Install rkhunter (Rootkit Hunter)

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.

Install RKHunter which is the Rootkit Detection tool

Install from EPEL

# yum – -enablerepo=epel -y install rkhunter

# nano /etc/sysconfig/rkhunter
Recipient address for report


If specified “yes”, scan more detaily


Update database

# rkhunter – -update

Update system file properties

# rkhunter – -propupd

Execute checking
–sk means sikpping to push Enter key.
If specified –rwo , display only warnings

# rkhunter – -check – -sk

How to force sshd server to display login banner

Pre login banner is use for sending a warning message before authentication may be relevant for getting legal protection or just give out information to users. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed (if you are using latest version of Linux/UNIX then you do not have to worry about version issue).

Procedure to change OpenSSH pre login banner

1) By default sshd server turns off this feature.

2) Login as the root user; create your login banner file:

# vi /etc/ssh/sshd-banner

Append text:
Welcome to nixCraft Remote Login!

3) Open sshd configuration file /etc/sshd/sshd_config using a text editor:

# vi /etc/sshd/sshd_config

4) Add/edit the following line:

Banner /etc/ssh/sshd-banner

5) Save file and restart the sshd server:

# /etc/init.d/sshd restart

Arpwatch Tool to Monitor Ethernet Activity in Linux


Arpwatch is an open source computer software program that helps you to monitor Ethernet traffic activity (like Changing IP and MAC Addresses) on your network and maintains a database of ethernet/ip address pairings. It produces a log of noticed pairing of IP and MAC addresses information along with a timestamps, so you can carefully watch when the pairing activity appeared on the network. It also has the option to send reports via email to an network administrator when a pairing added or changed.

This tool is specially useful for Network administrators to keep a watch on ARP activity to detect ARP spoofing or unexpected IP/MAC addresses modifications.

By default, Arpwatch tool is not installed on any Linux distributions. We must install it manually using ‘yum‘ command on RHEL, CentOS, Fedora and ‘apt-get‘ on Ubuntu, Linux Mint and Debian.

# yum install arpwatch

Let’s focus on the some most important arpwatch files, the location of the files are slightly differ based on your operating system.

  1. /etc/rc.d/init.d/arpwatch : The arpwatch service for start or stop daemon.
  2. /etc/sysconfig/arpwatch : This is main configuration file…
  3. /usr/sbin/arpwatch : Binary command to starting and stopping tool via the terminal.
  4. /var/arpwatch/arp.dat : This is the main database file where IP/MAC addresses are recorded.
  5. /var/log/messages : The log file, where arpwatch writes any changes or unusual activity to IP/MAC.

Type the following command to start the arpwatch service.

# chkconfig --level 35 arpwatch on
# /etc/init.d/arpwatch start

Arpwatch Commands and Usage

To watch a specific interface, type the following command with ‘-i‘ and device name.

# arpwatch -i eth0

So, whenever a new MAC is plugged or a particular IP is changing his MAC address on the network, you will notice syslog entries at ‘/var/log/syslog‘ or ‘/var/log/message‘ file.

# tail -f /var/log/messages

You can also check current ARP table, by using following command.

# arp -a

If you want to send alerts to your custom email id, then open the main configuration file ‘/etc/sysconfig/arpwatch‘ and add the email as shown below.

# -u <username> : defines with what user id arpwatch should run
# -e <email>    : the <email> where to send the reports
# -s <from>     : the <from>-address
OPTIONS="-u arpwatch -e -s 'root (Arpwatch)'"