
This article is a guide to installing and running Rootkit Hunter on an AlmaLinux VPS.
What is Rootkit Hunter?
Rootkit Hunter (often abbreviated rkhunter) is a free, open-source security tool for Unix/Linux systems. It’s designed to detect rootkits, backdoors, and local exploits by scanning the system for known signatures, suspicious file changes, and abnormal behaviors.
Here’s a breakdown:
🔍 What It Does
- Rootkit detection: Looks for signatures of known rootkits (collections of malicious tools that let attackers maintain privileged access while hiding their presence).
- File integrity checks: Compares system binaries against a baseline (hashes, permissions, timestamps) to detect tampering.
- Suspicious file/directory detection: Flags hidden files, unusual directories, or unexpected entries in /dev, /tmp, etc.
- Kernel module checks: Scans for suspicious or unexpected loaded kernel modules.
- Configuration checks: Warns if file permissions or system settings deviate from security best practices.
🛠️ How It Works
- Maintains a database of known-good file properties (created with --propupd) and compares against it on subsequent scans.
- Uses pattern matching and heuristics to flag items commonly associated with rootkits.
- Runs manually (rkhunter --check) or automatically (via cron or systemd timers).
- Generates logs and can send email alerts if warnings are found.
⚠️ Important Notes
- It’s not an antivirus — it doesn’t remove threats automatically.
- Some alerts may be false positives (e.g., custom binaries, kernel modules), so results need to be reviewed by an administrator.
- Best used as part of a layered defense strategy alongside intrusion detection systems (IDS), log monitoring, patch management, and firewalling.
👉 In short: Rootkit Hunter is a host-based intrusion detection scanner that helps sysadmins spot early signs of compromise by monitoring for rootkits and related security anomalies.
How to Install and Run Rootkit Hunter on AlmaLinux VPS
Tested approach: AlmaLinux 8/AlmaLinux 9 (RHEL-compatible). Commands assume you have a root shell (or sudo where shown). If you’re on a minimal system, ensure dnf and networking are available.
Quick summary / what this does
rkhunter (Rootkit Hunter) scans for rootkits, backdoors, local exploits and suspicious file/permission changes by checking file hashes, known signatures and common indicators. It’s a host-based scanner and complements other security controls.
Install via EPEL (recommended, easiest)
- Enable EPEL and update package metadata:
sudo dnf install -y epel-release
sudo dnf makecache
- Install rkhunter:
sudo dnf install -y rkhunter
- Verify installation:
rkhunter --version
Notes:
- On RHEL derivatives (AlmaLinux/Rocky) rkhunter is provided via EPEL; this is the simplest and recommended route.
Alternate: install from source (if you need latest upstream)
If your distro package is old or not available, download the release tarball, check it against the checksum published for that release on the project site, and only then run the installer:
cd /usr/local/src
sudo wget https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
sudo tar xzf rkhunter-1.4.6.tar.gz
cd rkhunter-1.4.6
sudo ./installer.sh --layout default --install
The default layout installs under /usr/local, so confirm with:
/usr/local/bin/rkhunter --version
(Replace version numbers with the current upstream release found on the project site. A source install is not tracked by dnf, so you have to update it by hand.)
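The download-then-verify step above, as an added example written for this page (not the project's installer or documentation): a bash function that compares a file's full SHA-256 against the published digest and refuses to unpack or install on a mismatch. The digest argument and the SourceForge URL layout are placeholders; copy the real digest for your version from the project's download page.

```shell
#!/bin/bash
# Added example (not part of the page or of rkhunter): verify a downloaded
# tarball against the SHA-256 published for the release before unpacking or
# running installer.sh. The digest you pass and the URL layout are placeholders;
# take the real digest from the project's download page for the version you use.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the full digest matches, 1 otherwise
verify_sha256() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # digests compare case-insensitively
    [ -r "$file" ] || { echo "verify_sha256: cannot read $file" >&2; return 1; }
    # reject short or partial digests: a prefix match is not a match
    [ "${#expected}" -eq 64 ] || { echo "verify_sha256: expected digest is not 64 hex chars" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# install_from_source VERSION EXPECTED_HEX: download, verify, and only then unpack
# and install. Mirrors the manual steps in the text and aborts before tar or
# installer.sh run if the digest does not match. Run as root.
install_from_source() {
    local ver="$1" digest="$2" tgz="rkhunter-$1.tar.gz"
    local url="https://downloads.sourceforge.net/project/rkhunter/rkhunter/$ver/$tgz"
    cd /usr/local/src || return 1
    wget -q -O "$tgz" "$url" || { echo "download of $url failed" >&2; return 1; }
    if ! verify_sha256 "$tgz" "$digest"; then
        echo "checksum mismatch for $tgz: refusing to install" >&2
        rm -f "$tgz"
        return 1
    fi
    tar xzf "$tgz" && cd "rkhunter-$ver" && ./installer.sh --layout default --install
}

# Usage (as root), with the digest copied from the release page:
#   install_from_source 1.4.6 <sha256-from-project-site>
```

The length check matters: comparing only a prefix, or a digest pasted with a trailing character missing, would pass a file that does not match the published release.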
Initial configuration and database update
- Update the rkhunter data files (signatures & props database):
sudo rkhunter --update
- Create the properties database (baseline) — do this when the system is known-good:
sudo rkhunter --propupd
--propupd records the current file properties (hashes/permissions) so future scans can detect changes.
- Examine main config file:
sudo cp /etc/rkhunter.conf /etc/rkhunter.conf.orig
sudo vi /etc/rkhunter.conf
Common options to check/edit (the comments in the file explain each option):
- MAIL-ON-WARNING: address to receive alerts
- LOGFILE=/var/log/rkhunter.log (default)
- ALLOWHIDDENDIR / ALLOWHIDDENFILE: whitelist known hidden items
- SCRIPTWHITELIST: commands that are legitimately shell scripts
- PKGMGR: set to RPM on AlmaLinux so that file properties are checked against the package database rather than only the stored baseline
After editing, run rkhunter with --config-check (-C) to validate the file before relying on it.
On some packages you may also use /etc/sysconfig/rkhunter (or /etc/default/rkhunter) to set MAILTO for cron/packaged scripts.
Run a manual scan (first check)
Run a scan (output on the console and in the log file):
sudo rkhunter --check --sk --rwo
Flags:
--check: run the checks
--sk: short for --skip-keypress; don’t pause for a keypress after each test (needed for automation)
--rwo: report warnings only (reduces noise)
rkhunter exits with a non-zero status when it found warnings, which scripts and systemd units can use as the signal. After the run, inspect /var/log/rkhunter.log for details:
sudo less /var/log/rkhunter.log
Scheduling automatic daily scans
Two common approaches: the distro package often supplies cron scripts; you can also create a systemd timer for more control.
Use the packaged cron scripts (easy)
If installed from EPEL, rkhunter often installs /etc/cron.daily/rkhunter and /etc/cron.weekly/rkhunter for updates and checks (list what your package version actually ships with rpm -ql rkhunter | grep cron). Configure mail settings in /etc/sysconfig/rkhunter:
sudo grep -E 'MAIL|EMAIL' -n /etc/sysconfig/rkhunter || sudo vi /etc/sysconfig/rkhunter
# e.g. MAILTO="root@example.com"
The cron scripts run under standard daily cron and send output to the configured MAILTO. (This is the common default on RHEL-style systems.)
Create a systemd service + timer (recommended for modern systems)
Create a service unit /etc/systemd/system/rkhunter-check.service:
[Unit]
Description=Run rkhunter scan
[Service]
Type=oneshot
ExecStart=/usr/bin/rkhunter --check --sk --rwo
Nice=10
Create a timer /etc/systemd/system/rkhunter-check.timer to run daily at 03:30:
[Unit]
Description=Daily rkhunter scan
[Timer]
OnCalendar=*-*-* 03:30:00
Persistent=true
[Install]
WantedBy=timers.target
Enable and start:
sudo systemctl daemon-reload
sudo systemctl enable --now rkhunter-check.timer
sudo systemctl status rkhunter-check.timer
Because rkhunter exits non-zero when it finds warnings, the service shows as failed after such a run; that is the signal you want, and systemctl status rkhunter-check.service or journalctl -u rkhunter-check.service shows the output. If you want updates to be pulled before each scan, add a small script wrapper (e.g., /usr/local/sbin/rkhunter-daily) that runs rkhunter --update then rkhunter --check and point the service ExecStart at that script. Systemd timers have advantages over cron (better logging via journalctl, easier enable/disable).
Handling notifications (email)
- If using cron scripts, set MAILTO in /etc/sysconfig/rkhunter or /etc/default/rkhunter.
- If running a systemd wrapper script, pipe the output to mailx (package mailx on AlmaLinux 8, s-nail on AlmaLinux 9) or hand it to ssmtp/msmtp:
/usr/bin/rkhunter --check --sk --rwo | /usr/bin/mailx -s "rkhunter report on $(hostname)" security@example.com
Make sure an MTA (e.g. postfix) or a relay client such as ssmtp/msmtp is configured to deliver mail, and send the report to a mailbox someone reads; a report that only lands in root’s local spool on the VPS is not an alert.
Dealing with false positives (whitelisting)
Rkhunter will sometimes flag legitimate items (e.g., custom kernel modules, locally compiled binaries, unusual permission but expected files). Best practice:
- Inspect /var/log/rkhunter.log to confirm details (for packaged files, rpm -V on the owning package tells you whether the RPM database also sees the file as changed).
- If safe, add entries to /etc/rkhunter.conf or the whitelist files:
ALLOWHIDDENFILE=/path/to/file
ALLOWHIDDENDIR=/path/to/dir
SCRIPTWHITELIST=/path/to/script
and validate the edited configuration with rkhunter --config-check (-C).
- If a file’s property change is expected (e.g. a dnf update replaced the binary), update the baseline for that file only rather than for the whole system:
sudo rkhunter --propupd /path/to/file
(a bare sudo rkhunter --propupd re-baselines every file, including any you have not yet reviewed).
Document all whitelist entries (why they were whitelisted and who approved) — don’t just accept them silently.
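The review step above, as an added example written for this page (not rkhunter's code): a bash script that reads an rkhunter log, counts the warnings, and drafts candidate whitelist lines for a human to approve, reject and document. It writes nothing to /etc/rkhunter.conf. The sample log is constructed for the example in the shape rkhunter writes warnings (hidden file/directory, command replaced by a script, file properties changed); exact wording can differ between versions, so adjust the patterns if your log looks different.

```shell
#!/bin/bash
# Added example (not rkhunter's code): triage the warnings in an rkhunter log and
# draft whitelist lines for review. Nothing is written to /etc/rkhunter.conf; the
# output is a list for a human to approve, reject and document. The sample log
# below is constructed for this example in the shape rkhunter writes warnings;
# exact wording can differ between versions, so adjust the patterns if needed.

# Constructed sample of what --check --rwo leaves in /var/log/rkhunter.log
sample_log() {
cat <<'EOF'
[03:30:01] Info: Starting test name 'filesystem'
[03:30:02] Warning: Hidden directory found: /dev/.udev
[03:30:02] Warning: Hidden file found: /etc/.pwd.lock: empty
[03:30:03] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[03:30:04] Warning: The file properties have changed:
[03:30:04]          File: /usr/bin/curl
[03:30:04]          Current hash: 7d5e0c3a (truncated, constructed)
[03:30:04]          Stored hash : 1a2b9f44 (truncated, constructed)
[03:30:05] Info: End of test
EOF
}

# count_warnings LOGFILE -> number of Warning lines
count_warnings() {
    [ -r "$1" ] || return 1
    grep -c '^\[[0-9:]*\] Warning:' "$1" || true
}

# suggest_whitelist LOGFILE -> one candidate rkhunter.conf line per warning that
# has a whitelist knob, and a review note for property changes (those need a
# decision: rpm -V the package, then --propupd the single file if legitimate).
suggest_whitelist() {
    [ -r "$1" ] || return 1
    awk -v q="'" '
        /Warning: Hidden directory found: / {
            sub(/.*Hidden directory found: /, ""); sub(/:.*/, "")
            print "ALLOWHIDDENDIR=" $0; next
        }
        /Warning: Hidden file found: / {
            sub(/.*Hidden file found: /, ""); sub(/:.*/, "")
            print "ALLOWHIDDENFILE=" $0; next
        }
        /Warning: The command .* has been replaced by a script: / {
            split($0, part, q)          # the command path sits between the quotes
            print "SCRIPTWHITELIST=" part[2]; next
        }
        /^\[[0-9:]+\] +File: / {
            sub(/.*File: /, "")
            print "# REVIEW " $0 ": properties changed; run rpm -V, then rkhunter --propupd " $0 " only if legitimate"
        }
    ' "$1"
}

# Stand-alone demo on the constructed sample; pass a real log path instead of
# "demo" to triage an actual scan (e.g. /var/log/rkhunter.log, as root).
if [ "${1:-}" = "demo" ]; then
    log=$(mktemp); sample_log > "$log"
    echo "warnings: $(count_warnings "$log")"
    suggest_whitelist "$log"
    rm -f "$log"
elif [ -n "${1:-}" ]; then
    echo "warnings: $(count_warnings "$1")"
    suggest_whitelist "$1"
fi
```

Property-change warnings deliberately get a review note rather than a config line: there is no whitelist for "the hash of /usr/bin/curl changed", only the decision to re-baseline that one file after you have confirmed the change came from a package update and not from an attacker.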
Common troubleshooting & tips
- Run as root — rkhunter needs root privileges to check system binaries and kernel modules.
- SELinux — AlmaLinux defaults to SELinux enforcing. rkhunter may show SELinux-related warnings. These are usually informational; inspect the log. If SELinux blocks execution, view audit.log (/var/log/audit/audit.log) and use ausearch / audit2why to investigate.
- Outdated data files — run rkhunter --update regularly; keep the package updated via dnf update rkhunter.
- Network access for updates — ensure your VPS can reach rkhunter mirrors (no restrictive egress firewall blocking HTTP/HTTPS to SourceForge/mirrors).
- Log rotation — ensure /var/log/rkhunter.log is rotated by logrotate; check /etc/logrotate.d/ for existing config.
- Version check — the upstream project site lists the latest recommended version; consider a source install if the distro package is old.
Example: small wrapper script (update → run → email)
Create /usr/local/sbin/rkhunter-daily:
#!/bin/bash
# update data files, run the check, and mail the log only when rkhunter reports warnings
set -uo pipefail
LOG=/var/log/rkhunter-daily-$(date +%F).log
# rkhunter uses non-zero exit codes as signals (--check exits non-zero when warnings
# were found; --update can exit non-zero for reasons other than failure, e.g. after
# new data files were downloaded), so do not let set -e abort the script on them
/usr/bin/rkhunter --update >> "$LOG" 2>&1 || echo "rkhunter --update exited $?" >> "$LOG"
rc=0
/usr/bin/rkhunter --check --sk --rwo >> "$LOG" 2>&1 || rc=$?
if [ "$rc" -ne 0 ]; then
    /usr/bin/mailx -s "rkhunter alerts on $(hostname)" root@localhost < "$LOG"
fi
exit "$rc"
Make it executable (root-owned and not writable by others, since a timer runs it as root):
sudo chmod 755 /usr/local/sbin/rkhunter-daily
Point the systemd service ExecStart= at /usr/local/sbin/rkhunter-daily; the script’s exit status then makes the service show as failed whenever warnings were found.
Security best practices & operational guidance
- Run --propupd only after you’ve audited changes (i.e., don’t baseline an already-compromised host).
- Combine rkhunter with file integrity monitoring (AIDE/OSSEC) and centralized logging/alerting (ELK, Splunk, or a SIEM).
- Keep the OS and rkhunter up to date via dnf upgrade.
- Investigate any unusual warnings promptly — rkhunter is an indicator, not definitive proof.
Useful commands cheat-sheet
# install (EPEL)
sudo dnf install -y epel-release
sudo dnf install -y rkhunter
# update signatures
sudo rkhunter --update
# build baseline (when system is known-good)
sudo rkhunter --propupd
# manual scan
sudo rkhunter --check --sk --rwo
# check logs
sudo less /var/log/rkhunter.log
# get version
rkhunter --version
Conclusion
You now know how to install, baseline, schedule and triage Rootkit Hunter on an AlmaLinux VPS.