rkhunter (Rootkit Hunter) is an open-source security tool for Linux that scans your server for rootkits, backdoors, and signs of local compromise. This guide covers installing and running rkhunter on a Host Media VPS or dedicated server.
VPS and dedicated server customers only. rkhunter requires root SSH access and is not applicable to shared or reseller hosting accounts.
Installing rkhunter
Install rkhunter via your server's package manager — this is the simplest and most reliable approach, and keeps rkhunter updated automatically alongside your other system packages.
Ubuntu / Debian:
sudo apt update && sudo apt install rkhunter -y
AlmaLinux / Rocky Linux / CentOS:
sudo dnf install epel-release -y
sudo dnf install rkhunter -y
Once installed, check the version to confirm it completed successfully:
rkhunter --version
Running your first scan
Before running a scan for the first time, update rkhunter's data files and take a baseline snapshot of the properties (hashes, permissions, ownership, timestamps) of the system files it monitors. Future scans compare against this known-good state:
sudo rkhunter --update
sudo rkhunter --propupd
On Debian and Ubuntu the packaged build ships its data files with the package and disables --update (the package's rkhunter.conf sets WEB_CMD to /bin/false), so that command reports an invalid WEB_CMD configuration instead of downloading anything; apt upgrade keeps the data files current there.
Important: Run --propupd only on a server you are confident is clean. It records the current properties of your system files as the baseline that future scans compare against. If you run it on a compromised server, the tampered files are recorded as trusted and later scans will not flag them.
Now run a full scan:
sudo rkhunter --check
rkhunter will scan your system and display results as it goes. At the end it produces a summary showing any warnings or failures found. Press Enter to step through each section of the scan.
Running a non-interactive scan
For automated or scheduled scans where you do not want rkhunter to pause for input, use the --skip-keypress flag:
sudo rkhunter --check --skip-keypress
To suppress all output, warnings included, and only write results to the log (useful for cron jobs, where the exit status is what you check: rkhunter exits 0 when no warnings were found and 1 when at least one was):
sudo rkhunter --check --skip-keypress --quiet
Viewing the scan log
rkhunter writes the full results of each scan to a log file, including details that are not shown on screen. The file is overwritten by each run unless you pass --append-log, so review (or copy) it before the next scan:
sudo cat /var/log/rkhunter.log
To filter for warnings only:
sudo grep -i warning /var/log/rkhunter.log
Scheduling automatic scans with cron
To run rkhunter automatically on a nightly schedule, add a cron job as root:
sudo crontab -e
Add the following line to run a scan at 3am every night and email you the results:
0 3 * * * out=$(/usr/bin/rkhunter --cronjob --report-warnings-only --append-log 2>&1); [ -n "$out" ] && printf '%s\n' "$out" | mail -s "rkhunter scan: $(hostname)" [email protected]
Replace [email protected] with your email address. --cronjob is shorthand for --check --skip-keypress --nocolors, and --report-warnings-only prints only the warning lines, so the output is empty on a clean scan and the [ -n "$out" ] test means no email is sent; do not add --quiet here, because it suppresses the warnings as well and the email would always be empty.
Understanding rkhunter warnings
Not all rkhunter warnings indicate a real problem. Some are common false positives, particularly on newly configured servers or after system updates.
| Warning type | Likely cause | Action |
|---|---|---|
| File properties have changed | A package update changed a system binary | Run rkhunter --propupd after confirming the update is legitimate |
| Suspicious string found in binary | Often a false positive on standard tools | Cross-reference the file with your package manager: rpm -Vf /path/to/file on AlmaLinux/Rocky/CentOS; on Debian/Ubuntu find the owning package with dpkg -S /path/to/file, then run dpkg --verify on that package |
| Hidden directory found | Can be legitimate (e.g. .ssh, .gnupg) or suspicious | Investigate the directory contents manually |
| Network interface in promiscuous mode | Can indicate a packet sniffer, but also some VPN or monitoring tools | Confirm the flag with ip link show (PROMISC appears in the interface flags), then look for capture tools such as tcpdump in ps aux |
If you see warnings that you cannot explain or that persist after investigation, contact our support team with the output of your rkhunter log and we can help assess whether there is a genuine concern.
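The following wrapper, added here as an example (it is not part of rkhunter or of this guide's commands), ties the scheduled-scan section and the table together: it runs rkhunter non-interactively, mails a report only when the exit status is non-zero, sorts each warning line into one of the table's categories, and checks every file named by a "file properties have changed" warning against the package manager before you decide on --propupd. The install path in RKHUNTER, the MAILTO recipient and the sample scan output are assumptions made for illustration; the sample is constructed in the shape of rkhunter's --report-warnings-only output so the functions can be exercised without a real scan.

```shell
#!/bin/sh
# Added example: triage wrapper for a scheduled rkhunter run. Not rkhunter's
# own code. RKHUNTER, MAILTO and SAMPLE_OUTPUT are assumptions for illustration.
set -u

RKHUNTER=${RKHUNTER:-/usr/bin/rkhunter}   # assumed path of the rkhunter binary
MAILTO=${MAILTO:-root}                     # assumed report recipient

# Constructed sample of what "rkhunter --cronjob --report-warnings-only" prints,
# used so the functions below can be tried without running a scan.
SAMPLE_OUTPUT='Warning: The file properties have changed:
         File: /usr/bin/ssh
         Current hash: 1111111111111111111111111111111111111111111111111111111111111111
         Stored hash : 2222222222222222222222222222222222222222222222222222222222222222
Warning: Hidden directory found: /root/.gnupg
Warning: Suspicious string found in binary: /usr/bin/grep
Warning: Network interface eth0 is in promiscuous mode'

# Number of warnings in captured scan output. grep -c exits 1 on zero matches,
# so the || true keeps the count usable under set -e.
count_warnings() {
    printf '%s\n' "$1" | grep -c '^Warning:' || true
}

# One category per warning line, following the rows of the table above.
# Continuation lines (File:, hashes) carry no "Warning:" prefix and are skipped.
classify() {
    printf '%s\n' "$1" | awk '
        /^Warning: The file properties have changed/ { print "file-properties"; next }
        /^Warning: Suspicious string/                { print "suspicious-string"; next }
        /^Warning: Hidden (directory|file)/          { print "hidden-path"; next }
        /^Warning: .*promiscuous/                    { print "promisc"; next }
        /^Warning:/                                  { print "other" }'
}

# Paths named by "file properties have changed" warnings (the File: line
# that follows each such warning).
changed_files() {
    printf '%s\n' "$1" | awk '
        /^Warning: The file properties have changed/ { grab = 1; next }
        grab && /^[[:space:]]*File: /                { print $2; grab = 0 }'
}

# Ask the package manager whether a changed file still matches its package.
# Returns 0 when it verifies (a package update, so --propupd is reasonable),
# 1 when it does not verify or no package owns it.
verify_with_pkg() {
    f=$1
    if command -v dpkg >/dev/null 2>&1 && [ -r /var/lib/dpkg/status ]; then
        pkg=$(dpkg -S "$f" 2>/dev/null | cut -d: -f1 | head -n 1)
        [ -n "$pkg" ] || return 1
        failed=$(dpkg --verify "$pkg" 2>/dev/null || true)
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" >/dev/null 2>&1 || return 1
        failed=$(rpm -Vf "$f" 2>/dev/null || true)
    else
        return 1
    fi
    # Both tools list only the files that failed verification, one path per line.
    ! printf '%s\n' "$failed" | grep -q "[[:space:]]$f\$"
}

# Report body built from captured output and rkhunter's exit status.
report() {
    out=$1; rc=$2
    echo "rkhunter exit status: $rc, warnings: $(count_warnings "$out")"
    echo
    echo "By category:"
    classify "$out" | sort | uniq -c
    echo
    # Paths under /usr, /bin, /sbin and similar contain no spaces, so word
    # splitting of the list is acceptable here.
    for f in $(changed_files "$out"); do
        if verify_with_pkg "$f"; then
            echo "$f: matches its package, likely a package update; --propupd is reasonable"
        else
            echo "$f: does NOT match its package; investigate before running --propupd"
        fi
    done
    echo
    printf '%s\n' "$out"
}

# Real run (as root, from cron): rkhunter exits 0 on a clean scan and 1 when
# warnings were found, so mail goes out only for a non-zero status.
if [ "${1:-}" = "--run" ] && [ -x "$RKHUNTER" ]; then
    rc=0
    out=$("$RKHUNTER" --cronjob --report-warnings-only --append-log 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        report "$out" "$rc" | mail -s "rkhunter scan: $(hostname)" "$MAILTO"
    fi
    exit "$rc"
fi
```

Save it as /usr/local/sbin/rkhunter-report (or any path you prefer) and call it from root's crontab with the --run argument in place of the bare rkhunter line; without --run it only defines the functions, so you can source it in a shell and run classify or changed_files over a saved log while investigating.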
Keeping rkhunter up to date
Keep both rkhunter itself and its data files current. Run --update periodically, and run --propupd after any system update you have verified (for example a package upgrade that replaced system binaries), so that the next scan does not flag the new versions as changed:
sudo rkhunter --update
sudo rkhunter --propupd
If you installed via a package manager, rkhunter will be updated automatically when you run your regular system updates (apt upgrade or dnf upgrade).