In this post you will find simple instructions to install rkhunter, a rootkit “hunter”, on FreeBSD, so your system or systems have some protection in place against that kind of unwanted software. For those who do not know what a rootkit is, let’s give a simple definition (you can get more insight from the Wikipedia entry).
A rootkit is a piece of software able to get into areas of a computing system it is not supposed to reach, giving it privileged access to certain parts of the system, if not all of it. DTrace is a very useful tool designed at Sun Microsystems which allows administrators, developers and hackers in general to see what is going on inside the kernel, and for that reason it is considered a “benevolent” rootkit. Previously, getting real-time information about what was happening was only possible with certain tools, and they did not give a full view of the kernel at work.
If you find the articles in Adminbyaccident.com useful to you, please consider making a donation.
Use this link to get $200 credit at DigitalOcean and support Adminbyaccident.com costs.
Get $100 credit for free at Vultr using this link and support Adminbyaccident.com costs.
Mind Vultr supports FreeBSD on their VPS offer.
Do not think of rkhunter as a piece of software you put in place and then never touch again, and do not think it only looks at the kernel. It scans system files, the kernel, some commands such as netstat or sockstat, configuration files, etc. As with any other piece of software you must keep it up to date, although this is a simple task. Scans can be performed manually, but it is also good to automate both the scans and the update process.
Let’s see how to install rkhunter on FreeBSD:
As always, choose your preferred method of installing software on FreeBSD. We’ll use binary packages here with the “pkg” tool, but if you prefer to compile it yourself you can use the ports collection.
[Cabra@Sovietica]$ pkg search rkhunter
rkhunter-1.4.4 Rootkit detection tool
[Cabra@Sovietica]$
After the obvious search result we do the install, elevating our privileges with sudo.
[Cabra@Sovietica]$ sudo pkg install rkhunter
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
Fetching packagesite.txz: 100% 6 MiB 6.5MB/s 00:01
Processing entries: 100%
FreeBSD repository update completed. 31604 packages processed.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
rkhunter: 1.4.4
Number of packages to be installed: 1
The process will require 1 MiB more space.
219 KiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching rkhunter-1.4.4.txz: 100% 219 KiB 224.7kB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Installing rkhunter-1.4.4...
[1/1] Extracting rkhunter-1.4.4: 100%
Message from rkhunter-1.4.4:
******************************************************************************
You should keep your rkhunter database up-to-date.
This can be done automatically by putting this line to periodic.conf(5) files:
daily_rkhunter_update_enable="YES"
daily_rkhunter_update_flags="--update --nocolors"
Also, you can run rkhunter as a part of the daily security check by
putting this line to periodic.conf(5) files:
daily_rkhunter_check_enable="YES"
daily_rkhunter_check_flags="--checkall --nocolors --skip-keypress"
******************************************************************************
[Cabra@Sovietica]$
If we want to correctly install rkhunter on FreeBSD we’ll follow the instructions we’re given at installation time. You just have to edit your /etc/periodic.conf file and add the lines you can see above, which are:
daily_rkhunter_update_enable="YES"
daily_rkhunter_update_flags="--update --nocolors"
daily_rkhunter_check_enable="YES"
daily_rkhunter_check_flags="--checkall --nocolors --skip-keypress"
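The four periodic.conf(5) settings above are usually pasted in by hand; the following added example (not from the original post) sets them idempotently, replacing an assignment that is already there instead of appending a duplicate, so it can be re-run safely. The function names, the file argument and the test file are assumptions made for this example; on a real host the file is /etc/periodic.conf.

```shell
# set_periodic_var FILE NAME VALUE: set NAME="VALUE" in a periodic.conf-style
# file, replacing an existing assignment in place or appending a new one.
set_periodic_var() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        # rewrite through a temp file, then copy back so the original file's
        # mode and owner are preserved (mv would replace them with mktemp's)
        tmp=$(mktemp) || return 1
        sed "s|^${name}=.*|${name}=\"${value}\"|" "$file" > "$tmp" \
            && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# configure_rkhunter_periodic FILE: apply the settings the package message
# asks for (daily database update plus a daily full check).
configure_rkhunter_periodic() {
    set_periodic_var "$1" daily_rkhunter_update_enable YES
    set_periodic_var "$1" daily_rkhunter_update_flags "--update --nocolors"
    set_periodic_var "$1" daily_rkhunter_check_enable YES
    set_periodic_var "$1" daily_rkhunter_check_flags "--checkall --nocolors --skip-keypress"
}

# count_periodic_var FILE NAME: how many assignments of NAME the file holds
# (a correct configuration has exactly one).
count_periodic_var() {
    grep -c "^$2=" "$1"
}
```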
Once rkhunter is installed and the automatic updates and scans are configured we’ll perform an update.
[Cabra@Sovietica]$ sudo rkhunter --update
[ Rootkit Hunter version 1.4.4 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ Updated ]
Checking file i18n/tr [ Updated ]
Checking file i18n/tr.utf8 [ Updated ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]
[Cabra@Sovietica]$
Just for fun, and to see what the tool does at scan time, you can launch a complete scan.
For that you will type:
[Cabra@Sovietica]$ sudo rkhunter -c
[ Rootkit Hunter version 1.4.4 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ Warning ]
/sbin/dmesg [ OK ]
/sbin/fsck [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/md5 [ OK ]
/sbin/mount [ OK ]
/sbin/nologin [ OK ]
/sbin/ping [ OK ]
/sbin/route [ OK ]
/sbin/sha1 [ OK ]
/sbin/sha256 [ OK ]
/sbin/sha384 [ OK ]
/sbin/sha512 [ OK ]
/sbin/sysctl [ OK ]
/sbin/kldload [ OK ]
/sbin/kldstat [ OK ]
/sbin/kldunload [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/kill [ OK ]
/bin/ls [ OK ]
/bin/mv [ OK ]
/bin/pgrep [ OK ]
/bin/pkill [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/sh [ OK ]
/bin/test [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/amd [ OK ]
/usr/sbin/chown [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/inetd [ OK ]
/usr/sbin/newsyslog [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pkg [ OK ]
/usr/sbin/sshd [ OK ]
/usr/sbin/syslogd [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/watch [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/du [ OK ]
/usr/bin/egrep [ OK ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/fuser [ OK ]
/usr/bin/grep [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/ipcs [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/login [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/mktemp [ OK ]
/usr/bin/more [ OK ]
/usr/bin/netstat [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/pkill [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/sed [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sockstat [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/ssh [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/su [ OK ]
/usr/bin/systat [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/telnet [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uname [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/fstat [ OK ]
/usr/bin/procstat [ OK ]
/usr/local/sbin/lsof [ OK ]
/usr/local/sbin/pkg [ OK ]
/usr/local/bin/bash [ OK ]
/usr/local/bin/chattr [ OK ]
/usr/local/bin/curl [ OK ]
/usr/local/bin/lsattr [ OK ]
/usr/local/bin/perl [ OK ]
/usr/local/bin/rkhunter [ OK ]
/usr/local/bin/sudo [ OK ]
/usr/libexec/tcpd [ OK ]
/usr/local/etc/rkhunter.conf [ OK ]
[Press <ENTER> to continue]
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
Fu Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Jynx Rootkit [ Not found ]
KBeast Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Turtle Rootkit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]
[Press <ENTER> to continue]
Performing additional rootkit checks
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]
Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for sniffer log files [ None found ]
Checking for suspicious directories [ None found ]
Performing trojan specific checks
Checking for enabled inetd services [ OK ]
Performing FreeBSD specific checks
Checking sockstat and netstat commands [ OK ]
Checking for KLD backdoors [ OK ]
Checking package database [ Skipped ]
[Press <ENTER> to continue]
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking root account shell history files [ OK ]
Performing system configuration file checks
Checking for an SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Not set ]
Checking if SSH protocol v1 is allowed [ Not set ]
Checking for a running system logging daemon [ Found ]
Checking for a system logging configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ None found ]
[Press <ENTER> to continue]
System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 118
Suspect files: 0
Rootkit checks...
Rootkits checked : 477
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 3 minutes and 0 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
[Cabra@Sovietica]$
Read the output carefully: some warnings need no action on our side and can be discarded, but others have to be attended to straight away.
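A scan like the one above buries three "[ Warning ]" lines among more than a hundred "[ OK ]" lines. The following added example (not from the original post or from rkhunter itself) filters a scan transcript so only the warnings remain, and splits them into ones already reviewed by the admin (listed by check name in an allowlist file) and new ones that still need attention, returning 1 when a new warning exists so a cron job can notice. The function names, the allowlist file and the sample transcript are constructed for this example.

```shell
# triage_rkhunter ALLOWLIST: read an rkhunter transcript on stdin, report each
# "[ Warning ]" check as ACK (named in ALLOWLIST) or NEW, echo the summary
# counters, and exit 1 if any NEW warning was seen.
triage_rkhunter() {
    awk -v allow="$1" '
        BEGIN {
            # one reviewed check name per line; a missing file means nothing is acknowledged
            while ((getline line < allow) > 0) if (line != "") ack[line] = 1
            close(allow); newc = 0
        }
        /\[ Warning \][ \t]*$/ {
            name = $0
            sub(/[ \t]*\[ Warning \][ \t]*$/, "", name)
            if (name in ack) print "ACK  " name
            else { print "NEW  " name; newc++ }
        }
        /^(Suspect files|Possible rootkits):/ { print "INFO " $0 }
        END { print "NEW warnings: " newc; exit (newc > 0) }
    '
}

# Constructed sample transcript, abridged, in the style of the scan above.
SAMPLE_SCAN='Checking for prerequisites [ Warning ]
/sbin/dmesg [ OK ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
Checking for hidden files and directories [ None found ]
Suspect files: 0
Possible rootkits: 0'

# count_new_warnings ALLOWLIST: number of NEW warnings in SAMPLE_SCAN.
count_new_warnings() {
    printf '%s\n' "$SAMPLE_SCAN" | triage_rkhunter "$1" | sed -n 's/^NEW warnings: //p'
}
```

On a real host feed it the output of rkhunter -c --nocolors --skip-keypress; once a passwd or group change warning has been confirmed as legitimate, rkhunter's stored file properties can be refreshed with rkhunter --propupd so it stops firing.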
This is all to install rkhunter on FreeBSD.