This section is a work in progress and may be incomplete. The instructions provided should work, but additional details and explanations may be added in future updates.

Why

Rootkits are malicious software that give an attacker privileged access to a system while hiding their presence (files, processes, network connections). Rkhunter (Rootkit Hunter) scans a Linux system for known rootkits, backdoors and possible local exploits, and compares important system binaries against a stored baseline of their properties.

How It Works

Rkhunter performs various security checks including:
  • Scanning for files and directories left behind by known rootkits
  • Checking loaded kernel modules and kernel symbols for strings used by known rootkits
  • Comparing the properties of system commands (hashes, sizes, permissions) against its stored baseline
  • Detecting hidden files, directories and processes
  • Checking for suspicious network activity, such as listening backdoor ports and interfaces in promiscuous mode

Goals

  • Rkhunter installed and configured to scan for rootkits daily
  • Automatic email notifications when threats are detected

References

Installation and Setup

1. Install Rkhunter

On Debian based systems:
sudo apt install rkhunter
2. Back up the defaults file

Make a backup of rkhunter’s defaults file:
sudo cp -p /etc/default/rkhunter /etc/default/rkhunter-COPY-$(date +"%Y%m%d%H%M%S")
3. Create a local configuration file

Instead of modifying the main configuration file /etc/rkhunter.conf, create and use /etc/rkhunter.conf.local:
sudo cp -p /etc/rkhunter.conf /etc/rkhunter.conf.local
Rkhunter reads /etc/rkhunter.conf first and then /etc/rkhunter.conf.local, and settings in the local file override those in the main file. Keeping your changes in the .local file prevents them from being overwritten when the package updates /etc/rkhunter.conf. Copying the whole file, as above, works; a smaller .local file containing only the settings you change is equally valid and easier to review.
4. Configure rkhunter

Edit /etc/rkhunter.conf.local and set the following (one KEY=value per line, no spaces around the =):

Setting                        Value      Note
UPDATE_MIRRORS                 1          Check the mirrors file for updates
MIRRORS_MODE                   0          Use any mirror (local or remote) for updates
MAIL-ON-WARNING                root       Email warnings to root
COPY_LOG_ON_ERROR              1          Keep a copy of the log when a run ends in error
PKGMGR                         (varies)   Your package manager (DPKG on Debian/Ubuntu, RPM on RPM-based systems)
PHALANX2_DIRTEST               1          Enable the extra directory test for the Phalanx2 rootkit
WEB_CMD                        ""         Re-enable downloads (the Debian package sets this to /bin/false)
USE_LOCKING                    1          Prevent multiple simultaneous runs
SHOW_SUMMARY_WARNINGS_NUMBER   1          Show the number of warnings in the scan summary

The Debian package ships /etc/rkhunter.conf with WEB_CMD="/bin/false", which disables rkhunter's ability to download updated data files with --update. Setting WEB_CMD="" in the local file restores rkhunter's built-in download command.
5. Enable daily scans

On Debian based systems the daily cron job is controlled by /etc/default/rkhunter (the CRON_DAILY_RUN, CRON_DB_UPDATE and REPORT_EMAIL settings, among others). Either edit that file or run:
sudo dpkg-reconfigure rkhunter
Answer Yes to the questions to enable the daily scan, the daily database update and email reports. With the daily run enabled, the package's /etc/cron.daily/rkhunter script runs each day and mails its report to the address in REPORT_EMAIL.
6. Validate configuration

Verify all settings are valid:
sudo rkhunter -C
This checks for configuration errors before running scans.
7. Update rkhunter

Update rkhunter and its data files:
sudo rkhunter --versioncheck
sudo rkhunter --update
sudo rkhunter --propupd
  • --versioncheck - checks whether a newer rkhunter release is available
  • --update - fetches updated detection data files from the mirrors (the step that WEB_CMD="" makes possible on Debian)
  • --propupd - records the current properties (hashes, sizes, permissions) of system binaries as the trusted baseline
Because --propupd trusts whatever is on disk at that moment, run it only on a system you have reason to believe is clean, ideally straight after installation. On an already compromised host it would record the attacker's files as the baseline.
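The following script is an added example and not part of the guide or of rkhunter itself. It carries steps 3 to 6 through in one place: it writes a minimal /etc/rkhunter.conf.local containing only the overrides from the table in step 4, offers a small helper to read back the effective value of a setting, and runs rkhunter's own syntax check when the binary is present. The output path and package manager are parameters so the functions can be exercised against a temporary file without touching /etc; the --write flag and the file layout are this example's conventions, not rkhunter's.

```shell
#!/bin/sh
# Added example (not from the guide): create a minimal /etc/rkhunter.conf.local
# holding only the overrides from step 4, then validate it with `rkhunter -C`.
# Output path and package manager are parameters so the same functions can be
# run against a temporary file on a machine without rkhunter.
set -eu

# Write the override file. rkhunter reads /etc/rkhunter.conf first and then
# rkhunter.conf.local, so only the settings that differ need to be listed here.
write_rkhunter_local() {
    out="$1"
    pkgmgr="${2:-DPKG}"    # DPKG on Debian/Ubuntu, RPM on RPM-based systems, NONE to disable
    cat > "$out" <<EOF
# Local rkhunter overrides; values here replace those in /etc/rkhunter.conf
UPDATE_MIRRORS=1
MIRRORS_MODE=0
MAIL-ON-WARNING=root
COPY_LOG_ON_ERROR=1
PKGMGR=$pkgmgr
PHALANX2_DIRTEST=1
# Debian ships WEB_CMD="/bin/false", which makes --update a no-op; an empty
# value restores rkhunter's built-in download command
WEB_CMD=""
USE_LOCKING=1
SHOW_SUMMARY_WARNINGS_NUMBER=1
EOF
}

# Print the effective value of a setting in a config file (last assignment wins,
# surrounding double quotes stripped). Returns 1 when the key is not set at all.
conf_value() {
    file="$1"
    key="$2"
    grep -q "^${key}=" "$file" || return 1
    sed -n "s/^${key}=//p" "$file" | tail -n 1 | sed 's/^"//; s/"$//'
}

# Run rkhunter's own configuration check when it is installed (it exits
# non-zero on a bad setting); on a machine without rkhunter say so and continue.
validate_rkhunter_config() {
    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter -C
    else
        echo "rkhunter not installed; skipping 'rkhunter -C'" >&2
    fi
}

# Usage (as root):  sh rkhunter_local.sh --write              -> /etc/rkhunter.conf.local
#                   sh rkhunter_local.sh --write /tmp/x RPM   -> custom path and package manager
if [ "${1:-}" = "--write" ]; then
    target="${2:-/etc/rkhunter.conf.local}"
    write_rkhunter_local "$target" "${3:-DPKG}"
    validate_rkhunter_config
    echo "wrote $target; next run 'rkhunter --update' and, on a clean system, 'rkhunter --propupd'"
fi
```

Running the script without --write only defines the functions, which is what makes it safe to test on a workstation; with --write as root it replaces /etc/rkhunter.conf.local outright, so keep the backup from step 2 if you had already customised that file.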

Manual Scanning

To run a scan and watch the output interactively:
sudo rkhunter --check
This scans the system and pauses after each group of tests; press Enter to continue. Add --sk (skip keypress) to run without pausing, or --rwo to print only the warnings; the full log is written to /var/log/rkhunter.log.
Run a check after system updates: binaries changed by the update will show as warnings until the baseline is refreshed with --propupd (next section), which you should do only once you have confirmed the changes came from the update.

Updating the Database

After legitimate system changes (a kernel update, new packages), refresh rkhunter's file-properties database:
sudo rkhunter --propupd
This stops rkhunter from warning about files the update changed. Do not run it in response to a warning you have not explained: --propupd accepts the current state as trusted, so it would also silence a real modification. Confirm first that the flagged file belongs to an installed package and still matches it (on Debian, dpkg -S <file> names the package and dpkg -V <package> verifies its files). On Debian, setting APT_AUTOGEN to true in /etc/default/rkhunter runs --propupd automatically after apt installs or removes packages.

Automated Daily Scans

With the daily run enabled, the package's /etc/cron.daily/rkhunter script runs rkhunter in --cronjob mode every day (non-interactive, no colours) and emails the warnings to the configured address. You can customize the scan script or check example scripts at the references above.
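The following script is an added example, not the guide's or the Debian package's cron script. It shows what a daily run has to deal with once the report arrives: parsing the warnings out of rkhunter's log, extracting the paths behind "file properties have changed" warnings, and checking such a path against dpkg before anyone reaches for --propupd. The log excerpt is constructed to mimic the layout of /var/log/rkhunter.log (timestamps, messages and the /usr/bin/ssh and /etc/.java findings are illustrative, not from a real scan), and the run_daily_scan function assumes a mail command is available for delivery.

```shell
#!/bin/sh
# Added example (not from the guide): parse an rkhunter log for warnings and
# triage file-property warnings against dpkg before refreshing the baseline.
# The log excerpt is constructed to look like /var/log/rkhunter.log; paths and
# timestamps are illustrative only.
set -eu

# Constructed sample of rkhunter log lines (format: "[hh:mm:ss] Level: message").
sample_rkhunter_log() {
    cat <<'EOF'
[06:25:01] Info: Starting test name 'properties'
[06:25:02] Warning: The file properties have changed:
[06:25:02]          File: /usr/bin/ssh
[06:25:03] Info: Checking for hidden files and directories          [ OK ]
[06:25:04] Warning: Hidden directory found: /etc/.java
[06:25:05] Info: Checking for passwd file changes                   [ None found ]
EOF
}

# Number of warnings in a log file (prints 0 when there are none).
count_warnings() {
    grep -c 'Warning:' "$1" || true
}

# Warning messages without the timestamp prefix, one per line.
list_warnings() {
    sed -n 's/^\[[0-9:]*\] *Warning: //p' "$1"
}

# Paths reported under "The file properties have changed:" warnings.
changed_files() {
    sed -n 's/^\[[0-9:]*\] *File: //p' "$1"
}

# Before running --propupd, confirm a flagged file still matches the checksum
# recorded by its package: `dpkg -S` names the owning package and `dpkg -V`
# verifies that package (silent on success, non-zero on a mismatch).
verify_with_dpkg() {
    f="$1"
    command -v dpkg >/dev/null 2>&1 || { echo "dpkg not available; verify $f by other means" >&2; return 0; }
    pkg=$(dpkg -S "$f" 2>/dev/null | cut -d: -f1 | head -n 1) || true
    [ -n "$pkg" ] || { echo "$f is not owned by any package: investigate before trusting it" >&2; return 1; }
    dpkg -V "$pkg"
}

# A daily run in the style of the Debian cron job: --cronjob implies --check,
# --sk and --nocolors; --rwo prints warnings only, so any output means work.
run_daily_scan() {
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter not installed" >&2; return 0; }
    report=$(rkhunter --cronjob --rwo --appendlog 2>&1) || true
    [ -n "$report" ] || return 0
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$report" | mail -s "rkhunter warnings on $(hostname)" root
    else
        printf '%s\n' "$report"
    fi
}

# Demonstration on the constructed sample; needs neither rkhunter nor root.
tmp=$(mktemp)
sample_rkhunter_log > "$tmp"
echo "warnings found: $(count_warnings "$tmp")"
list_warnings "$tmp"
for f in $(changed_files "$tmp"); do
    echo "would verify $f with: dpkg -S $f; dpkg -V <package>"
done
rm -f "$tmp"
```

Of the two sample warnings, only the changed /usr/bin/ssh is a candidate for --propupd, and only after dpkg -V reports no mismatch for its package. A hidden directory that is expected on the system is better handled with an ALLOWHIDDENDIR entry in /etc/rkhunter.conf.local (for example ALLOWHIDDENDIR=/etc/.java) than by refreshing the baseline, which does not affect that test.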
