Difference between revisions of "Rkhunter"

From OnnoWiki
(Created page with "sumber: https://www.digitalocean.com/community/tutorials/how-to-use-rkhunter-to-guard-against-rootkits-on-an-ubuntu-vps Status: Deprecated This article covers a version...")

source: https://www.digitalocean.com/community/tutorials/how-to-use-rkhunter-to-guard-against-rootkits-on-an-ubuntu-vps

Status: Deprecated

This article covers a version of Ubuntu that is no longer supported. If you currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

•Upgrade to Ubuntu 14.04.
•Upgrade from Ubuntu 14.04 to Ubuntu 16.04
•Migrate the server data to a supported version

Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.

See Instead:

This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.

Introduction

Exposing any computer to the internet is in some ways risky. There are many ways that your server can be compromised or attacked by remote systems and malicious software, and it is an ongoing and proactive process to defend yourself against potential threats.

One potential concern is rootkits. Rootkits are software secretly installed by a malicious intruder to allow that user continued access to the server once security is breached. This is an extremely dangerous problem, because even after the entry vector that the user originally used to gain access is fixed, they can continue to enter the server using the rootkit they installed.

One tool that can help you protect your system from these kinds of problems is rkhunter. This software checks your system against a database of known rootkits. Additionally, it can check other system files to make sure they are in line with expected properties and values.

In this guide, we will install and configure rkhunter to protect our Ubuntu 12.04 VPS.

Install RKHunter from Source

Because the Ubuntu repositories have an outdated version of rkhunter which contains an unpatched bug, we will be installing from source so that our program will behave properly.

Change to your home directory and download the files. As of this writing, 1.4.0 is the latest version, but you can go to the project's home page to see if a newer version is available:

cd
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz

Once it has finished downloading, extract the files and enter the resulting directory:

tar xzvf rkhunter*
cd rkhunter*

Inside, we should see a "files" directory, and an installer script. We will use this to install our program. Specify the layout to install it in the /usr directory so that it will be in our default path:

sudo ./installer.sh --layout /usr --install

This will install the software and the configuration files.

Now, we have rkhunter installed, but we still need some utilities to use all of its functionality. We can get these from the Ubuntu repositories:

sudo apt-get update
sudo apt-get install binutils libreadline5 libruby1.8 ruby ruby1.8 ssl-cert unhide.rb mailutils

You will be asked some questions about the mail server setup. You can configure this if you'd like, but for the sake of brevity, we will not be configuring a web-facing mail server. Select "Local only" to follow our example.

If you are installing locally, you can name the system mail anything. Otherwise, make sure to use a fully qualified domain name.

Now, our software is installed and ready for testing and configuration.

Initial Test Runs

Before we begin configuration, we will do a few test runs with the default settings to get an idea of how the software operates and set a baseline against which to guide our modifications.

The first thing we should do is ensure that our rkhunter version is up-to-date. If you did get the latest tarball from the site, it shouldn't need to do anything, but it's best to check anyway:

sudo rkhunter --versioncheck
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter version...
  This version  : 1.4.0
  Latest version: 1.4.0

Next, we need to perform a similar operation to update our data files. These files contain information that rkhunter checks against to determine if a file or behavior is suspicious or not. Keeping these files current is essential for accurately assessing your system:

sudo rkhunter --update

With our database files refreshed, we can set our baseline file properties so that rkhunter can alert us if any of the essential configuration files it tracks are altered. We need to tell rkhunter to check the current values and store them as known-good values:

sudo rkhunter --propupd
File created: searched for 167 files, found 136

Finally, we are ready to perform our initial run. This will produce some warnings. This is expected behavior, because rkhunter is configured to be generic and Ubuntu diverges from the expected defaults in some places. We will tell rkhunter about these afterwards:

sudo rkhunter -c --enable all --disable none

It will run one section of tests and then ask you to press enter to continue. You can review the warnings that were produced as you go, but there will be more detailed information in the log afterwards. Press enter until all of the tests are run.

Now, we should go through the logs and check out all of the warnings that were produced:

sudo nano /var/log/rkhunter.log

Search the file for the word "Warning". You will see a number of different warnings that are caused by different aspects of our filesystem. We will configure rkhunter to ignore the ones we know are harmless in the next section.

Some of the changes, like changes to the passwd file, are only showing up because they have been changed by the helper utilities we downloaded with apt. The timestamps on these files are more recent than the rkhunter database files. They will disappear on the next run.

Another alternative to checking the log is to have rkhunter print out only warnings to the screen, instead of all checks:

sudo rkhunter -c --enable all --disable none --rwo

You can then copy and paste this information somewhere so we can implement the changes in our configuration file.

Configure RKHunter Based on Known-Good Values

Now that we have some info on how rkhunter is viewing our system, we can tell it which files and applications to ignore or handle differently in order to avoid false-positives.

Begin by opening the rkhunter configuration file with root privileges:

sudo nano /etc/rkhunter.conf

Set Up Mail Notifications

The first thing you can do is set up email notifications if you want to receive those when rkhunter hits a warning. You can do this here:

MAIL-ON-WARNING="your_user@domain.com"

If you set up local mail, you can put this to receive mail when you log in as root:

MAIL-ON-WARNING="root@localhost"

Note that the mail programs were configured when you installed them, so whether this functions correctly depends on what your choices were.

A related configuration option specifies the program and options for sending the mail:

MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

Whitelist Known Script Files

Next, we will fix the warnings that told us that some of the binary packages on the system have been replaced by scripts. Some distributions (Ubuntu included) use scripted versions of files instead of their binary counterparts.

The four warnings I received were all examples of this. We can set a SCRIPTWHITELIST parameter to tell rkhunter that these are expected to be script files:

SCRIPTWHITELIST="/usr/sbin/adduser"
SCRIPTWHITELIST="/usr/bin/ldd"
SCRIPTWHITELIST="/usr/bin/unhide.rb"
SCRIPTWHITELIST="/bin/which"

This will prevent these files from triggering false positives on all subsequent checks. Note that these whitelists are specific for certain tests, so we are only flagging that we know these files are not supposed to be binary. Other changes can still trigger warnings, which is what we want.

Whitelist Files in the /dev Directory

Certain files in the /dev directory trigger a warning for rkhunter. These are all implementation details that do not actually point to anything wrong. They are supposed to be there and are supported by the distribution.

There are three warning types that we need to deal with. The first one was a warning that there was a "suspicious file" in the directory. We will specifically allow this file by placing this line in the configuration:

ALLOWDEVFILE="/dev/.udev/rules.d/root.rules"

The next warning we must deal with is that there is a hidden directory in /dev. This is also expected. It is the directory that contained the previous file:

ALLOWHIDDENDIR="/dev/.udev"

The last warning is for hidden files. These are basic configuration files that are kept in this directory so that the utilities can access them regardless of the partitioning scheme and mount status.

Add these lines to allow these files to exist:

ALLOWHIDDENFILE="/dev/.blkid.tab"
ALLOWHIDDENFILE="/dev/.blkid.tab.old"
ALLOWHIDDENFILE="/dev/.initramfs"

Allow Root SSH Login

The next step is simply an assertion check. When you run rkhunter, it checks a parameter in its configuration file and compares it to the value in the SSHD configuration file.

This option specifies whether the root user can log in using SSH. Many security practices recommend disabling root login. If you have disabled root login, you should leave this parameter as "no".

If you need root login over SSH, you should change this parameter to "yes" so that rkhunter can check this and will mark this setting as valid:

ALLOW_SSH_ROOT_USER=yes

Save and close the file when you are finished.

Check the Configuration

Now that we have configured rkhunter, you need to validate the configuration and check to see that everything is now working as expected.

The first step in this is checking that the configuration file itself is valid. You can run a test on it to see if rkhunter will accept all of the values that you've assigned:

sudo rkhunter -C

If this gives you any output back, you need to revisit the configuration again to adjust your parameters.

After you've gotten the configuration file in good working order, you can run the test again to see if there are any warnings.

sudo rkhunter -c --enable all --disable none --rwo

This should produce one warning, because our rkhunter configuration itself has been modified:

Warning: The file properties have changed:
         File: /etc/rkhunter.conf
         Current hash: fa8ad80a18100e669be507e69d0cbb88348fc07d
         Stored hash : f9015108a2f6d8044126351cf16235c55993ff7a
         Current inode: 2098189    Stored inode: 2100424
         Current size: 37607    Stored size: 37359
         Current file modification time: 1388443781 (30-Dec-2013 17:49:41)
         Stored file modification time : 1388442019 (30-Dec-2013 17:20:19)

We should have updated the file properties again after modifying this file. Do that now by typing:

sudo rkhunter --propupd

After it is finished, you can run the check command again and see that no errors are produced.

Forgetting to update the file properties gives you an option to check the mail notifications if you configured that. Since we configured local mail, we can access the messages by checking the root mailbox:

sudo mail

You should see a message that you can access by the number in the second column.

You can exit the mail screen by typing:

quit

If you set up remote email, you can check that too. It may be in your spam folder, so look there if you have not received it in your regular inbox.

Set Up a Cron Job to Automate Checks

Now that you have configured rkhunter and verified that it is operating correctly, it is probably a good idea to automate the system. We can set up rkhunter to run checks every day so that we have up-to-date information about intrusions.

This is most useful if you can have it email your regular email address, so that you are more likely to check it. Change the MAIL-ON-WARNING parameter in the /etc/rkhunter.conf file to your regular email if you haven't done so already.

We want to run rkhunter with root privileges, as we have been doing, so we should add it to the root user's crontab. It is important to remember not to add it to the system crontab, because this could be replaced in an upgrade and wipe out your changes.

First, we can see if the root user already has a crontab by typing:

sudo crontab -l

If this returns a crontab, then it is best to back up the file in case we make a mistake. You can do that by typing:

sudo crontab -l > crontab.bak

Afterwards, we can edit the root user's crontab by issuing this command:

sudo crontab -e

If this is the first time you are running this command, it will ask you to choose the editor you would like to use. A safe choice is nano, if you do not have a preference for any of the other editors.

Afterwards, you will be taken into your editor and your file will be pre-populated with some comments explaining how to write the crontab.

There are a lot of complex ways to write cron specifications that can run commands at many intervals. For our purposes, we are just going to have to decide what time each day to run the command. As with most services, running it at night is usually optimal.

The format we will use is minutes hours * * * command. The hours should be written in 24 hour format (for example, 15 for 3pm). The command we want to use is /usr/bin/rkhunter --cronjob --update --quiet.

So if we want to run this command at 4:15am, we can type at the bottom of the file:

15 04 * * * /usr/bin/rkhunter --cronjob --update --quiet

The --cronjob option tells rkhunter to not output in a colored format and to not require interactive key presses. The update option ensures that our definitions are up-to-date. The quiet option suppresses all output.

The cron utility will run this command at 4:15am, and if there is any output, the rkhunter command itself will email our user to alert them. If no problems were found, no email will be received.

Conclusion

Now that you have rkhunter installed, configured, and automated, it should do the work for you for the most part. If you are relying on email alerts, make sure that you check them regularly and respond to any warnings that are produced.

It is also helpful to remember that when you make software changes on your computer, rkhunter may report differences in its next run. It is recommended that after you make changes, at least run sudo rkhunter --propupd to update rkhunter to the new file properties.

Because this software references known-good values and system states that you have allowed, it is best to install and configure this directly after you have configured most of the software for your installation. Doing so before configuring your software will result in a lot of false positives, while waiting too long can result in intrusion and not knowing if you are whitelisting bad files.

By Justin Ellingwood

Revision as of 05:52, 14 June 2017

source: https://www.digitalocean.com/community/tutorials/how-to-use-rkhunter-to-guard-against-rootkits-on-an-ubuntu-vps

Intro

One potential concern is rootkits. A rootkit is software secretly installed by a malicious intruder that lets that user keep accessing the server after security has been breached. This is a very dangerous problem, because even after the entry vector the user originally used to gain access has been fixed, they can keep getting into the server using the rootkit they installed.

One tool that can help you protect your system from problems like this is rkhunter. This software checks your system against a database of known rootkits. In addition, it can check other system files to make sure they match their expected properties and values.

Compile RKHunter

Install the supporting packages:

sudo apt-get update
sudo apt-get install binutils libreadline5 libruby1.8 ruby ruby1.8 ssl-cert unhide.rb mailutils

Check for the latest rkhunter version on www.sf.net; when this was tried, the version was 1.4.2.

cd /usr/local/src
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
tar xzvf rkhunter*
cd rkhunter*


Inside, we should see a "files" directory, and an installer script. We will use this to install our program. Specify the layout to install it in the /usr directory so that it will be in our default path:

sudo ./installer.sh --layout /usr --install


When the package install asks about the mail server setup, choose "Local only" for testing. For production use you need to set the fully qualified domain name (FQDN).

Check the Configuration

Check the installed version:

sudo rkhunter --versioncheck
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter version...
  This version  : 1.4.0
  Latest version: 1.4.0

Update the data files:

sudo rkhunter --update

Set the file-properties baseline:

sudo rkhunter --propupd
File created: searched for 167 files, found 136


Run

Run the check:

sudo rkhunter -c --enable all --disable none

It runs the tests one section at a time; press Enter to continue after each section.

The log can be read at:

sudo nano /var/log/rkhunter.log

Search for the word "Warning".

Alternatively, tell rkhunter to print only the warnings to the screen:

sudo rkhunter -c --enable all --disable none --rwo
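Reading /var/log/rkhunter.log by hand gets tedious once the log is long, and the "--rwo" output is gone as soon as the terminal scrolls. The following shell script is an added example, not part of the original page or of rkhunter itself; it pulls the warning lines out of a log and lists the files whose stored properties no longer match, which is exactly the information you need before deciding whether a warning is a false positive to whitelist or a real change to investigate. The sample log it writes is constructed here to mimic the rkhunter.log layout (timestamps, hashes and paths are illustrative); the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page or from rkhunter: summarise the
# warnings in an rkhunter log. Assumes POSIX sh, grep and awk.

# Number of warning lines in the log. Only lines that rkhunter prefixes with
# "Warning:" count; the "[ Warning ]" status tags on summary lines do not.
count_warnings() {
    grep -c 'Warning:' "$1"
}

# One line per warning. For "file properties have changed" warnings the
# affected path from the following "File:" line is appended in brackets.
list_warnings() {
    awk '
        /Warning:/ {
            if (pending) print msg
            sub(/^.*Warning: */, ""); msg = $0; pending = 1; next
        }
        pending && /File:/ { sub(/^.*File: */, ""); print msg " [" $0 "]"; pending = 0; next }
        pending { print msg; pending = 0 }
        END { if (pending) print msg }
    ' "$1"
}

# Paths whose stored properties no longer match: the files to inspect before
# deciding whether "rkhunter --propupd" is justified.
changed_files() {
    awk '
        /Warning: The file properties have changed/ { want = 1; next }
        want && /File:/ { sub(/^.*File: */, ""); print; want = 0 }
    ' "$1"
}

# Constructed sample log in the layout of /var/log/rkhunter.log; prints the
# path of the temporary file it wrote.
write_sample_log() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
[15:50:20] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script, ASCII text executable
[15:50:23] Warning: Hidden directory found: /dev/.udev
[15:50:25] Warning: The file properties have changed:
[15:50:25]          File: /etc/rkhunter.conf
[15:50:25]          Current hash: fa8ad80a18100e669be507e69d0cbb88348fc07d
[15:50:25]          Stored hash : f9015108a2f6d8044126351cf16235c55993ff7a
[15:50:30] Info: Checking for hidden files and directories [ Warning ]
EOF
    printf '%s\n' "$sample"
}

# Run against a real log when a path is given (e.g. /var/log/rkhunter.log),
# otherwise against the constructed sample.
if [ -n "${1:-}" ]; then
    logfile=$1
else
    logfile=$(write_sample_log)
fi
echo "warnings: $(count_warnings "$logfile")"
list_warnings "$logfile"
echo "files with changed properties:"
changed_files "$logfile"
```

Run it as `sh rkhunter-warnings.sh /var/log/rkhunter.log` after a check (reading the log normally needs root). The distinction between the three warning kinds in the sample is the one the rest of this page acts on: a replaced-by-script warning goes to SCRIPTWHITELIST, a hidden-directory warning to ALLOWHIDDENDIR, and a changed-properties warning is the one that should be looked at before you refresh the baseline with --propupd.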


Edit the RKHunter Configuration So It Is Correct

Edit the configuration file:

sudo nano /etc/rkhunter.conf


Email notifications:

MAIL-ON-WARNING="your_user@domain.com"

or

MAIL-ON-WARNING="root@localhost"
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"


Whitelist known-good script files, for example:

SCRIPTWHITELIST="/usr/sbin/adduser"
SCRIPTWHITELIST="/usr/bin/ldd"
SCRIPTWHITELIST="/usr/bin/unhide.rb"
SCRIPTWHITELIST="/bin/which"
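A SCRIPTWHITELIST entry silences the "replaced by a script" warning for that path permanently, so it is worth confirming that the file really is the distribution's interpreter script before trusting it. The script below is an added example, not from the original page or from rkhunter: it checks that a candidate path is a regular file, starts with a "#!" line and is not world-writable, and only then prints the SCRIPTWHITELIST line in the form used in /etc/rkhunter.conf. The function names and the constructed demonstration files are this example's own; it assumes the head and find implementations found on Linux (GNU or busybox).

```shell
#!/bin/sh
# Added example, not from the original page or from rkhunter: sanity-check a
# path before adding it to SCRIPTWHITELIST.

# Return 0 if FILE is a regular file that starts with a "#!" interpreter line
# and is not writable by everyone; otherwise explain on stderr and return 1.
script_whitelist_ok() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2
        return 1
    fi
    if [ "$(head -c 2 "$f")" != "#!" ]; then
        echo "$f: does not start with #! (a binary, not a script)" >&2
        return 1
    fi
    # find prints the path only if the "other" write bit is set
    if [ -n "$(find "$f" -prune -perm -002)" ]; then
        echo "$f: world-writable, do not whitelist" >&2
        return 1
    fi
    return 0
}

# Print a SCRIPTWHITELIST line for every argument that passes the check;
# skipped paths are reported on stderr so nothing disappears silently.
emit_script_whitelist() {
    for candidate in "$@"; do
        if script_whitelist_ok "$candidate"; then
            printf 'SCRIPTWHITELIST="%s"\n' "$candidate"
        fi
    done
}

# Demonstration on constructed files. A real run would name the paths from
# the rkhunter warnings, e.g. /usr/sbin/adduser and /bin/which.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho hello\n' > "$demo_dir/script"
chmod 755 "$demo_dir/script"
printf '\177ELF\001\001\001' > "$demo_dir/binary"
chmod 755 "$demo_dir/binary"
printf '#!/bin/sh\n' > "$demo_dir/loose"
chmod 777 "$demo_dir/loose"
emit_script_whitelist "$demo_dir/script" "$demo_dir/binary" "$demo_dir/loose" "$demo_dir/missing"
rm -rf "$demo_dir"
```

Only the first of the four demonstration paths produces a SCRIPTWHITELIST line; the ELF file, the world-writable script and the missing path are reported on stderr. On Debian and Ubuntu you can add a package-ownership check on top of this (for example `dpkg -S /bin/which` to see which package ships the file), which is a stronger signal than the shebang test alone.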

Whitelist files in /dev, for example:

ALLOWDEVFILE="/dev/.udev/rules.d/root.rules"
ALLOWHIDDENDIR="/dev/.udev"
ALLOWHIDDENFILE="/dev/.blkid.tab"
ALLOWHIDDENFILE="/dev/.blkid.tab.old"
ALLOWHIDDENFILE="/dev/.initramfs"


Allow root SSH login, for example (only if root login is actually enabled in the sshd configuration; otherwise leave it at "no"):

ALLOW_SSH_ROOT_USER=yes


Check the Configuration

Check that the configuration file is valid:

sudo rkhunter -C

Test again to see whether there are any warnings:

sudo rkhunter -c --enable all --disable none --rwo

There should be at least one warning, because the rkhunter configuration itself has been modified:

Warning: The file properties have changed:
         File: /etc/rkhunter.conf
         Current hash: fa8ad80a18100e669be507e69d0cbb88348fc07d
         Stored hash : f9015108a2f6d8044126351cf16235c55993ff7a
         Current inode: 2098189    Stored inode: 2100424
         Current size: 37607    Stored size: 37359
         Current file modification time: 1388443781 (30-Dec-2013 17:49:41)
         Stored file modification time : 1388442019 (30-Dec-2013 17:20:19)
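The warning above is rkhunter comparing four stored properties of /etc/rkhunter.conf (hash, inode, size, modification time) against their current values. To make that mechanism concrete, here is an added example, not from the original page or from rkhunter, that implements a minimal version of the same baseline-and-check cycle in shell: props_update records the properties the way --propupd does, and props_check reports every file whose current values differ, in the layout of the warning above. The function names and the constructed demonstration files are this example's own; it assumes sha1sum and the GNU or busybox "stat -c", and that paths contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original page or from rkhunter: a minimal
# file-properties baseline and check, mirroring what --propupd and the
# rkhunter properties test do.

# Current properties of one file: "<sha1> <inode> <size> <mtime-epoch>".
file_props() {
    printf '%s %s\n' "$(sha1sum "$1" | cut -d' ' -f1)" "$(stat -c '%i %s %Y' "$1")"
}

# props_update BASELINE FILE...: (re)write BASELINE with one line per file,
# "<path> <sha1> <inode> <size> <mtime>". Like --propupd, run it only once
# you have reviewed the files and trust their current contents.
props_update() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s %s\n' "$f" "$(file_props "$f")" >> "$baseline"
    done
}

# props_check BASELINE: compare every recorded file with its stored values.
# Prints a warning per changed or missing file; returns 1 if any differ.
props_check() {
    baseline=$1
    changed=0
    while read -r f stored; do
        if [ ! -f "$f" ]; then
            echo "Warning: file is missing: $f"
            changed=1
            continue
        fi
        current=$(file_props "$f")
        if [ "$current" != "$stored" ]; then
            echo "Warning: The file properties have changed:"
            echo "         File: $f"
            echo "         Current (hash inode size mtime): $current"
            echo "         Stored  (hash inode size mtime): $stored"
            changed=1
        fi
    done < "$baseline"
    return $changed
}

# Demonstration on constructed files: take a baseline, edit a file, watch the
# check flag it, then refresh the baseline as you would with --propupd.
demo_dir=$(mktemp -d)
printf 'original\n' > "$demo_dir/conf"
props_update "$demo_dir/baseline" "$demo_dir/conf"
props_check "$demo_dir/baseline" && echo "baseline clean"
printf 'edited\n' >> "$demo_dir/conf"
props_check "$demo_dir/baseline" || echo "change detected; review it, then refresh the baseline"
props_update "$demo_dir/baseline" "$demo_dir/conf"
props_check "$demo_dir/baseline" && echo "baseline refreshed"
rm -rf "$demo_dir"
```

The important property of this cycle, and of rkhunter's, is that the baseline is only as trustworthy as the moment it was taken: refreshing it right after an unexplained change turns that change into the new "known good", which is why the page tells you to read the warning first and run --propupd afterwards.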

Update the rkhunter properties baseline:

sudo rkhunter --propupd

Check your email for the notification from rkhunter.

Cron

sudo crontab -e
15 04 * * * /usr/bin/rkhunter --cronjob --update --quiet

If there are no problems, no email is sent.



References