I have been asked about rootkits on Linux many times.
Prevention and Monitoring
The best way to keep one's system secure and free of rootkits is to prevent them from being installed on one's system. One way of doing this is not allowing the attacker to have access to the administrative account. Without root access the attacker can't hide their tracks with a rootkit.

To monitor a system, a technique called file integrity checking is used to detect rootkits fast by looking at the machine for changes. The idea is to make a fingerprint of the machine right after a fresh install and after a new program is installed. A fingerprint is made with a cryptographic hash function, which produces a hash that depends on every bit of data in a file. After this hash is made, changes in the data can be detected by calculating the current hash value and comparing it with the stored one.

Also, there is Linux software which checks the integrity of files on a machine. One example of this type of software is Tripwire, which uses a hash function and stores the information about the files in a password-protected database. It will alert the user if the files being monitored have changed, and then the user can see if a rootkit changed that file. However, the best way to prevent rootkits is by practicing smart security, for example firewalls, good passwords, checking permissions, etc.
Thank you to Bill Keys for this informative post. I'm sure he won't mind me linking to his post because anything that improves security is a good thing.
Bill is an experienced developer with all things open source and holds a BS in Computer Science with a minor in Math from SUNY Plattsburgh. Bill has been utilizing his skills with the Linuxsecurity team for more than a year now, and holds the duo of Python and Perl as his tools of choice. And, like the rest of the Linuxsecurity team, Bill also runs Ubuntu for his desktop and EnGarde Linux for his server.
Edited by NickAu1, 23 November 2014 - 07:46 PM.
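The fingerprint-and-compare routine the quoted post describes, as an added example in Python. This is not code from the post, from Bill Keys or from Tripwire; it is a small checker that hashes every file under a directory, seals the baseline with an HMAC (a stand-in for the password-protected database the post mentions), and later reports added, removed and modified files. The watched tree, the passphrase and every file in `sample_run()` are constructed for the demo; the `_write` helper exists only to build that tree.

```python
"""File-integrity checker in the style the post describes: fingerprint a tree,
store the baseline, later re-hash and diff.  Added example, not code from the
original post, from Bill Keys or from Tripwire.  The watched tree, the
passphrase and every file in sample_run() are constructed for the demo."""
import hashlib
import hmac
import json
import os
import stat
import tempfile

CHUNK = 1 << 16


def hash_file(path):
    """SHA-256 of a file's bytes, streamed so a large binary is not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path):
    """One record per filesystem entry.  Mode is included so a permission-only
    change (e.g. a setuid bit appearing on a binary) is reported even though the
    bytes are unchanged.  Symlinks are recorded by target, not followed."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return {"kind": "symlink", "target": os.readlink(path), "mode": st.st_mode}
    if stat.S_ISREG(st.st_mode):
        return {"kind": "file", "sha256": hash_file(path), "mode": st.st_mode, "size": st.st_size}
    return None  # sockets, fifos, devices: not covered by this example


def build_baseline(root):
    """Map every file under root (path relative to root) to its fingerprint."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order; makes output stable
        for name in filenames:
            full = os.path.join(dirpath, name)
            rec = fingerprint(full)
            if rec is not None:
                baseline[os.path.relpath(full, root)] = rec
    return baseline


def compare(baseline, current):
    """Diff two baselines into the three classes a checker must report."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def seal_baseline(baseline, key):
    """Serialise the baseline with an HMAC tag so an attacker who edits the stored
    hashes (the obvious move once they have root) is caught at load time.  The key
    must live off the monitored host; assumed here to be derived from a passphrase."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return blob, tag


def open_baseline(blob, tag, key):
    """Verify the tag before trusting the stored hashes."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database has been altered or the key is wrong")
    return json.loads(blob)


def _write(root, rel, data):
    """Demo helper (hypothetical): create rel under root with the given bytes."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def sample_run():
    """Constructed demo: baseline a tiny tree, then make the changes a rootkit
    install typically leaves behind, and return what the comparison reports."""
    key = hashlib.sha256(b"operator passphrase (demo only)").digest()
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary")
        su = _write(root, "bin/su", b"original su binary")
        _write(root, "etc/motd", b"welcome")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        blob, tag = seal_baseline(build_baseline(root), key)

        # Simulated tampering: trojaned ls, new hidden file, deleted file,
        # and a permission-only change (setuid bit added to su).
        _write(root, "bin/ls", b"trojaned ls binary")
        _write(root, "bin/.hidden", b"rootkit payload")
        os.remove(os.path.join(root, "etc/motd"))
        os.chmod(su, 0o4755)

        return compare(open_baseline(blob, tag, key), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(sample_run(), indent=2))
```

Two caveats a practitioner would add to the post's advice. First, the baseline and the key that seals it have to be kept where the attacker cannot reach them (read-only media or another host), because an attacker with root can rewrite a hash database just as easily as the files it covers. Second, a checker like this runs in userspace on top of the kernel; a rootkit that has already hooked the kernel can feed it the original file contents, so the comparison is most trustworthy when the disk is hashed from a clean boot medium rather than from the possibly compromised system itself.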