ISPConfig — Add Warnings to rkhunter Email

Posted on November 11, 2017 by admin under ISPConfig

RKHunter is a rootkit and malware hunter used to protect your servers. When RKHunter is executed, it will by default send an email to the configured administrator if any warnings occur. This is nice, but the email doesn't indicate the issue; it simply says "Please inspect this machine, because it may be infected".

I wanted the messages from the run as well, so I could easily determine what changed rather than the scary message above.

While looking around, I found the article "rkhunter: more verbose email alerts", which was very helpful.

Since my environment is running ISPConfig3, the RKHunter job runs from the ISPConfig cron system. This means we need to modify the cron job under /usr/local/ispconfig/server/lib/classes/cron.d/; specifically, we will modify the 100-monitor_rkhunter.inc.php file.

In the file, locate line 75; it should match the following:

  • $data['output'] = shell_exec('rkhunter --update --checkall --nocolors --skip-keypress');

Immediately following the above line, enter the following text.

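// Mail the captured rkhunter output when the run produced any.
if(!is_null($data['output'])){
    $subj = '[rkhunter] warning(s) found.';
    // escapeshellarg() quotes each value so the shell treats the report, subject and address as data, not as commands.
    shell_exec('echo ' . escapeshellarg($data['output']) . ' | mail -s ' . escapeshellarg($subj) . ' ' . escapeshellarg('<your_email@yourdomain.com>'));
}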

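This works because rkhunter prints its warnings to standard output, which shell_exec() captures in $data['output']. Without --report-warnings-only, that output also carries the result of every other check, so expect the full run in the message.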

Make sure you replace <your_email@yourdomain.com> with the email address to which you want the report sent.

I am sure there are better ways to do this, and the email address should really somehow be pulled from the rkhunter config file so as to centralize as much as possible.

I have just made the changes and will need to wait for the cron job to run again; it appears to run daily.

I also need to wait until I get a warning of some type. I would have done more testing, but I am not sure how to manually run the cron job on the command line or in the ISPConfig interface. If anyone knows, please post the information below.
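A variant covering two points raised above, as an added example that is not part of the original post or of ISPConfig: it reads the recipients from the MAIL-ON-WARNING setting in the rkhunter configuration and mails only the lines rkhunter flags as warnings. The function names, the /etc/rkhunter.conf path, the warning-line pattern and the sample text are assumptions or constructed for illustration.

```php
<?php
// Added example, not ISPConfig or rkhunter code; function names are hypothetical.

// Recipients from rkhunter's MAIL-ON-WARNING setting (space-separated list).
function rkhunter_recipients(string $conf): array {
    $found = [];
    foreach (preg_split('/\R/', $conf) as $line) {
        if (!preg_match('/^\s*MAIL-ON-WARNING\s*=\s*(.*)$/', $line, $m)) continue;
        foreach (preg_split('/\s+/', trim($m[1], " \t\"'"), -1, PREG_SPLIT_NO_EMPTY) as $addr) {
            // Conservative allow-list; a leading "-" is refused so an address
            // can never be read by mail(1) as an option.
            if (preg_match('/^[A-Za-z0-9_][A-Za-z0-9._+-]*(@[A-Za-z0-9.-]+)?$/', $addr)) {
                $found[] = $addr;
            }
        }
    }
    return array_values(array_unique($found));
}

// Keep only the lines rkhunter flags as warnings (assumed output format).
function rkhunter_warnings(string $output): array {
    return array_values(preg_grep('/\[ Warning \]|^\s*Warning:/', preg_split('/\R/', $output)));
}

// Pipe the report to mail(1) on stdin; only quoted arguments reach the shell.
function send_report(array $warnings, array $to): bool {
    if (!$warnings || !$to) return false;
    $cmd = 'mail -s ' . escapeshellarg('[rkhunter] warning(s) found.') . ' '
         . implode(' ', array_map('escapeshellarg', $to));
    $pipe = popen($cmd, 'w');
    if ($pipe === false) return false;
    fwrite($pipe, implode("\n", $warnings) . "\n");
    return pclose($pipe) === 0;
}

// Constructed sample data, so the parsing can be checked without sending mail.
$conf = "#MAIL-ON-WARNING=old@example.com\nMAIL-ON-WARNING=\"root admin@example.com -oops\"\n";
$output = "Checking for passwd file changes   [ None found ]\n"
        . "Checking for hidden files and directories   [ Warning ]\n"
        . "Warning: Hidden file found: /dev/.example\n";

print_r(rkhunter_recipients($conf));
print_r(rkhunter_warnings($output));
// In the cron class, after line 75 (config path is an assumption):
// send_report(rkhunter_warnings($data['output']), rkhunter_recipients(file_get_contents('/etc/rkhunter.conf')));
```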

 
