How To Install rkhunter On Ubuntu

Updated on November 21, 2023
How To Install rkhunter On Ubuntu header image

Rkhunter is software that finds rootkits on a Linux server. Rootkits are installed by hackers so that they can always access the server. In this doc, you'll be able to see how you can prevent rootkits using rkhunter on Ubuntu.

Step 1: Installing prerequisites

We need to install a number of prerequisites to properly use rkhunter:

apt-get install binutils libreadline5 libruby ruby ruby ssl-cert unhide.rb mailutils

Once the install finishes, you can proceed to the next step.

Step 2: Installing rkhunter

We'll download rkhunter by using wget. If wget hasn't been installed on your system yet, execute:

apt-get install wget

Now download rkhunter:

wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz

Untar the download:

tar xzvf rkhunter*

Navigate to the rkhunter directory:

cd rkhunter*

Install rkhunter:

./installer.sh --layout /usr --install

The installation output should be similar to this:

Checking system for:
 Rootkit Hunter installer files: found
 A web file download command: wget found
Starting installation:
 Checking installation directory "/usr": it exists and is writable.
 Checking installation directories:
  Directory /usr/share/doc/rkhunter-1.4.2: creating: OK
  Directory /usr/share/man/man8: exists and is writable.
  Directory /etc: exists and is writable.
  Directory /usr/bin: exists and is writable.
  Directory /usr/lib: exists and is writable.
  Directory /var/lib: exists and is writable.
  Directory /usr/lib/rkhunter/scripts: creating: OK
  Directory /var/lib/rkhunter/db: creating: OK
  Directory /var/lib/rkhunter/tmp: creating: OK
  Directory /var/lib/rkhunter/db/i18n: creating: OK
  Directory /var/lib/rkhunter/db/signatures: creating: OK
 Installing check_modules.pl: OK
 Installing filehashsha.pl: OK
 Installing stat.pl: OK
 Installing readlink.sh: OK
 Installing backdoorports.dat: OK
 Installing mirrors.dat: OK
 Installing programs_bad.dat: OK
 Installing suspscan.dat: OK
 Installing rkhunter.8: OK
 Installing ACKNOWLEDGMENTS: OK
 Installing CHANGELOG: OK
 Installing FAQ: OK
 Installing LICENSE: OK
 Installing README: OK
 Installing language support files: OK
 Installing ClamAV signatures: OK
 Installing rkhunter: OK
 Installing rkhunter.conf: OK
Installation complete

Step 3: Using rkhunter

Data files keep information about possible threats.

Regularly updating your data files is necessary for an up-to-date system. You can update them using the rkhunter command:

rkhunter --update

This will output a list with data files that were updated and those that weren't updated:

[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

We are now ready to perform our first test. The test will look for known rootkits and generic security issues (such as root access over SSH) and log its findings. You will manually need to press "Enter" to continue after checks.

After the test, we can see errors and warnings:

cat /var/log/rkhunter.log

Step 4: Enabling email notifications

Rkhunter can be configured to send an email when a threat is found. To configure this feature, start by opening the rkhunter.conf file:

vi /etc/rkhunter.conf

Search for MAIL-ON-WARNING, then add an email address.

You can optionally scroll through the configuration for more options, however, by default, it should work fine. You can check your configuration file:

rkhunter -C

If there's no output, your configuration file is valid.