Rkhunter is a tool that scans for rootkits, backdoors, and other security issues on Linux systems. It does this by examining your files and comparing the hashes against known values of trusted software and malware. In this tutorial, we will install and set up rkhunter on a Debian 10 Vultr instance.
Install rkhunter with apt.
$ sudo apt install rkhunter -y
Rkhunter uses data files to store information on possible threats. Unfortunately, the default configuration of Debian does not allow us to update these files. We will adjust the settings to correct this issue.
Edit the /etc/rkhunter.conf file with nano.
$ sudo nano /etc/rkhunter.conf
Type CTRL+W to search for WEB_CMD="/bin/false".
# comment at the beginning of the line to disable the statement.
Type CTRL+W to search for UPDATE_MIRRORS.
Set UPDATE_MIRRORS value to 1.
Type CTRL+W to search for MIRRORS_MODE.
Set MIRRORS_MODE value to 0.
(Optional) Enable email notifications.
Type CTRL+W to search for MAIL-ON-WARNING.
# comment at the beginning of the line and assign an email address.
Save and exit the file.
Make sure your configuration file is valid with the following command:
$ sudo rkhunter -C
If there is no output, your configuration file is valid.
Update the rkhunter data files.
$ sudo rkhunter --update
To check the local system, use the check parameter.
$ sudo rkhunter --check
When finished, inspect /var/log/rkhunter.log for warnings and alerts.