How to Install and Run Rootkit Hunter on AlmaLinux VPS

This article provides a guide for how to install and run Rootkit Hunter on AlmaLinux VPS.

What is Rootkit Hunter?

Rootkit Hunter (often abbreviated rkhunter) is a free, open-source security tool for Unix/Linux systems. It’s designed to detect rootkits, backdoors, and local exploits by scanning the system for known signatures, suspicious file changes, and abnormal behaviors.

Here’s a breakdown:

🔍 What It Does

  • Rootkit detection: Looks for signatures of known rootkits (collections of malicious tools that let attackers maintain privileged access while hiding their presence).
  • File integrity checks: Compares system binaries against a baseline (hashes, permissions, timestamps) to detect tampering.
  • Suspicious file/directory detection: Flags hidden files, unusual directories, or unexpected entries in /dev, /tmp, etc.
  • Kernel module checks: Scans for suspicious or unexpected loaded kernel modules.
  • Configuration checks: Warns if file permissions or system settings deviate from security best practices.

🛠️ How It Works

  • Maintains a database of known good properties (using --propupd) and compares against it on subsequent scans.
  • Uses pattern matching and heuristics to flag items commonly associated with rootkits.
  • Runs manually (rkhunter --check) or automatically (via cron or systemd timers).
  • Generates logs and can send email alerts if warnings are found.

⚠️ Important Notes

  • It’s not an antivirus — it doesn’t remove threats automatically.
  • Some alerts may be false positives (e.g., custom binaries, kernel modules), so results need to be reviewed by an administrator.
  • Best used as part of a layered defense strategy alongside intrusion detection systems (IDS), log monitoring, patch management, and firewalling.

👉 In short: Rootkit Hunter is a host-based intrusion detection scanner that helps sysadmins spot early signs of compromise by monitoring for rootkits and related security anomalies.

How to Install and Run Rootkit Hunter on AlmaLinux VPS

Tested approach: AlmaLinux 8/AlmaLinux 9 (RHEL-compatible). Commands assume you have a root shell (or sudo where shown). If you’re on a minimal system, ensure dnf and networking are available.

  1. Quick summary / what this does

    • rkhunter (Rootkit Hunter) scans for rootkits, backdoors, local exploits and suspicious file/permission changes by checking file hashes, known signatures and common indicators. It’s a host-based scanner and complements other security controls.
  2. Install via EPEL (recommended, easiest)

    1. Enable EPEL and update package metadata:
      sudo dnf install -y epel-release
      sudo dnf makecache
    2. Install rkhunter:
      sudo dnf install -y rkhunter
    3. Verify installation:
      rkhunter --version
      

      Notes:

      • On RHEL-derivatives (AlmaLinux/Rocky) rkhunter is commonly provided via EPEL—this is the simplest and recommended route.
  3. Alternate: install from source (if you need latest upstream)

    If your distro package is old or not available:

    cd /usr/local/src
    sudo wget https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
    sudo tar xzf rkhunter-1.4.6.tar.gz
    cd rkhunter-1.4.6
    sudo ./installer.sh --layout default --install

    Before running the installer, verify the tarball against the checksum or GPG signature published on the project site; you are about to execute its contents as root.

    Then confirm with:

    /usr/local/bin/rkhunter --version

    (Replace version numbers with the current upstream release found on the project site.)

  4. Initial configuration and database update

    1. Update the rkhunter data files (signatures & props database):
      sudo rkhunter --update
    2. Create the properties database (baseline) — do this when the system is known-good:
      sudo rkhunter --propupd
      
      • --propupd records current file properties (hashes/permissions) so future scans can detect changes. Any package update that replaces a monitored binary will raise file-property warnings until you re-run --propupd, so make it part of your patching routine, after confirming that the changed files are the ones the update installed.
    3. Examine the main config file:
      sudo cp /etc/rkhunter.conf /etc/rkhunter.conf.orig
      sudo vi /etc/rkhunter.conf
      

      Common options to check/edit (the comments in the file explain each one):

      • MAIL-ON-WARNING (address to receive alerts)
      • LOGFILE=/var/log/rkhunter.log (default)
      • ALLOWHIDDENDIR / ALLOWHIDDENFILE to whitelist known items
      • SCRIPTWHITELIST for commands that are legitimately shell scripts
      • PKGMGR=RPM on AlmaLinux, so packaged binaries are verified against the RPM database rather than only against rkhunter's stored properties
      • UPDATE_MIRRORS / MIRRORS_MODE, which control where --update fetches its data files

      After editing, validate the syntax before the next scan:
      sudo rkhunter --config-check

      On some packages you may also use /etc/sysconfig/rkhunter (or /etc/default/rkhunter) to set MAILTO for cron/packaged scripts.
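The options in the checklist above are easiest to manage from a script that can be re-run after every package update. The following is an example added to this article, not code from the rkhunter project or the original post: it sets the listed options idempotently, reads them back, and hands the result to rkhunter's own syntax check when rkhunter is installed. The sample config it writes is constructed for the demonstration; the option names (MAIL-ON-WARNING, PKGMGR, ALLOW_SSH_ROOT_USER, UPDATE_MIRRORS, MIRRORS_MODE) are rkhunter's own, and root@localhost is a placeholder address.

```shell
#!/bin/sh
# Added example for this article, not code from the rkhunter project or the
# original post: apply the rkhunter.conf settings listed above idempotently
# and read the result back. It works on a constructed copy of the config so
# it runs without root; set RKH_CONF=/etc/rkhunter.conf to edit the live file.
set -u

# Set KEY=VALUE in a rkhunter.conf-style file. An active KEY= line is
# replaced in place; a commented-out default (#KEY=...) stays as documentation
# and the new line is appended. VALUE must not contain '|' or '&' (sed specials).
rkh_set() {
    key=$1; value=$2; conf=$3
    if grep -q "^${key}=" "$conf"; then
        sed -i "s|^${key}=.*|${key}=${value}|" "$conf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# Print the active (uncommented) value of KEY in FILE; empty if unset.
rkh_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# The options from the checklist, with the values an AlmaLinux VPS normally wants.
rkh_harden() {
    conf=$1
    rkh_set MAIL-ON-WARNING     root@localhost "$conf"  # default: warnings are never mailed
    rkh_set PKGMGR              RPM            "$conf"  # default NONE: check packaged files via the RPM database
    rkh_set ALLOW_SSH_ROOT_USER no             "$conf"  # warn if sshd permits root login
    rkh_set UPDATE_MIRRORS      1              "$conf"  # let --update refresh its mirror list
    rkh_set MIRRORS_MODE        0              "$conf"  # 0 = any mirror may be used
}

# Constructed stand-in for the shipped config: defaults commented out, one
# weak active setting. Only written when the target file is empty or missing.
RKH_CONF=${RKH_CONF:-$(mktemp)}
if [ ! -s "$RKH_CONF" ]; then
    cat > "$RKH_CONF" <<'EOF'
# rkhunter.conf (constructed sample, trimmed)
#MAIL-ON-WARNING=me@mydomain   root@localhost
PKGMGR=NONE
#ALLOW_SSH_ROOT_USER=no
#UPDATE_MIRRORS=1
#MIRRORS_MODE=0
EOF
fi

cp "$RKH_CONF" "$RKH_CONF.orig"
rkh_harden "$RKH_CONF"
diff -u "$RKH_CONF.orig" "$RKH_CONF" || true   # show exactly what changed
# Let rkhunter validate the syntax when it is installed (needs root for the live file).
command -v rkhunter >/dev/null && rkhunter --config-check --configfile "$RKH_CONF"
```

Running it twice produces no second diff, which is the property you want from anything a patching playbook calls; the commented defaults are left in place so the shipped documentation next to each option survives.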

  5. Run a manual scan (first check)

    Run a scan from the console (output goes to the terminal and to the log):

    sudo rkhunter --check --sk --rwo
    

    Flags:

    • --check : run the checks
    • --sk : skip the "press Enter to continue" prompts between test groups (long form --skip-keypress; required for unattended runs)
    • --rwo : report warnings only (reduces noise; the full results still go to the log)

    After the run, inspect /var/log/rkhunter.log for details:

    sudo less /var/log/rkhunter.log
    
    rkhunter exits 0 when no warnings were raised and 1 when warnings were found, so scripts can test the exit status instead of grepping the output.
    
  6. Scheduling automatic daily scans

    Two common approaches: the distro package often supplies cron scripts; you can also create a systemd timer for more control.

    1. Use the packaged cron scripts (easy)

      If installed from EPEL, rkhunter typically ships a daily cron script (check with rpm -ql rkhunter | grep cron; /etc/cron.daily/rkhunter is the usual location). Configure mail settings in /etc/sysconfig/rkhunter:

      sudo grep -n MAILTO /etc/sysconfig/rkhunter
      sudo vi /etc/sysconfig/rkhunter   # e.g. MAILTO="root@example.com"

      The cron script runs under the standard daily cron job and sends its output to the configured MAILTO. (This is the common default on RHEL-style systems.)

    2. Create a systemd service + timer (recommended for modern systems)

      Create a service unit /etc/systemd/system/rkhunter-check.service:

      [Unit]
      Description=Run rkhunter scan

      [Service]
      Type=oneshot
      ExecStart=/usr/bin/rkhunter --check --sk --nocolors --rwo
      Nice=10

      Create a timer /etc/systemd/system/rkhunter-check.timer to run daily at 03:30:

      [Unit]
      Description=Daily rkhunter scan

      [Timer]
      OnCalendar=*-*-* 03:30:00
      Persistent=true

      [Install]
      WantedBy=timers.target

      Enable and start:

      sudo systemctl daemon-reload
      sudo systemctl enable --now rkhunter-check.timer
      sudo systemctl status rkhunter-check.timer

      --sk is required because there is no terminal to answer keypress prompts, and --nocolors keeps escape codes out of the journal. Because rkhunter exits 1 when it finds warnings, the service is shown as failed on such a run; treat that as the alert signal (systemctl --failed, journalctl -u rkhunter-check.service), not as a unit problem. If you want updates to be pulled before each scan, add a small script wrapper (e.g., /usr/local/sbin/rkhunter-daily) that runs rkhunter --update then rkhunter --check and point the service ExecStart at that script. Systemd timers have advantages over cron (better logging via journalctl, easier enable/disable).

  7. Handling notifications (email)

    • If using cron scripts, set MAILTO in /etc/sysconfig/rkhunter or /etc/default/rkhunter.
    • If running a systemd wrapper script, pipe the output to mailx (package mailx on AlmaLinux 8, s-nail on AlmaLinux 9) or an ssmtp/msmtp-style relay:
      /usr/bin/rkhunter --check --sk --rwo | /usr/bin/mailx -s "rkhunter report on $(hostname)" security@example.com

      Make sure an MTA or ssmtp/msmtp is configured to deliver mail. Note that this pipe sends a message on every run, even an empty one; a wrapper that mails only when rkhunter reports warnings is easier to live with.

  8. Dealing with false positives (whitelisting)

    Rkhunter will sometimes flag legitimate items (e.g., custom kernel modules, locally compiled binaries, files whose unusual permissions are expected). Best practice:

    1. Inspect /var/log/rkhunter.log to confirm the details of each warning.
    2. If the item is safe, add an entry to /etc/rkhunter.conf (each option may be repeated, one path per line):
      • ALLOWHIDDENFILE=/path/to/file
      • ALLOWHIDDENDIR=/path/to/dir
      • SCRIPTWHITELIST=/path/to/script
    3. If a file's property change is expected (for example after a dnf update replaced the binary), update the baseline for that file rather than for the whole system:
      sudo rkhunter --propupd /path/to/file
      
      Re-run the full baseline (sudo rkhunter --propupd with no argument) only once every changed file has been accounted for.

    Document all whitelist entries (why they were whitelisted and who approved them); never accept them silently.
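The triage loop above (read the log, separate what can be whitelisted from what must be investigated, draft the config lines for review) is worth scripting so it is done the same way every time. The following is an example added to this article, not code from the rkhunter project or the original post. The log excerpt it embeds is constructed to mimic rkhunter's log format; on a real host point RKH_LOG at /var/log/rkhunter.log. It never writes to /etc/rkhunter.conf: the candidate lines go to stdout for a human to justify and paste.

```shell
#!/bin/sh
# Added example, not from the original article or the rkhunter project:
# triage the Warning lines in rkhunter's log and draft whitelist entries for
# review. The sample log below is constructed; set RKH_LOG=/var/log/rkhunter.log
# to run against a real scan.
set -u

# Each distinct warning text, with the "[hh:mm:ss] Warning: " prefix removed.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*\][ ]*Warning: //p' "$1" | sort -u
}

# Files whose stored properties no longer match. These need investigation
# (rpm -Vf, the package changelog, who changed it), never a whitelist entry.
rkh_changed_files() {
    sed -n 's/^\[[0-9:]*\][ ]*File: //p' "$1" | sort -u
}

# Candidate rkhunter.conf lines for the three warning classes the article
# whitelists. Everything after the path (file type description) is dropped.
rkh_suggest_whitelist() {
    rkh_warnings "$1" | awk '
        /^Hidden directory found: /       { sub(/^Hidden directory found: /, "");        sub(/:.*/, ""); print "ALLOWHIDDENDIR=" $0;  next }
        /^Hidden file found: /            { sub(/^Hidden file found: /, "");             sub(/:.*/, ""); print "ALLOWHIDDENFILE=" $0; next }
        /has been replaced by a script: / { sub(/.*has been replaced by a script: /, ""); sub(/:.*/, ""); print "SCRIPTWHITELIST=" $0; next }
    '
}

# Constructed log excerpt in rkhunter's format; only written if RKH_LOG is empty.
RKH_LOG=${RKH_LOG:-$(mktemp)}
if [ ! -s "$RKH_LOG" ]; then
    cat > "$RKH_LOG" <<'EOF'
[03:30:02] Warning: Hidden directory found: /etc/.java
[03:30:02] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data
[03:30:02] Warning: Hidden directory found: /etc/.java
[03:30:05] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[03:30:09] Warning: The file properties have changed:
[03:30:09]          File: /usr/bin/curl
[03:30:09]          Current hash: <hash from this scan>
[03:30:09]          Stored hash : <hash recorded by --propupd>
EOF
fi

echo "== files to investigate (properties changed; do not whitelist) =="
rkh_changed_files "$RKH_LOG"
echo "== candidate whitelist lines (review and justify before use) =="
rkh_suggest_whitelist "$RKH_LOG"
```

The split matters: a hidden directory or a script-shaped /usr/bin/egrep is a known-benign pattern you can document and whitelist, whereas a changed hash on /usr/bin/curl is either a package update you can prove happened or the exact thing rkhunter exists to catch, and only the former earns a --propupd.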

  9. Common troubleshooting & tips

    • Run as root — rkhunter needs root privileges to check system binaries and kernel modules.
    • SELinux — AlmaLinux defaults to SELinux enforcing. rkhunter may show SELinux-related warnings. These are usually informational; inspect the log. If SELinux blocks execution, view audit.log (/var/log/audit/audit.log) and use audit2why/ausearch to investigate.
    • Outdated data files — run rkhunter --update regularly; keep the package updated via dnf update rkhunter.
    • Network access for updates — ensure your VPS can reach rkhunter mirrors (no restrictive egress firewall blocking HTTP/HTTPS to SourceForge/mirrors).
    • Log rotation — ensure /var/log/rkhunter.log is rotated by logrotate; check /etc/logrotate.d/ for existing config.
    • Version check — upstream project site lists latest recommended version; consider source install if distro package is old.
  10. Example: small wrapper script (update → run → email)

    Create /usr/local/sbin/rkhunter-daily:

    #!/bin/bash
    # Refresh the data files, scan, and mail the log only when rkhunter reports something.
    # No "set -e": rkhunter uses non-zero exit codes to report findings
    # (--check returns 1 when warnings were found; --update returns 2 when it
    # applied updates), and those must not abort the script before the mail step.
    set -uo pipefail
    LOG=/var/log/rkhunter-daily-$(date +%F).log
    MAILTO=root@localhost

    /usr/bin/rkhunter --update --nocolors >> "$LOG" 2>&1 || true

    /usr/bin/rkhunter --check --sk --nocolors --rwo >> "$LOG" 2>&1
    status=$?    # 0 = clean, 1 = warnings found (EXIT STATUS section of rkhunter(8))

    # send mail only if warnings are present
    if [ "$status" -ne 0 ] || grep -q 'Warning:' "$LOG"; then
      /usr/bin/mailx -s "rkhunter alerts on $(hostname)" "$MAILTO" < "$LOG"
    fi

    Make it executable:

    sudo chmod 755 /usr/local/sbin/rkhunter-daily

    Point the systemd service ExecStart= at /usr/local/sbin/rkhunter-daily.

  11. Security best practices & operational guidance

    • Run --propupd only after you’ve audited changes (i.e., don’t baseline an already-compromised host).
    • Combine rkhunter with file integrity monitoring (AIDE/OSSEC) and centralized logging/alerting (ELK, Splunk, or a SIEM).
    • Keep the OS and rkhunter up to date via dnf upgrade.
    • Investigate any unusual warnings promptly — rkhunter is an indicator, not definitive proof.
  12. Useful commands cheat-sheet

    # install (EPEL)
    sudo dnf install -y epel-release
    sudo dnf install -y rkhunter
    # update signatures
    sudo rkhunter --update
    # build baseline (when system is known-good)
    sudo rkhunter --propupd
    # manual scan
    sudo rkhunter --check --sk --rwo
    # check logs
    sudo less /var/log/rkhunter.log
    # get version
    rkhunter --version


Conclusion

You now know how to install and run Rootkit Hunter on AlmaLinux VPS.

Editorial Staff

Rad Web Hosting is a leading provider of web hosting, Cloud VPS, and Dedicated Servers in Dallas, TX.