A rootkit is a malicious software designed to obtain root-level access to a computer while hiding its presence or identity from antivirus software. Common ways for rootkits to get installed on your system are through trojan horses contained in drive-by downloads, known system vulnerabilities, suspicious email attachments, web surfing, or simply by password cracking.
On Linux, there are several rootkit scanner tools that help project against known or potential rootkits. One such rootkit detection tool is called Rootkit Hunter (rkhunter).
Install rkhunter on Ubuntu:
$ sudo apt-get install rkhunter
To perform rootkit scanning on FLEX, simply run the following.
$ sudo rkhunter -c
Once rkhunter is initiated, it will go ahead and run a series of tests as follows.
Once scanning is completed, rkhunter stores the result in /var/log/rkhunter.log. We can check for any warning and results something like this:
System checks summary ===================== Rootkit checks... Rootkits checked : 310 Possible rootkits: 2 Rootkit names : SHV4 Rootkit, SHV5 Rootkit Applications checks... All checks skipped The system checks took: 1 minute and 54 seconds All results have been written to the log file: /var/log/rkhunter.log One or more warnings have been found while checking the system. Please check the log file (/var/log/rkhunter.log)
Rootkit Hunter relies on a set of database files to detect rootkits. If we would like to check if the database files are up-to-date, simply run rkhunter with "--update" option. If there is a newer version of the database files, it will automatically fetch up-to-date database files using wget.
$ sudo rkhunter --update [ Rootkit Hunter version 1.4.0 ] Checking rkhunter data files... Checking file mirrors.dat [ No update ] Checking file programs_bad.dat [ No update ] Checking file backdoorports.dat [ No update ] Checking file suspscan.dat [ No update ] Checking file i18n/cn [ No update ] Checking file i18n/de [ No update ] Checking file i18n/en [ No update ] Checking file i18n/tr [ No update ] Checking file i18n/tr.utf8 [ No update ] Checking file i18n/zh [ No update ] Checking file i18n/zh.utf8 [ No update ]
We also set up firewall for FLEX to protect it from any outsider's attacks. The software to perform firewall management in Ubuntu is UFW.
$ sudo ufw enable
By defaults, we deny all incoming connections and allow all outgoing connections.
$ sufo ufw default deny incoming $ sudo ufw default allow outgoing
And then, we open some specific standard ports used for communications:
$ sudo ufw allow ssh $ sudo ufw allow ftp and so on.
We found recently that some ports still can be explored by outsiders. We therefore add the following rules:
$ sudo ufw deny out 3724 $ sudo ufw deny 40000:60000/tcp $ sudo ufw deny 40000:60000/udp
To check the firewall status, use the following command:
$ sudo ufw status verbose