Install

To install rkhunter run:

sudo apt-get install rkhunter

Choose no mail server when prompted.

Configure

  1. Check for database updates with:
sudo rkhunter --update
  1. Run a full scan with:
sudo rkhunter -c
  1. Add the following to the rkhunter.conf file to ignore known issues:
    1. ALLOWDEVFILE=“/dev/.udev/rules.d/root.rules”
    2. ALLOWHIDDENDIR=“/dev/.udev”
    3. ALLOWHIDDENFILE=“/dev/.blkid.tab”
    4. ALLOWHIDDENFILE=“/dev/.blkid.tab.old”
    5. ALLOWHIDDENFILE=“/dev/.initramfs”
    6. SCRIPTWHITELIST=“/usr/bin/unhide.rb”
  2. Check the RKHunter configuration updates just made with:
sudo rkhunter -C
  1. Remove ssh configuration issues by disabling root login and password login by editing /etc/ssh/sshd_config and updating the following:
    1. PermitRootLogin no
    2. PasswordAuthentication
  2. Run a full scan to ensure there are no other errors:
sudo rkhunter -c
  1. Once there are no errors, update the RKHunter data file:
sudo rkhunter --propupd

Maintain

If your system is infected with rootkits or if you install any new packages you could get RKHunter errors. You can fix them as follows:

  1. Rescan the system
sudo rkhunter -c
  1. Fix any errors
  2. Update the data file
sudo rkhunter --propupd

Other useful commands

  1. To check for a new version:
sudo rkhunter --versioncheck
  1. To run without manual intervention, remove colour codes and only output warnings:
sudo rkhunter --cronjob --rwo

Additional Dependencies

  1. Install Unhide to find hidden processes and ports:
sudo apt-get install unhide

  1. Install Skdet for additional Suckit Rookit checks.

  2. Tripwire - It is recommended that Tripwire be installed as a standalone package and not run through RKHUnter.

  1. RKHunter Wiki
  2. How to use RKHunter to Guard Against Rootkits on an Ubuntu Vps
  3. Ubuntu RKHunter
  4. Reconfigure RKHunter to Avoid False Positive Warninngs on Debian 5.0