Scanning server for malicious tools with rkhunter

rkhunter Log

rkhunter (Rootkit Hunter) is a security tool that scans for the presence of rootkits, backdoors and other unwanted tools. Also, it allows additional security scans like: check for wrong file permissions for binaries, MD5 hash compare, look for hidden files and others.

This post provides instructions how to setup and configure rkhunder to run I automatically every day on servers running Linux or Unix.

To install rkhunter, download the latest version from project page. Once the archive is downloaded: extract it and launch the installation script:

tar xvf rkhunter-*.tar.gz
cd rkhunter-*
./ --layout default --install

After that rebuild rkhunter file properties database:

rkhunter --propupd
less /var/log/rkhunter.log

The configuration of this security tool could be done by editing the file /etc/rkhunter.conf. On this file the below parameters should be altered to remind sysadmin about security:


E-mail a message to this address if a warning is found.

Check if SSH daemon configuration is secured by checking the options PermitRootLogin and Protocol. This security measures are applied in article Secure existing OpenSSH installation

To setup daily reporting with rkhunter, issue the command:

cat << EOF >/etc/cron.daily/01-rkhunter
/usr/local/bin/rkhunter --cronjob --update --versioncheck --rwo && echo ""
) | /bin/mail -s "Rkhunter daily run on ip.address" root
exit 0

The above code will create a shell script named 01-rkhunter in /etc/cron.daily directory. This script will be executed daily by cron.

Finally, the correct permission should be set:

chmod 700 /etc/cron.daily/01-rkhunter