rkhunter (Rootkit Hunter) scans Linux servers for rootkits, backdoors, and local exploits by checking for known malicious files, wrong file permissions, and hidden processes. This guide installs and configures rkhunter on Ubuntu 24.04 LTS.
Tested and valid on:
- Ubuntu 24.04 LTS
Prerequisites
- Ubuntu 24.04 LTS server
- A user with sudo privileges
Step 1 – Install rkhunter
Install from Ubuntu repositories:
sudo apt update
sudo apt install rkhunter -y
Step 2 – Update the Database
Update the rkhunter data files and download the latest checks:
sudo rkhunter --update
Step 3 – Initialise File Properties
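Build the baseline database of file properties (hashes and permissions) for system files. Run this only while the system is known to be clean, because later scans compare against this baseline: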
sudo rkhunter --propupd
Step 4 – Run a Rootkit Scan
Perform a full scan:
sudo rkhunter --check
Or skip interactive prompts:
sudo rkhunter --check --sk
Step 5 – View the Scan Log
Filter the detailed log for warnings and findings:
sudo grep -E 'Warning|Found' /var/log/rkhunter.log
Step 6 – Configure rkhunter
Edit the config to whitelist known false positives:
sudo nano /etc/rkhunter.conf
Add whitelisted files:
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/bin/ldd
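An added example, not part of the original guide or of rkhunter itself: a shell helper that pulls the distinct Warning: messages out of the log from Step 5 and lists the commands reported as replaced by a script, so each can be checked against its owning package before it gets a SCRIPTWHITELIST entry. The function names and the sample log lines are constructed for illustration, and the message wording they match is an assumption about the log format.

```shell
#!/bin/sh
# Added example: triage rkhunter warnings before whitelisting anything.
# Function names are hypothetical; the sample log below is constructed.

# Print each distinct "Warning:" message with the [HH:MM:SS] prefix removed.
rkh_warnings() {
    sed -n 's/^\[[0-9:]*] *\(Warning: .*\)$/\1/p' "$1" | sort -u
}

# Print the paths of commands reported as "replaced by a script".
# These are the usual SCRIPTWHITELIST candidates; verify each one first.
rkh_script_paths() {
    rkh_warnings "$1" |
        sed -n "s/^Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p"
}

# Constructed sample log, written to a temp file so the example runs offline.
rkh_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[10:15:01]   /usr/sbin/adduser                               [ Warning ]
[10:15:01] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script text executable
[10:15:02]   /usr/bin/ldd                                    [ Warning ]
[10:15:02] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[10:15:09]   Checking for hidden files and directories       [ Warning ]
[10:15:09] Warning: Hidden file found: /etc/.example-constructed: ASCII text
[10:15:20] Info: End of constructed sample
EOF
    echo "$f"
}

main() {
    # Use the log path given as $1, or fall back to the constructed sample.
    log=${1:-$(rkh_sample_log)}
    echo "Distinct warnings: $(rkh_warnings "$log" | wc -l)"
    for p in $(rkh_script_paths "$log"); do
        # dpkg -S names the owning package; left as "unknown" if dpkg is absent.
        owner=$(dpkg -S "$p" 2>/dev/null | cut -d: -f1) || true
        echo "review: $p (package: ${owner:-unknown})"
    done
}
main "$@"
```

Run it as root against the real log by passing /var/log/rkhunter.log as the first argument. A path that no package owns is not a whitelist candidate.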
Step 7 – Schedule Daily Scans
Enable the rkhunter daily cron job:
sudo nano /etc/default/rkhunter
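Set the following. Note that APT_AUTOGEN=yes refreshes the file properties baseline automatically after package changes made through apt: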
CRON_DAILY_RUN=yes
CRON_DB_UPDATE=yes
APT_AUTOGEN=yes
Conclusion
rkhunter is now configured to scan your Ubuntu 24.04 LTS server for rootkits and backdoors. Run it after any system compromise or privilege escalation event. Combine with chkrootkit for additional coverage.