{"id":422,"date":"2021-02-08T07:32:26","date_gmt":"2021-02-08T06:32:26","guid":{"rendered":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/?p=422"},"modified":"2021-02-08T07:32:47","modified_gmt":"2021-02-08T06:32:47","slug":"rkhunter-detection-de-rootkit-sur-linux-debian","status":"publish","type":"post","link":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/rkhunter-detection-de-rootkit-sur-linux-debian\/","title":{"rendered":"rkhunter – detection de rootkit sur linux debian"},"content":{"rendered":"

\"rkhunter\"<\/p>\n

rkhunter est un programme permetant de d\u00e9tecter les rootkits, portes d\u00e9rob\u00e9es et exploits. Pour cela, il compare les hash SHA-256, SHA-512, SHA1 et MD5 des fichiers importants avec les hash connus, qui sont accessibles \u00e0 partir d’une base de donn\u00e9es en ligne (Wikip\u00e9dia). Ce tutoriel, l’installation et les commandes de base.<\/p>\n

<\/p>\n

INSTALLATION<\/h2>\n

Pour installer RKhunter, rien de plus simple, Par d\u00e9faut, la configuration se situe dans le fichier \/etc\/rkhunter.conf.<\/p>\n

# apt-get install rkhunter tripwire unhide libhttp-date-perl libcryptx-perl libdigest-sha-perl libencode-locale-perl libhttp-message-perl libio-html-perl liblwp-mediatypes-perl liburi-perl libfile-listing-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-negotiate-perl libio-socket-ssl-perl liblwp-protocol-https-perl libnet-http-perl libnet-ssleay-perl libtry-tiny-perl libwww-perl libwww-robotrules-perl perl-openssl-defaults libdigest-whirlpool-perl\n<\/code><\/pre>\n
CONFIGURATION<\/h2>\n
Editer la configuration de rkhunter suivante :<\/p>\n
Dans \/etc\/default\/rkhunter :<\/p>\n
# vi \/etc\/default\/rkhunter\n<\/code><\/pre>\n
# Set this to the email address where reports and run output should be sent\nREPORT_EMAIL=\"root\"\n# Set this to yes to enable rkhunter weekly database updates\nCRON_DB_UPDATE=\"yes\"\n# Set this to yes to enable reports of weekly database updates\nDB_UPDATE_EMAIL=\"no\"\n# Set this to yes to enable rkhunter daily runs\nCRON_DAILY_RUN=\"yes\"\n# Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable).\nNICE=\"0\"\n<\/code><\/pre>\n
et dans \/etc\/rkhunter.conf :<\/p>\n
# vi \/etc\/rkhunter.conf\n\nWEB_CMD=\nUPDATE_MIRRORS=1\nMIRRORS_MODE=0\nDISABLE_TESTS=\"suspscan hidden_procs deleted_files packet_cap_apps apps os_specific\"\nALLOW_SSH_ROOT_USER=yes\nSCRIPTWHITELIST=\/usr\/bin\/unhide\n<\/code><\/pre>\n
UTILISATION<\/h2>\n
V\u00e9rifier que vous avez la derni\u00e8re version :<\/p>\n
# rkhunter --versioncheck\n[ Rootkit Hunter version 1.4.6 ]\n\nChecking rkhunter version...\n  This version  : 1.4.6\n  Latest version: 1.4.6\n<\/code><\/pre>\n
Mettre \u00e0 jour le programme :<\/p>\n
rkhunter --update\n[ Rootkit Hunter version 1.4.6 ]\n\nChecking rkhunter data files...\n  Checking file mirrors.dat                                  [ Updated ]\n  Checking file programs_bad.dat                             [ No update ]\n  Checking file backdoorports.dat                            [ No update ]\n  Checking file suspscan.dat                                 [ No update ]\n  Checking file i18n\/cn                                      [ Skipped ]\n  Checking file i18n\/de                                      [ Skipped ]\n  Checking file i18n\/en                                      [ No update ]\n  Checking file i18n\/tr                                      [ Skipped ]\n  Checking file i18n\/tr.utf8                                 [ Skipped ]\n  Checking file i18n\/zh                                      [ Skipped ]\n  Checking file i18n\/zh.utf8                                 [ Skipped ]\n  Checking file i18n\/ja                                      [ Skipped ]\n<\/code><\/pre>\n
Lister les diff\u00e9rents tests effectu\u00e9s :<\/p>\n
# rkhunter --list\n<\/code><\/pre>\n
Effectuer une v\u00e9rification :<\/p>\n
# rkhunter --checkall --skip-keypress\n<\/code><\/pre>\n
Des fichiers peuvent \u00eatre consid\u00e9r\u00e9s comme suspects si la base de donn\u00e9es n’est pas \u00e0 jour, dans ce cas vous devez lancer :<\/p>\n
# rkhunter --propupd\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
rkhunter est un programme permetant de d\u00e9tecter les rootkits, portes d\u00e9rob\u00e9es et exploits. Pour cela, il compare les hash SHA-256, SHA-512, SHA1 et MD5 des fichiers importants avec les hash connus, qui sont accessibles \u00e0 partir d’une base de donn\u00e9es en ligne (Wikip\u00e9dia). Ce tutoriel, l’installation et les commandes de base.<\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[11,58],"tags":[2,60,59],"class_list":["post-422","post","type-post","status-publish","format-standard","hentry","category-linux","category-rootkit","tag-linux","tag-rkhunter","tag-rootkit"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paBEVZ-6O","jetpack_likes_enabled":false,"_links":{"self":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts\/422","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/comments?post=422"}],"version-history":[{"count":1,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts\/422\/revisions"}],"predecessor-version":[{"id":423,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/posts\/422\/revisions\/423"}],"wp:attachment":[{"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/media?parent=422"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/categories?post=422"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/homepages.lcc-toulouse.fr\/colombet\/wp-json\/wp\/v2\/tags?post=422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}