First, it's always recommended to not use only one tool checking for root kits but multiples. Here is how to configure cron jobs to check the system everyday and email you the findings (only if something was found).
First rkhunter:
00 23 * * * (/usr/bin/rkhunter --versioncheck; /usr/bin/rkhunter --update; /usr/bin/rkhunter --cronjob --report-warnings-only)
This will first check for latest version of rkhunter (--versioncheck), check for updates to database files (--update) and then run rkhunter.
You can enter email address which should receive a message if something was found in /etc/rkhunter.conf:
MAIL-ON-WARNING=henri.benoit@gmail.com xxx.xxx@googlemail.com
Now chkrootkit:
00 23 * * * /usr/sbin/chkrootkit -q | grep -v "bindshell.*465)" > /tmp/chkrootkit.log && [ -s /tmp/chkrootkit.log ] && mail -s 'chkrootkit findings' henri.benoit@gmail.com xxx.xxx@googlemail.com < /tmp/chkrootkit.log
The grep -v part is only there because chkrootkit keep reporting that port 465 is infected when it is actually just postfix running... Other than that, the crontab line above will scan the system, write a log file and mail the contents of the log file if not empty.
First rkhunter:
00 23 * * * (/usr/bin/rkhunter --versioncheck; /usr/bin/rkhunter --update; /usr/bin/rkhunter --cronjob --report-warnings-only)
This will first check for latest version of rkhunter (--versioncheck), check for updates to database files (--update) and then run rkhunter.
You can enter email address which should receive a message if something was found in /etc/rkhunter.conf:
MAIL-ON-WARNING=henri.benoit@gmail.com xxx.xxx@googlemail.com
Now chkrootkit:
00 23 * * * /usr/sbin/chkrootkit -q | grep -v "bindshell.*465)" > /tmp/chkrootkit.log && [ -s /tmp/chkrootkit.log ] && mail -s 'chkrootkit findings' henri.benoit@gmail.com xxx.xxx@googlemail.com < /tmp/chkrootkit.log
The grep -v part is only there because chkrootkit keep reporting that port 465 is infected when it is actually just postfix running... Other than that, the crontab line above will scan the system, write a log file and mail the contents of the log file if not empty.
No comments:
Post a Comment