bin/sh [ OK ]
- /bin/sort [ OK ]
- /bin/su [ OK ]
- /bin/touch [ OK ]
- /bin/uname [ OK ]
- /bin/gawk [ OK ]
- /bin/tcsh [ OK ]
- /usr/sbin/adduser [ OK ]
- /usr/sbin/chroot [ OK ]
- /usr/sbin/groupadd [ OK ]
- /usr/sbin/groupdel [ OK ]
- /usr/sbin/groupmod [ OK ]
- /usr/sbin/grpck [ OK ]
- /usr/sbin/kudzu [ OK ]
- /usr/sbin/lsof [ OK ]
- /usr/sbin/prelink [ OK ]
- /usr/sbin/pwck [ OK ]
- /usr/sbin/sestatus [ OK ]
- /usr/sbin/tcpd [ OK ]
- /usr/sbin/useradd [ OK ]
- /usr/sbin/userdel [ OK ]
- /usr/sbin/usermod [ OK ]
- /usr/sbin/vipw [ OK ]
- /usr/bin/awk [ OK ]
- /usr/bin/chattr [ OK ]
- /usr/bin/curl [ OK ]
- /usr/bin/cut [ OK ]
- /usr/bin/diff [ OK ]
- /usr/bin/dirname [ OK ]
- /usr/bin/du [ OK ]
- /usr/bin/env [ OK ]
- /usr/bin/file [ OK ]
- /usr/bin/find [ OK ]
- /usr/bin/groups [ Warning ]
- /usr/bin/head [ OK ]
- /usr/bin/id [ OK ]
- /usr/bin/kill [ OK ]
- /usr/bin/killall [ OK ]
- /usr/bin/last [ OK ]
- /usr/bin/lastlog [ OK ]
- /usr/bin/ldd [ Warning ]
- /usr/bin/less [ OK ]
- /usr/bin/locate [ OK ]
- /usr/bin/logger [ OK ]
- /usr/bin/lsattr [ OK ]
- /usr/bin/md5sum [ OK ]
- /usr/bin/newgrp [ OK ]
- /usr/bin/passwd [ OK ]
- /usr/bin/perl [ OK ]
- /usr/bin/pgrep [ OK ]
- /usr/bin/pstree [ OK ]
- /usr/bin/readlink [ OK ]
- /usr/bin/runcon [ OK ]
- /usr/bin/sha1sum [ OK ]
- /usr/bin/sha224sum [ OK ]
- /usr/bin/sha256sum [ OK ]
- /usr/bin/sha384sum [ OK ]
- /usr/bin/sha512sum [ OK ]
- /usr/bin/size [ OK ]
- /usr/bin/stat [ OK ]
- /usr/bin/strace [ OK ]
- /usr/bin/strings [ OK ]
- /usr/bin/sudo [ OK ]
- /usr/bin/tail [ OK ]
- /usr/bin/test [ OK ]
- /usr/bin/top [ OK ]
- /usr/bin/tr [ OK ]
- /usr/bin/uniq [ OK ]
- /usr/bin/users [ OK ]
- /usr/bin/vmstat [ OK ]
- /usr/bin/w [ OK ]
- /usr/bin/watch [ OK ]
- /usr/bin/wc [ OK ]
- /usr/bin/wget [ OK ]
- /usr/bin/whatis [ Warning ]
- /usr/bin/whereis [ OK ]
- /usr/bin/which [ OK ]
- /usr/bin/who [ OK ]
- /usr/bin/whoami [ OK ]
- /usr/bin/gawk [ OK ]
- /usr/local/rkhunter/etc/rkhunter.conf [ OK ]
- Checking for rootkits...
- Performing check of known rootkit files and directories
- 55808 Trojan - Variant A [ Not found ]
- ADM Worm [ Not found ]
- AjaKit Rootkit [ Not found ]
- Adore Rootkit [ Not found ]
- aPa Kit [ Not found ]
- Apache Worm [ Not found ]
- Ambient (ark) Rootkit [ Not found ]
- Balaur Rootkit [ Not found ]
- BeastKit Rootkit [ Not found ]
- beX2 Rootkit [ Not found ]
- BOBKit Rootkit [ Not found ]
- cb Rootkit [ Not found ]
- CiNIK Worm (Slapper.B variant) [ Not found ]
- Danny-Boy's Abuse Kit [ Not found ]
- Devil RootKit [ Not found ]
- Dica-Kit Rootkit [ Not found ]
- Dreams Rootkit [ Not found ]
- Duarawkz Rootkit [ Not found ]
- Enye LKM [ Not found ]
- Flea Linux Rootkit [ Not found ]
- FreeBSD Rootkit [ Not found ]
- Fu Rootkit [ Not found ]
- Fuck`it Rootkit [ Not found ]
- GasKit Rootkit [ Not found ]
- Heroin LKM [ Not found ]
- HjC Kit [ Not found ]
- ignoKit Rootkit [ Not found ]
- iLLogiC Rootkit [ Not found ]
- IntoXonia-NG Rootkit [ Not found ]
- Irix Rootkit [ Not found ]
- Kitko Rootkit [ Not found ]
- Knark Rootkit [ Not found ]
- ld-linuxv.so Rootkit [ Not found ]
- Li0n Worm [ Not found ]
- Lockit / LJK2 Rootkit [ Not found ]
- Mood-NT Rootkit [ Not found ]
- MRK Rootkit [ Not found ]
- Ni0 Rootkit [ Not found ]
- Ohhara Rootkit [ Not found ]
- Optic Kit (Tux) Worm [ Not found ]
- Oz Rootkit [ Not found ]
- Phalanx Rootkit [ Not found ]
- Phalanx2 Rootkit [ Not found ]
- Phalanx2 Rootkit (extended tests) [ Not found ]
- Portacelo Rootkit [ Not found ]
- R3dstorm Toolkit [ Not found ]
- RH-Sharpe's Rootkit [ Not found ]
- RSHA's Rootkit [ Not found ]
- Scalper Worm [ Not found ]
- Sebek LKM [ Not found ]
- Shutdown Rootkit [ Not found ]
- SHV4 Rootkit [ Not found ]
- SHV5 Rootkit [ Not found ]
- Sin Rootkit [ Not found ]
- Slapper Worm [ Not found ]
- Sneakin Rootkit [ Not found ]
- 'Spanish' Rootkit [ Not found ]
- Suckit Rootkit [ Not found ]
- SunOS Rootkit [ Not found ]
- SunOS / NSDAP Rootkit [ Not found ]
- Superkit Rootkit [ Not found ]
- TBD (Telnet BackDoor) [ Not found ]
- TeLeKiT Rootkit [ Not found ]
- T0rn Rootkit [ Not found ]
- trNkit Rootkit [ Not found ]
- Trojanit Kit [ Not found ]
- Tuxtendo Rootkit [ Not found ]
- URK Rootkit [ Not found ]
- Vampire Rootkit [ Not found ]
- VcKit Rootkit [ Not found ]
- Volc Rootkit [ Not found ]
- Xzibit Rootkit [ Not found ]
- X-Org SunOS Rootkit [ Not found ]
- zaRwT.KiT Rootkit [ Not found ]
- ZK Rootkit [ Not found ]
- Performing additional rootkit checks
- Suckit Rookit additional checks [ OK ]
- Checking for possible rootkit files and directories [ None found ]
- Checking for possible rootkit strings [ None found ]
- Performing malware checks
- Checking running processes for suspicious files [ None found ]
- Checking for login backdoors [ None found ]
- Checking for suspicious directories [ None found ]
- Checking for sniffer log files [ None found ]
- Performing Linux specific checks
- Checking loaded kernel modules [ OK ]
- Checking kernel module names [ OK ]
- Checking the network...
- Performing checks on the network ports
- Checking for backdoor ports [ None found ]
- Performing checks on the network interfaces
- Checking for promiscuous interfaces [ None found ]
- Checking the local host...
- Performing system boot checks
- Checking for local host name [ Found ]
- Checking for system startup files [ Found ]
- Checking system startup files for malware [ None found ]
- Performing group and account checks
- Checking for passwd file [ Found ]
- Checking for root equivalent (UID 0) accounts [ None found ]
- Checking for passwordless accounts [ None found ]
- Checking for passwd file changes [ None found ]
- Checking for group file changes [ None found ]
- Checking root account shell history files [ OK ]
- Performing system configuration file checks
- Checking for SSH configuration file [ Found ]
- Checking if SSH root access is allowed [ Not allowed ]
- Checking if SSH protocol v1 is allowed [ Not allowed ]
- Checking for running syslog daemon [ Found ]
- Checking for syslog configuration file [ Found ]
- Checking if syslog remote logging is allowed [ Not allowed ]
- Performing filesystem checks
- Checking /dev for suspicious file types [ None found ]
- Checking for hidden files and directories [ Warning ]
- Checking application versions...
- Checking version of GnuPG [ OK ]
- Checking version of OpenSSL [ Warning ]
- Checking version of Procmail MTA [ OK ]
- Checking version of OpenSSH [ Warning ]
- System checks summary
- =====================
- File properties checks...
- Files checked: 135
- Suspect files: 5
- Rootkit checks...
- Rootkits checked : 253
- Possible rootkits: 0
- Applications checks...
- Applications checked: 4
- Suspect applications: 2
- The system checks took: 1 minute and 38 seconds
- All results have been written to the log file (/var/log/rkhunter.log)
- One or more warnings have been found while checking the system.
- Please check the log file (/var/log/rkhunter.log)
The corresponding entries in the log:
# grep Warning /var/log/rkhunter.log
- [13:52:20] /sbin/ifdown [ Warning ]
- [13:52:20] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
- [13:52:20] /sbin/ifup [ Warning ]
- [13:52:20] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
- [13:52:34] /usr/bin/groups [ Warning ]
- [13:52:34] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
- [13:52:35] /usr/bin/ldd [ Warning ]
- [13:52:35] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
- [13:52:39] /usr/bin/whatis [ Warning ]
- [13:52:39] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
- [13:53:44] Checking for hidden files and directories [ Warning ]
- [13:53:44] Warning: Hidden directory found: /dev/.udev
- [13:53:44] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
- [13:53:44] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
- [13:53:44] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
- [13:53:44] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
- [13:53:45] Checking version of OpenSSL [ Warning ]
- [13:53:45] Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
- [13:53:45] Checking version of OpenSSH [ Warning ]
- [13:53:45] Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.
3. Correcting false positives
All of the warnings above are benign on a stock CentOS 5 host: ifup, ifdown, groups, ldd and whatis ship as shell scripts in their RPMs; the .hmac files under /usr/bin and /usr/sbin are the FIPS integrity checksums installed with the openssh and fipscheck packages; /dev/.udev is udev's runtime directory; and ..1.gz is a man page installed by the bash package (rkhunter's own default config carries a commented-out ALLOWHIDDENFILE entry for it). The OpenSSL 0.9.8e and OpenSSH 4.3p2 warnings come from comparing against upstream version numbers; rkhunter cannot see Red Hat's backported security fixes, so on a fully patched CentOS 5 these are expected. Verify before whitelisting rather than taking it on faith: rpm -Vf /sbin/ifup (and the same for each flagged path) should print nothing, and rpm -q --changelog openssl | grep -i cve lists the backported fixes. Note what a whitelist entry does and does not do: SCRIPTWHITELIST only tells rkhunter that the command is known to be a script, the hash and ownership checks from the baseline still apply to it; APP_WHITELIST silences exactly the listed version strings, nothing else.
cp /usr/local/rkhunter/etc/rkhunter.conf{,.bak}
Some of the sed one-liners circulating online no longer match the 1.3.8 config, so I adjusted them. The shipped rkhunter.conf already contains commented-out (quoted) entries for most of these paths, so they are simply uncommented; the rest are appended, since these options may be given more than once.
- # uncomment the templates that ship in the 1.3.8 config
- sed -i '/#SCRIPTWHITELIST="\/sbin\/ifup"/ {s/^#//}' /usr/local/rkhunter/etc/rkhunter.conf
- sed -i '/#SCRIPTWHITELIST="\/sbin\/ifdown"/ {s/^#//}' /usr/local/rkhunter/etc/rkhunter.conf
- sed -i '/#SCRIPTWHITELIST="\/usr\/bin\/groups"/ {s/^#//}' /usr/local/rkhunter/etc/rkhunter.conf
- sed -i '/#ALLOWHIDDENDIR="\/dev\/.udev"/ {s/^#//}' /usr/local/rkhunter/etc/rkhunter.conf
- sed -i '/#ALLOWHIDDENFILE="\/usr\/share\/man\/man1\/..1.gz"/ {s/^#//}' /usr/local/rkhunter/etc/rkhunter.conf
- sed -i '/#ALLOWHIDDENFILE="\/usr\/bin\/.fipscheck.hmac"/ {s/^#//}' /usr/local/rkhunter/etc/rkhunter.conf
- sed -i '/#ALLOWHIDDENFILE="\/usr\/bin\/.ssh.hmac"/ {s/^#//}' /usr/local/rkhunter/etc/rkhunter.conf
- sed -i '/#ALLOWHIDDENFILE="\/usr\/sbin\/.sshd.hmac"/ {s/^#//}' /usr/local/rkhunter/etc/rkhunter.conf
- # append the remaining entries (if a sed above found no template, append that path the same way)
- echo 'SCRIPTWHITELIST=/usr/bin/ldd' >> /usr/local/rkhunter/etc/rkhunter.conf
- echo 'SCRIPTWHITELIST=/usr/bin/whatis' >> /usr/local/rkhunter/etc/rkhunter.conf
- echo 'SCRIPTWHITELIST=/usr/bin/GET' >> /usr/local/rkhunter/etc/rkhunter.conf
- echo 'APP_WHITELIST="openssl:0.9.8e sshd:4.3p2"' >> /usr/local/rkhunter/etc/rkhunter.conf
- # use the exact openssl and sshd version strings from the log; the entry must be revisited after every package update
Refresh the baseline and check again. The --propupd step is needed because rkhunter.conf is itself in the file properties database (it appears in the check output above) and we have just edited it:
/usr/local/rkhunter/bin/rkhunter --propupd
- [ Rootkit Hunter version 1.3.8 ]
- File updated: searched for 164 files, found 135
Skip the keypresses and report warnings only; nothing is printed now:
/usr/local/rkhunter/bin/rkhunter -c --sk --rwo
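The whitelist block above was written by hand from the log. As an added example (not code from the original post or from rkhunter itself), the script below derives the same rkhunter.conf directives from the "Warning:" lines in the log, and refuses to emit an entry for a path unless rpm still owns the file and its checksum matches. The sample log lines are constructed from the warnings shown above; the config and log paths are assumptions. On a host without rpm, or for unpackaged paths such as /dev/.udev, every entry is deliberately marked for manual review rather than whitelisted.

```shell
#!/bin/sh
# Added example, not from the original post or from rkhunter. Converts the
# "Warning:" lines in rkhunter.log into whitelist directives, gated on an RPM
# integrity check. Sample log lines are constructed; paths are assumptions.

# Map one warning line to a directive. Prints nothing for warnings that have
# no whitelist form (those need investigation, not tuning).
warning_to_directive() {
    line=$1
    case $line in
        *"has been replaced by a script: "*)
            p=${line#*"'"}; p=${p%%"'"*}                    # path between the quotes
            printf 'SCRIPTWHITELIST=%s\n' "$p" ;;
        *"Hidden directory found: "*)
            p=${line#*"Hidden directory found: "}; p=${p%%:*}
            printf 'ALLOWHIDDENDIR=%s\n' "$p" ;;
        *"Hidden file found: "*)
            p=${line#*"Hidden file found: "}; p=${p%%:*}     # drop the file(1) type text
            printf 'ALLOWHIDDENFILE=%s\n' "$p" ;;
        *"Application '"*"is out of date"*)
            a=${line#*"Application '"}; a=${a%%"'"*}
            v=${line#*"version '"};     v=${v%%"'"*}
            printf 'APP_WHITELIST=%s:%s\n' "$a" "$v" ;;
    esac
}

# Read log lines on stdin and print directives. APP_WHITELIST entries are
# merged into one space-separated line, the form the 1.3.8 config uses.
generate_whitelist() {
    apps=""
    while IFS= read -r line; do
        case $line in *Warning:*) ;; *) continue ;; esac
        d=$(warning_to_directive "$line")
        case $d in
            "") ;;
            APP_WHITELIST=*) apps="$apps ${d#APP_WHITELIST=}" ;;
            *) printf '%s\n' "$d" ;;
        esac
    done
    [ -n "$apps" ] && printf 'APP_WHITELIST="%s"\n' "${apps# }"
    return 0
}

# A flagged file is only a false positive if the package manager still owns it
# and its checksum matches. Returns 0 = clean, 1 = unpackaged or modified,
# 2 = rpm is not available here (e.g. when run off-box).
rpm_owned_and_unmodified() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -qf "$1" >/dev/null 2>&1 || return 1
    # rpm -V prints one line per mismatching file ("5" in column 3 = digest differs)
    rpm -Vf "$1" 2>/dev/null | grep -q " $1\$" && return 1
    return 0
}

# Usage: review_warnings /var/log/rkhunter.log  (read the output before
# appending it to /usr/local/rkhunter/etc/rkhunter.conf). Verified paths are
# printed as directives; anything unverified is printed as a comment.
review_warnings() {
    grep 'Warning:' "$1" | generate_whitelist | while IFS= read -r d; do
        case $d in
            SCRIPTWHITELIST=*|ALLOWHIDDENDIR=*|ALLOWHIDDENFILE=*)
                if rpm_owned_and_unmodified "${d#*=}"; then printf '%s\n' "$d"
                else printf '# INVESTIGATE (not verified as a clean packaged file): %s\n' "$d"; fi ;;
            *) printf '# confirm vendor backports before enabling: %s\n' "$d" ;;
        esac
    done
}

# Constructed sample, modelled on the warnings shown in the log above.
sample_log() {
cat <<'EOF'
[13:52:35] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[13:53:44] Warning: Hidden directory found: /dev/.udev
[13:53:44] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[13:53:45] Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
[13:53:45] Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.
EOF
}

# sample_log | generate_whitelist   prints the four directives for these lines
```

The version warnings are never turned into a directive automatically: rpm -V cannot tell you whether a backport covers a given CVE, so that decision stays with the person reading rpm -q --changelog.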
4. Automated reporting
Check every day at 05:03 and mail the report to root. The entry is added with vi /var/spool/cron/root here; crontab -e is the safer route, since it validates the entry before installing it:
- 3 5 * * * (/usr/local/rkhunter/bin/rkhunter --cronjob -l --nomow --rwo | mail -s "[rkhunter] report `hostname` `date`" root@localhost)
--cronjob implies -c, --sk and --nocolors; --nomow stops rkhunter from sending its own mail-on-warning message as well, and --rwo keeps only warning lines. Two things to keep in mind: on a clean run --rwo produces no output at all, so mail(1) is handed an empty body, and whether that yields an empty message or no message depends on the mail command; and the data files are not refreshed by this entry, so --update needs to run on its own schedule.
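The following wrapper is an added example, not part of the original post or of rkhunter: it refreshes the data files, runs the scan in cron mode, and sends mail only when there is something to report, propagating rkhunter's own exit status so cron or a monitoring agent can see it. The install path, recipient and script name are assumptions; the functions are only executed when the script is called with the argument run, so the file can be sourced and tested without touching the system.

```shell
#!/bin/sh
# Added example, not from the original post or from rkhunter: a cron wrapper
# that refreshes rkhunter's data files, runs the scan, and mails a report only
# when warnings were found. Paths, recipient and script name are assumptions.
RKHUNTER=${RKHUNTER:-/usr/local/rkhunter/bin/rkhunter}
MAILTO=${MAILTO:-root@localhost}
LOGFILE=${LOGFILE:-/var/log/rkhunter.log}

# Refresh programs_bad.dat & friends, then scan. Prints only warning lines;
# the return code is rkhunter's own: 0 clean, non-zero when warnings were found.
rkhunter_scan() {
    # --update's exit status is not pass/fail (it also signals "files were updated")
    "$RKHUNTER" --update --nocolors >/dev/null 2>&1 || true
    "$RKHUNTER" --cronjob --rwo --nomow
}

# build_report SCAN_OUTPUT: prints a mail body and returns 0 when there is
# something to send, 1 when the scan output was empty (a clean run).
build_report() {
    out=$1
    [ -n "$out" ] || return 1
    count=$(printf '%s\n' "$out" | grep -c 'Warning' || true)
    printf 'rkhunter reported %s warning line(s) on %s\n\n%s\n\nFull log: %s\n' \
        "$count" "$(uname -n)" "$out" "$LOGFILE"
}

main() {
    status=0
    out=$(rkhunter_scan) || status=$?
    if body=$(build_report "$out"); then
        printf '%s\n' "$body" | mail -s "[rkhunter] WARNING on $(uname -n) $(date +%F)" "$MAILTO"
    fi
    exit "$status"
}

# Only scan when invoked as "rkhunter-cron.sh run". Crontab entry (assumed path):
#   3 5 * * * /usr/local/rkhunter/bin/rkhunter-cron.sh run
case ${1:-} in run) main ;; esac
```

Because the wrapper exits with rkhunter's status, a non-zero exit in cron's own mail or in a job scheduler is a second, independent signal that a scan produced warnings, even if the report mail itself is lost.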