
How to detect rootkits with rkhunter in Ubuntu/CentOS

Installing rkhunter on Ubuntu

We now turn our attention to a specific rootkit detection tool, rkhunter. This package is part of the standard Ubuntu repositories and is easy to install:

$ sudo apt install -y rkhunter

With the installation complete we need to focus on the configuration. This can be found in the file /etc/rkhunter.conf. Ubuntu has changed some settings from the defaults, and these changes cause some issues. There are 3 changes that we should make to ensure scans can complete.

Ensure the following settings are in place:

UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""

We will also enable the scan and updates with cron by editing the file /etc/default/rkhunter:

CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"

The last setting allows the update to run after an apt update. The rkhunter tool needs to be executed as the root user, so we use sudo. First we check that we have the latest rootkit definitions, or signatures:

$ sudo rkhunter --update

Next we update the file properties. These are used for the checks against sensitive binaries or programs. The file properties are retrieved from the repositories and not from local data, minimizing the risk of compromising the reference check.

$ sudo rkhunter --propupd

We can also check that the version we are using is up to date:

$ sudo rkhunter --versioncheck

We are now ready to run the check against our system:

$ sudo rkhunter --check

After each group of checks the summary for that group is displayed and the run pauses. To proceed without these breaks, use the --sk option as well.

We can see the output on the screen but it is also written to the log /var/log/rkhunter.log.

The check warns that root access by SSH is possible. We can and should disallow this in the file /etc/ssh/sshd_config:

PermitRootLogin=no

With the setting made we can restart sshd:

$ sudo systemctl restart sshd

Re-running the rkhunter check should now report that SSH is secured. Securing sshd is important regardless of your concern with rootkits: the root user should not be able to log in via SSH. Log in with a non-privileged account instead, and then make use of sudo once access has been gained.

Installing rkhunter on CentOS 7

We will now look at using rkhunter on CentOS 7 in a little more detail.

In CentOS 7 rkhunter is found in the EPEL repository, so we must make sure that this is available first:

$ sudo yum install -y epel-release

The install is then straightforward using yum, and we update in the same way as on Ubuntu:

$ sudo yum install rkhunter
$ sudo rkhunter --update
$ sudo rkhunter --propupd

We may also want to manually copy the /etc/passwd and /etc/group files to /var/lib/rkhunter. I generally do not, as they are copied in the first scan. The Ubuntu install makes copies of these files for you.

If we don't, the first scan will warn that the group file and passwd file could have changed.

$ sudo rkhunter --check --sk
...
Performing group and account checks
    Checking for passwd file                          [ Found ]
    Checking for root equivalent (UID 0) accounts     [ None found ]
    Checking for passwordless accounts                [ None found ]
    Checking for passwd file changes                  [ Warning ]
    Checking for group file changes                   [ Warning ]
    Checking root account shell history files         [ OK ]

Further details can be found in the log file /var/log/rkhunter/rkhunter.log. Note that with rkhunter on CentOS 7 we have the extra rkhunter log directory. As this is the first scan, though, we know that the reference files did not exist. They will exist now, and on a second run the warning will not show. Of course, adding a new user will trigger the warning again, but it will also update the reference files, /var/lib/rkhunter/passwd and /var/lib/rkhunter/group. Each check updates the references.

By default the CentOS install does not check root access in SSH. We should enable this by editing /etc/rkhunter.conf. Look for the line:

ALLOW_SSH_ROOT_USER=unset

Change the line to read:

ALLOW_SSH_ROOT_USER=no

The file /etc/ssh/sshd_config can be configured with:

PermitRootLogin=no

Once set, restart the sshd service with:

$ sudo systemctl restart sshd

Running the rkhunter check now will report SSH root login as secured. On CentOS the execution of rkhunter is enabled with cron by default.
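The configuration edits above (the three Ubuntu settings and the CentOS ALLOW_SSH_ROOT_USER change) and the first-scan warning output are easy to automate. The script below is an added example, not code from the post or from the rkhunter project: it idempotently sets KEY=VALUE lines in a constructed copy of rkhunter.conf, and pulls the names of checks that ended in [ Warning ] out of captured check output, which is what a cron job would want to alert on.

```shell
# Added example (not from the original post): idempotently set KEY=VALUE in an
# rkhunter.conf-style file, then list the checks that ended in [ Warning ].
# Paths here are constructed; the real file is /etc/rkhunter.conf.
# set_conf_key FILE KEY VALUE: rewrite an existing "KEY=..." line (even one that
# is commented out or reads KEY=unset) or append it. Safe to run repeatedly.
set_conf_key() {
    if grep -q "^#\{0,1\}[[:space:]]*$2=" "$1"; then
        sed "s|^#\{0,1\}[[:space:]]*$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}
# get_conf_key FILE KEY: print the effective (last uncommented) value of KEY.
get_conf_key() { sed -n "s|^$2=||p" "$1" | tail -n 1; }

# warnings_in FILE: name of every check that reported [ Warning ] in captured
# "rkhunter --check --sk --nocolors" output; count_warnings suits a cron job.
warnings_in() {
    sed -n 's/^[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\[ Warning \]$/\1/p' "$1"
}
count_warnings() { warnings_in "$1" | wc -l | tr -d ' '; }

work=$(mktemp -d)
conf="$work/rkhunter.conf"
log="$work/check-output.txt"
# Constructed stand-in for the distribution's rkhunter.conf before our edits.
cat > "$conf" <<'EOF'
UPDATE_MIRRORS=0
MIRRORS_MODE=1
WEB_CMD="/bin/false"
ALLOW_SSH_ROOT_USER=unset
EOF
# The three Ubuntu settings plus the CentOS SSH check, applied twice to show
# that a second run changes nothing (no duplicated lines).
for pass in 1 2; do
    set_conf_key "$conf" UPDATE_MIRRORS 1
    set_conf_key "$conf" MIRRORS_MODE 0
    set_conf_key "$conf" WEB_CMD '""'
    set_conf_key "$conf" ALLOW_SSH_ROOT_USER no
done
# Constructed check output, taken from the first-scan example in the post.
cat > "$log" <<'EOF'
Performing group and account checks
    Checking for passwd file changes                  [ Warning ]
    Checking for group file changes                   [ Warning ]
    Checking root account shell history files         [ OK ]
EOF
echo "warnings: $(count_warnings "$log")"   # prints 2
warnings_in "$log"
```

Values containing sed-special characters such as & or | would need escaping before being passed to set_conf_key; the settings used here do not.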

Published in LinuxSecurity