
This article provides a guide for how to install and run Rootkit Hunter on AlmaLinux VPS.
What is Rootkit Hunter?
Rootkit Hunter (often abbreviated rkhunter) is a free, open-source security tool for Unix/Linux systems. It’s designed to detect rootkits, backdoors, and local exploits by scanning the system for known signatures, suspicious file changes, and abnormal behaviors.
Here’s a breakdown:
🔍 What It Does
- Rootkit detection: Looks for signatures of known rootkits (collections of malicious tools that let attackers maintain privileged access while hiding their presence).
- File integrity checks: Compares system binaries against a baseline (hashes, permissions, timestamps) to detect tampering.
- Suspicious file/directory detection: Flags hidden files, unusual directories, or unexpected entries in /dev, /tmp, etc.
- Kernel module checks: Scans for suspicious or unexpected loaded kernel modules.
- Configuration checks: Warns if file permissions or system settings deviate from security best practices.
🛠️ How It Works
- Maintains a database of known good properties (using --propupd) and compares against it on subsequent scans.
- Uses pattern matching and heuristics to flag items commonly associated with rootkits.
- Runs manually (rkhunter --check) or automatically (via cron or systemd timers).
- Generates logs and can send email alerts if warnings are found.
⚠️ Important Notes
- It’s not an antivirus — it doesn’t remove threats automatically.
- Some alerts may be false positives (e.g., custom binaries, kernel modules), so results need to be reviewed by an administrator.
- Best used as part of a layered defense strategy alongside intrusion detection systems (IDS), log monitoring, patch management, and firewalling.
👉 In short: Rootkit Hunter is a host-based intrusion detection scanner that helps sysadmins spot early signs of compromise by monitoring for rootkits and related security anomalies.

How to Install and Run Rootkit Hunter on AlmaLinux VPS
Tested approach: AlmaLinux 8/AlmaLinux 9 (RHEL-compatible). Commands assume you have a root shell (or sudo where shown). If you’re on a minimal system, ensure dnf and networking are available.
Quick summary / what this does
rkhunter (Rootkit Hunter) scans for rootkits, backdoors, local exploits and suspicious file/permission changes by checking file hashes, known signatures and common indicators. It’s a host-based scanner and complements other security controls.
Install via EPEL (recommended, easiest)
- Enable EPEL and update package metadata:
sudo dnf install -y epel-release
sudo dnf makecache
- Install rkhunter:
sudo dnf install -y rkhunter
- Verify installation:
rkhunter --version
Notes:
- On RHEL derivatives (AlmaLinux/Rocky), rkhunter is commonly provided via EPEL — this is the simplest and recommended route.
Alternate: install from source (if you need latest upstream)
If your distro package is old or not available:
cd /usr/local/src
sudo wget https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
sudo tar xzf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
sudo ./installer.sh --layout default --install
Then confirm with:
/usr/local/bin/rkhunter --version
(Replace version numbers with the current upstream release found on the project site.)
Initial configuration and database update
- Update the rkhunter data files (signatures & props database):
sudo rkhunter --update
- Create the properties database (baseline) — do this when the system is known-good:
sudo rkhunter --propupd
--propupd records current file properties (hashes/permissions) so future scans can detect changes.
- Examine main config file:
sudo cp /etc/rkhunter.conf /etc/rkhunter.conf.orig
sudo vi /etc/rkhunter.conf
Common options to check/edit:
- MAIL-ON-WARNING (address to receive alerts)
- LOGFILE=/var/log/rkhunter.log (default)
- ALLOWHIDDENDIR / ALLOWHIDDENFILE to whitelist known items
- SCRIPTWHITELIST, PKGMGR, etc.
Comments in the file explain each option.
On some packages you may also use /etc/sysconfig/rkhunter (or /etc/default/rkhunter) to set MAILTO for cron/packaged scripts.
Run a manual scan (first check)
Run an interactive scan (output on console and to log):
sudo rkhunter --check --sk --rwo
Flags:
- --check: run checks
- --sk: skip keypress prompts (useful for automation)
- --rwo: show warnings only (reduces noise)
After the run, inspect /var/log/rkhunter.log for details:
sudo less /var/log/rkhunter.log
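To triage a scan's log rather than read it end to end, here is an added example (not code from the original article or from the rkhunter project): POSIX sh functions that count Warning: lines, list the files whose properties rkhunter reported as changed, and decide whether a report is worth mailing. The sample log lines are constructed to approximate the layout of /var/log/rkhunter.log and are not from any real host.

```shell
#!/bin/sh
# Constructed sample of rkhunter log lines (layout approximated from
# /var/log/rkhunter.log; the paths and hashes are invented for the example).
SAMPLE_LOG='[03:30:01] Info: Starting the file properties checks
[03:30:02] Warning: The file properties have changed:
[03:30:02]          File: /usr/bin/ssh
[03:30:02]          Current hash: 0000000000000000000000000000000000000000
[03:30:02]          Stored hash : 1111111111111111111111111111111111111111
[03:30:03] Warning: Hidden directory found: /etc/.hidden-example
[03:30:03] Info: End of file properties checks
[03:30:04] Warning: Suspicious file types found in /dev:
[03:30:04]          /dev/shm/example: ELF 64-bit LSB executable
[03:30:05] Info: End of rootkit checks'

# Count the Warning: lines; the indented detail lines under each warning
# do not carry the keyword, so they are not double counted.
count_warnings() {
    printf '%s\n' "$1" | grep -c 'Warning:'
}

# Print each warning with its timestamp prefix stripped, one per line.
warning_lines() {
    printf '%s\n' "$1" | sed -n 's/^\[[0-9:]*\] Warning: //p'
}

# List the paths rkhunter reported under "file properties have changed";
# these are the candidates to verify against the package manager before
# any re-baselining with --propupd.
changed_files() {
    printf '%s\n' "$1" | awk '
        /Warning: The file properties have changed/ { grab = 1; next }
        grab && /File:/ { sub(/.*File: */, ""); print; grab = 0 }'
}

# Mail a report only when at least one warning is present (exit 0 = mail it).
needs_mail() {
    [ "$(count_warnings "$1")" -gt 0 ]
}
```

Check each path from changed_files against the package database (for example rpm -Vf on the path) before treating a property change as benign.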
Scheduling automatic daily scans
Two common approaches: the distro package often supplies cron scripts; you can also create a systemd timer for more control.
Use the packaged cron scripts (easy)
If installed from EPEL, rkhunter often installs /etc/cron.daily/rkhunter and /etc/cron.weekly/rkhunter for updates and checks. Configure mail settings in /etc/sysconfig/rkhunter:
sudo grep -E 'MAIL|EMAIL' -n /etc/sysconfig/rkhunter || sudo vi /etc/sysconfig/rkhunter
# e.g. MAILTO="root@example.com"
Cron scripts will run under standard daily cron and send output to the configured MAILTO. (This is the common default on RHEL-style systems.)
Create a systemd service + timer (recommended for modern systems)
Create a service unit /etc/systemd/system/rkhunter-check.service:
[Unit]
Description=Run rkhunter scan
[Service]
Type=oneshot
ExecStart=/usr/bin/rkhunter --check --skip-keypresses --rwo
Nice=10
Create a timer /etc/systemd/system/rkhunter-check.timer to run daily at 03:30:
[Unit]
Description=Daily rkhunter scan
[Timer]
OnCalendar=*-*-* 03:30:00
Persistent=true
[Install]
WantedBy=timers.target
Enable and start:
sudo systemctl daemon-reload
sudo systemctl enable --now rkhunter-check.timer
sudo systemctl status rkhunter-check.timer
If you want updates to be pulled before each scan, add a small script wrapper (e.g., /usr/local/sbin/rkhunter-daily) that runs rkhunter --update then rkhunter --check, and point the service ExecStart at that script. Systemd timers have advantages over cron (better logging via journalctl, easier enable/disable).
Handling notifications (email)
- If using cron scripts, set MAILTO in /etc/sysconfig/rkhunter or /etc/default/rkhunter.
- If running a systemd wrapper script, pipe output to mailx or ssmtp:
/usr/bin/rkhunter --check --skip-keypresses --rwo | /usr/bin/mailx -s "rkhunter report on $(hostname)" security@example.com
Make sure an MTA or ssmtp/msmtp is configured to deliver mail.
Dealing with false positives (whitelisting)
Rkhunter will sometimes flag legitimate items (e.g., custom kernel modules, locally compiled binaries, files with unusual but expected permissions). Best practice:
- Inspect /var/log/rkhunter.log to confirm details.
- If safe, add entries to /etc/rkhunter.conf or the whitelist files:
ALLOWHIDDENFILE=/path/to/file
ALLOWHIDDENDIR=/path/to/dir
SCRIPTWHITELIST=/path/to/script
- If a file’s permission change is expected, update the baseline:
sudo rkhunter --propupd
Document all whitelist entries (why they were whitelisted and who approved) — don’t just accept them silently.
Common troubleshooting & tips
- Run as root — rkhunter needs root privileges to check system binaries and kernel modules.
- SELinux — AlmaLinux defaults to SELinux enforcing. rkhunter may show SELinux-related warnings. These are usually informational; inspect the log. If SELinux blocks execution, view audit.log (/var/log/audit/audit.log) and use audit2why/ausearch to investigate.
- Outdated data files — run rkhunter --update regularly; keep the package updated via dnf update rkhunter.
- Network access for updates — ensure your VPS can reach rkhunter mirrors (no restrictive egress firewall blocking HTTP/HTTPS to SourceForge/mirrors).
- Log rotation — ensure /var/log/rkhunter.log is rotated by logrotate; check /etc/logrotate.d/ for existing config.
- Version check — the upstream project site lists the latest recommended version; consider a source install if the distro package is old.
Example: small wrapper script (update → run → email)
Create /usr/local/sbin/rkhunter-daily:
#!/bin/bash
set -euo pipefail
LOG=/var/log/rkhunter-daily-$(date +%F).log
# rkhunter exits non-zero when --update applied an update or --check found
# warnings; "|| true" keeps set -e from aborting before the mail step runs.
/usr/bin/rkhunter --update >> "$LOG" 2>&1 || true
/usr/bin/rkhunter --check --skip-keypresses --rwo >> "$LOG" 2>&1 || true
# send mail only if warnings present ("Warning:" lines or the closing
# "One or more warnings have been found" summary)
if grep -qi 'warning' "$LOG" || grep -q 'Not found' "$LOG"; then
  /usr/bin/mailx -s "rkhunter alerts on $(hostname)" root@localhost < "$LOG"
fi
Make it executable:
sudo chmod 755 /usr/local/sbin/rkhunter-daily
Point the systemd service ExecStart= at /usr/local/sbin/rkhunter-daily.
Security best practices & operational guidance
- Run --propupd only after you’ve audited changes (i.e., don’t baseline an already-compromised host).
- Combine rkhunter with file integrity monitoring (AIDE/OSSEC) and centralized logging/alerting (ELK, Splunk, or a SIEM).
- Keep the OS and rkhunter up to date via dnf upgrade.
- Investigate any unusual warnings promptly — rkhunter is an indicator, not definitive proof.
Useful commands cheat-sheet
# install (EPEL)
sudo dnf install -y epel-release
sudo dnf install -y rkhunter
# update signatures
sudo rkhunter --update
# build baseline (when system is known-good)
sudo rkhunter --propupd
# manual scan
sudo rkhunter --check --skip-keypresses --rwo
# check logs
sudo less /var/log/rkhunter.log
# get version
rkhunter --version
Conclusion
You now know how to install and run Rootkit Hunter on AlmaLinux VPS.