Rkhunter

Rkhunter — Old but Handy Rootkit Scanner

Why It Matters

Rootkits dig deep into Linux, hiding files, tweaking binaries, and loading shady kernel modules. Standard monitoring often misses them. Rkhunter has been around for years as a simple check-up tool. It doesn’t pretend to be a full-blown EDR — just a script that goes through the system looking for common traces of tampering. Admins still keep it in their bag of tricks for audits, quick sanity checks, or incident response when something feels off.

How It Works

Rkhunter is essentially a bash script with a collection of tests. Run it and it checks a set of system binaries against a baseline of file properties (hash, size, permissions, owner, timestamps) that you record with `rkhunter --propupd`, and, where a package manager is configured through PKGMGR in rkhunter.conf, against what the package database says those files should look like. It also looks for the file and directory names, strings and ports used by known rootkits, for hidden files and directories, for suspicious loaded kernel modules, for odd entries in startup scripts, and for a few risky settings such as root login over SSH. Before scanning, refresh the data files with `rkhunter --update`, otherwise the known-rootkit lists are stale. Take the `--propupd` baseline on a host you trust, ideally right after installation: a baseline recorded on an already-compromised box stores the tampered binaries as normal. The tool writes console warnings and a log. It will not say "infected" or "clean" with certainty; it points at suspicious bits, and the admin has to decide what is noise and what is real.

Technical Notes

Area          Notes
OS support    Linux and other Unix-like platforms
What it does  Rootkit detection, integrity checks on binaries
Looks at      File properties against a --propupd baseline, known rootkit files and ports, hidden files, kernel modules, init/startup scripts, a few risky settings
Output        Console messages + /var/log/rkhunter.log (optionally syslog via USE_SYSLOG)
Updates       Online data files (`rkhunter --update`)
License       GPL, open source

Deployment Notes

– Install from your distro repo or compile from source.
– Run `rkhunter --update` first to grab the latest data files.
– Run `rkhunter --propupd` once on a known-good host to record the file-property baseline, and again after each legitimate package upgrade; otherwise every upgraded binary shows up as changed.
– Then `rkhunter --check` for the actual scan (`--sk` skips the key presses between test groups).
– Review /var/log/rkhunter.log carefully; most results need context.
– Often tied into cron with `--cronjob --report-warnings-only` so it runs daily or weekly in the background and only the warnings get mailed.
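As an added example (not code from the original page or from the rkhunter project), here is the shape of the cron wrapper the notes above describe, plus a small parser that pulls the warning lines out of the log for review. The log path, the option set and the sample log lines are assumptions made for this example; the sample log is constructed, not captured from a real run.

```shell
#!/bin/sh
# Added example, not code from the page or the rkhunter project.
# Assumptions: the log path, the cron wrapper's option set and the
# sample log lines below are constructed for illustration.

RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"

# Non-interactive scan as cron would run it. --cronjob implies --check,
# --sk (no key presses) and --nocolors; --report-warnings-only keeps the
# console output to the warnings. A non-zero exit means warnings were
# raised, so cron mail or a wrapper can act on it.
run_scan() {
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter not installed" >&2; return 2; }
    # Refresh data files first; do not abort the scan if the mirror is unreachable.
    rkhunter --update --nocolors >/dev/null 2>&1 || true
    rkhunter --cronjob --report-warnings-only
}

# After a legitimate package upgrade, re-baseline file properties so the
# next --check does not flag every upgraded binary as changed.
rebaseline() {
    rkhunter --propupd
}

# Pull only the "Warning:" explanation lines out of a log, dropping the
# "[ Warning ]" status-column lines that merely repeat them.
warning_lines() {
    grep 'Warning:' "$1" || true
}

# Count warnings; prints 0 when there are none (grep -c alone would exit 1).
count_warnings() {
    warning_lines "$1" | grep -c '' || true
}

# Constructed sample of what /var/log/rkhunter.log looks like after a run.
write_sample_log() {
    cat > "$1" <<'EOF'
[15:02:10] Checking for prerequisites                         [ OK ]
[15:02:11]   /usr/bin/ls                                      [ Warning ]
[15:02:11] Warning: The file properties have changed:
[15:02:11]          File: /usr/bin/ls
[15:02:12] Checking for hidden files and directories           [ Warning ]
[15:02:12] Warning: Hidden directory found: /etc/.java
[15:02:13] Checking for passwd file changes                    [ None found ]
EOF
}

# Stand-alone use: sh this_script.sh demo   (or: run_scan && echo clean)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"
    echo "warnings in sample log: $(count_warnings "$tmp")"
    warning_lines "$tmp"
    rm -f "$tmp"
fi
```

The parser keys on the `Warning:` prefix rather than the `[ Warning ]` status column because rkhunter prints the status line once per test and the explanation line once per finding; counting the latter gives you the number of things to actually look at.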

Where It Fits

– Audits: quick host integrity check before compliance reviews.
– Incident response: first-pass tool when a box looks suspicious.
– Daily hygiene: routine scans on Linux servers, even if noisy.

Caveats

– Mostly signature- and heuristic-driven, so stealthy or custom rootkits may slip through.
– It runs on the host it is checking, with that host's shell and utilities; a kernel rootkit that hooks the syscalls rkhunter relies on can feed it clean answers.
– The property baseline is only as trustworthy as the host was when `--propupd` ran.
– High rate of false positives (package upgrades, hidden dotfiles under /dev or /etc, commands that are legitimately wrapper scripts); human review is unavoidable.
– Only detects, never cleans.
– Can be slow on big filesystems with lots of binaries.

Rkhunter audit logs and retention overview | Armosecure

What is Rkhunter?

Rkhunter (Rootkit Hunter) is a Linux and Unix security tool that scans a system for signs of rootkits, backdoors and local exploits. It is a command-line program that looks for known malicious files, tampered binaries, hidden files and risky settings. It detects and reports; it does not block or remove anything. Rkhunter is widely used in the Linux community because it is small, scriptable and easy to run.

Main Features of Rkhunter

Rkhunter has several key features that make it an essential tool for system administrators and security professionals. Some of its main features include:

  • Rootkit detection: Rkhunter can detect and identify various types of rootkits, including kernel-mode and user-mode rootkits.
  • File integrity checking: Rkhunter can check the integrity of system files and detect any unauthorized modifications.
  • System configuration analysis: Rkhunter can analyze system configuration files and detect any suspicious or malicious settings.

Installation Guide

Step 1: Download Rkhunter

To install Rkhunter, you can download it from the project website or install it from your distribution's repository (apt install rkhunter on Debian and Ubuntu; from EPEL on RHEL-family systems), which is the simpler route and also keeps it updated. Installing from the tarball goes like this (the version number in the download URL is missing from the original page; take it from the project's download page):

wget http://www.rootkit.nl/download/rkhunter-.tar.gz
tar -xvf rkhunter-.tar.gz
cd rkhunter-
./installer.sh --layout default --install

Step 2: Configure Rkhunter

After installation, configure Rkhunter for your system by editing its configuration file, normally /etc/rkhunter.conf. Put site-specific overrides in /etc/rkhunter.conf.local, which is read after the main file and survives package upgrades.

In these files you specify which tests run (DISABLE_TESTS), the package manager used to verify file properties (PKGMGR), whitelists for files rkhunter would otherwise flag (ALLOWHIDDENFILE, ALLOWHIDDENDIR, SCRIPTWHITELIST), and where results go (USE_SYSLOG, MAIL-ON-WARNING). After editing, run rkhunter -C (--config-check) to catch syntax errors before the next scan.

Technical Specifications

System Requirements

Rkhunter runs on most Linux distributions (Debian, Ubuntu, CentOS/RHEL and their derivatives) and on other Unix-like systems. It is a shell script, so there is no meaningful hardware requirement beyond what the host already runs: it needs bash and standard utilities (file, stat, find, and a hash utility such as md5sum, sha1sum or sha256sum, selected with HASH_FUNC) and, optionally, the distribution's package manager for file verification. A full scan is mostly disk I/O, so run time scales with the number of files on the box rather than with CPU or memory.

Pros and Cons

Pros

Rkhunter has several advantages that make it a popular choice among system administrators and security professionals. Some of the pros include:

  • Effective rootkit detection: Rkhunter is highly effective in detecting and identifying rootkits.
  • Easy to use: Rkhunter has a simple and intuitive command-line interface that makes it easy to use.
  • Customizable: Rkhunter can be customized to suit specific system needs.

Cons

While Rkhunter is a powerful tool, it also has some limitations. Some of the cons include:

  • False positives: Rkhunter can generate false positives, especially right after package upgrades, and each one takes time to investigate.
  • Disk-heavy scans: a full check reads every monitored binary and walks the filesystem for hidden files, which is slow on hosts with many files; schedule it off-peak.
  • Trusts the host: it runs with the host's own shell, utilities and kernel, so a kernel-level rootkit can hide from it.

FAQ

How to Reduce Alerts in Rkhunter?

To reduce alerts, whitelist the specific findings you have verified as benign rather than disabling whole tests. rkhunter.conf (or rkhunter.conf.local) has directives for the common cases: ALLOWHIDDENDIR and ALLOWHIDDENFILE for legitimate dotfiles under /dev or /etc, SCRIPTWHITELIST for commands that are genuinely shell or Perl scripts, and ALLOWDEVFILE for expected files under /dev. Set PKGMGR so file-property checks consult the package database, and run rkhunter --propupd after each legitimate package upgrade so changed binaries stop being reported. DISABLE_TESTS is the blunt instrument; use it only for tests that are structurally noisy on your platform, and verify the file with rkhunter -C after editing.
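As an added example (not code from the original page or from the rkhunter project), this script turns the warning lines from a scan log into the rkhunter.conf directive that whitelists exactly that finding, which is the triage step the answer above describes. The sample log lines are constructed; the message formats they imitate are the ones rkhunter prints for hidden files and directories and for commands replaced by scripts.

```shell
#!/bin/sh
# Added example, not code from the original page or the rkhunter project.
# Maps the common rkhunter warning lines to the rkhunter.conf directive that
# whitelists exactly that finding, so a reviewed false positive can be
# silenced without disabling a whole test. The sample log is constructed.

q="'"   # a literal single quote, used in the pattern expansions below

# Print the whitelist directive for one warning line, or a comment when
# the finding should be handled another way. Prints nothing for lines
# that are not warnings.
directive_for() {
    line=$1
    case $line in
        *"Hidden directory found: "*)
            echo "ALLOWHIDDENDIR=${line##*"Hidden directory found: "}" ;;
        *"Hidden file found: "*)
            # rkhunter appends ": <file(1) description>" after the path
            path=${line##*"Hidden file found: "}
            echo "ALLOWHIDDENFILE=${path%%": "*}" ;;
        *"has been replaced by a script: "*)
            # "The command '/usr/bin/X' has been replaced by a script: ..."
            cmd=${line#*"The command $q"}
            echo "SCRIPTWHITELIST=${cmd%%"$q"*}" ;;
        *"The file properties have changed"*)
            # Not a whitelist case: confirm with dpkg -V / rpm -V, then re-baseline
            echo "# file properties changed: verify with the package manager, then rkhunter --propupd" ;;
    esac
}

# Turn a whole log into a deduplicated list of directives to review.
whitelist_from_log() {
    grep 'Warning:' "$1" | while IFS= read -r l; do directive_for "$l"; done | sort -u
}

# Constructed sample of the warning lines rkhunter writes.
write_sample_log() {
    cat > "$1" <<'EOF'
[15:02:11] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[15:02:12] Warning: Hidden directory found: /etc/.java
[15:02:12] Warning: Hidden file found: /dev/.udev: directory
[15:02:12] Warning: Hidden directory found: /etc/.java
[15:02:13] Warning: The file properties have changed:
[15:02:13]          File: /usr/bin/ls
EOF
}

# Stand-alone use: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"
    echo "# review each line, then append the ones you accept to /etc/rkhunter.conf.local"
    whitelist_from_log "$tmp"
    rm -f "$tmp"
fi
```

The output is meant to be read, not appended blindly: a hidden directory under /etc is usually a Java or udev artefact, but the same warning is exactly what a rootkit's dropped directory produces, so check the path before whitelisting it. Changed file properties are deliberately not turned into a directive, because the right response is to confirm the change with the package manager and then re-baseline.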

What is SIEM-friendly Logging with Retention Policies and Repositories?

Rkhunter has no SIEM integration or retention logic of its own. What it offers is plain-text output that is easy to ship: it writes /var/log/rkhunter.log (set APPEND_LOG=1 to keep previous runs instead of overwriting, or COPY_LOG_ON_ERROR=1 to keep a copy whenever a run raises warnings) and, with USE_SYSLOG set to a facility and priority such as authpriv.warning, it also logs scan results through syslog, from where the normal log forwarder (rsyslog, syslog-ng, a SIEM agent) picks them up. Retention is then whatever logrotate and the SIEM are configured for. Because the log lives on the host being scanned, an attacker with root can edit it; forwarding it off-host as the scan finishes is what makes the record trustworthy.

How to Download Rkhunter for Free?

Rkhunter can be downloaded for free from the official website or from a Linux repository.

What is the Best Alternative to Rkhunter?

Common alternatives are Chkrootkit, which runs a similar set of signature checks, and OSSEC, whose rootcheck module performs rootkit and policy checks as part of a host-based IDS. "Rootkit Hunter" is not an alternative: it is rkhunter's full name. The right choice depends on the system's needs; rkhunter and chkrootkit are often run side by side because their signature sets differ.

Rkhunter encryption and repository planning | Armosecure

What is Rkhunter?

Rkhunter is a free and open-source tool that scans a system for rootkits, backdoors and other signs of local compromise. It is widely used in the Linux community to check the integrity of hosts. Rkhunter works by looking for the files, directories, strings and ports used by known rootkits, by comparing key binaries against a baseline of file properties, and by checking a handful of system files and settings (passwd and group changes, SSH root login, syslog configuration) for the kinds of changes an intruder commonly makes.

Main Features of Rkhunter

Rkhunter has several key features that make it an effective tool for securing systems. These include:

  • Rootkit detection: Rkhunter checks for a wide range of known rootkits by the files, directories, kernel modules and strings they leave behind, and looks for hidden files, directories and processes.
  • Backdoor detection: Rkhunter checks for files and listening ports used by known backdoors.
  • Account and log checks: rather than monitoring logs in real time, Rkhunter checks the passwd and group files for changes since the last run and reports when syslog is not configured to send a copy of the logs to a remote host.
  • Configuration and binary checks: Rkhunter checks a few risky settings (for example SSH root login) and compares system binaries against its stored file-property baseline to detect modification.

Installation Guide

Step 1: Download Rkhunter

To install Rkhunter from source, download the release tarball from the project's SourceForge page (the URL below is the one given on the original page; check the project site for the current release):

wget http://rkhunter.sourceforge.net/current/rkhunter-1.4.6.tar.gz

Step 2: Extract the Archive

Once you have downloaded the archive, extract it:

tar xvfz rkhunter-1.4.6.tar.gz

Step 3: Install Rkhunter

Change into the extracted directory and run the installer script that ships in the tarball (it is called installer.sh, not install.sh, and needs to be told to install and which filesystem layout to use):

cd rkhunter-1.4.6
./installer.sh --layout default --install

Run rkhunter --update and then rkhunter --propupd once afterwards to fetch the data files and record the file-property baseline while the host is known good.

Secure Deployment with Immutable Storage and Key Rotation

Immutable Storage

Immutable storage is storage that cannot be modified once written. For Rkhunter the assets worth protecting this way are its file-property database (/var/lib/rkhunter/db/rkhunter.dat in the default layout), its configuration, and /var/log/rkhunter.log, because an attacker who has root on the scanned host can rewrite all three to make the next scan look clean. Copy the database and each run's log to write-once or off-host storage, and compare the on-host database against that copy before trusting a scan.

Key Rotation

Rkhunter does not use encryption keys, so there is nothing in it to rotate. The integrity of the data files it fetches with --update rests on the mirror and the transport, not on any key rkhunter holds; installing the tool from a signed distribution package is the way to get cryptographic verification of rkhunter itself. Key rotation in this context applies to the credentials of whatever off-host store or SIEM receives the logs, not to Rkhunter.

How to Monitor Rkhunter

Rkhunter Log File

Rkhunter does not monitor other logs; it writes its own. Each run logs to /var/log/rkhunter.log by default, and the --logfile option points a run at a different file, which is useful when an incident responder wants a separate record to copy off the host:

rkhunter --check --sk --logfile /var/tmp/rkhunter-ir.log

Configuration File

Rkhunter does not watch its configuration file for changes either. --configfile selects which configuration file a run uses, and -C (--config-check) parses the file and reports errors without scanning, which is the check to run after every edit:

rkhunter --check --sk --configfile /etc/rkhunter.conf
rkhunter -C --configfile /etc/rkhunter.conf

Changes to the configuration file itself are something to watch with a file-integrity tool or by keeping the file under version control; rkhunter treats it as trusted input.

Rkhunter vs Alternatives

Other Rootkit Detection Tools

There are several other rootkit detection tools available, including:

  • Chkrootkit: a rootkit checker in the same vein as rkhunter; a shell script plus a few small C helpers that look for the signatures of known rootkits, wiped log entries, hidden processes and network interfaces in promiscuous mode.
  • OSSEC: a host-based intrusion detection system whose rootcheck module performs rootkit and policy checks alongside log analysis and file integrity monitoring.

"Rootkit Hunter" is simply rkhunter's full name, not a separate tool; it has no web-based interface.

Comparison of Features

Feature                                      Rkhunter   Chkrootkit   OSSEC (rootcheck)
Known-rootkit signature checks               Yes        Yes          Yes
File-property baseline (--propupd)           Yes        No           Yes (syscheck)
Hidden file / process checks                 Yes        Yes          Yes
Configuration checks (SSH root login etc.)   Yes        No           Yes (policy)
Log analysis / agent-server model            No         No           Yes

FAQ

How do I download Rkhunter for free?

Rkhunter is free software under the GPL. Install it from your distribution's repository where possible; otherwise download the release tarball (the URL given on the original page):

wget http://rkhunter.sourceforge.net/current/rkhunter-1.4.6.tar.gz

How do I install Rkhunter?

After downloading and extracting the tarball, change into the extracted directory and run the installer that ships with it:

cd rkhunter-1.4.6
./installer.sh --layout default --install

How do I configure Rkhunter to monitor system logs?

Rkhunter does not monitor system logs; it writes its own log of each scan. To get that scan log to a log collector, set USE_SYSLOG in rkhunter.conf to a facility.priority such as authpriv.warning, or point a run at a specific file with --logfile:

rkhunter --check --sk --logfile /var/log/rkhunter.log

Rkhunter security setup and hardening guide | Armosecure

What is Rkhunter?

Rkhunter is a free and open-source Linux security tool designed to detect rootkits, backdoors and other signs of local compromise; it reports what it finds but does not prevent or remove anything. It is a command-line utility that scans the system for known malicious files, tampered binaries, hidden files and risky settings, which makes it a useful tool for endpoint hardening checks and security auditing.

Main Features of Rkhunter

Rkhunter offers several key features that make it an essential tool for Linux security, including:

  • Rootkit detection: Rkhunter scans the system for any signs of rootkits, including hidden files, directories, and processes.
  • Backdoor detection: Rkhunter checks for any backdoors that may have been installed on the system, allowing unauthorized access.
  • System file integrity checking: Rkhunter verifies the integrity of system files, ensuring that they have not been modified or tampered with.
  • Configuration file checking: Rkhunter checks configuration files for any signs of tampering or unauthorized changes.

Installation Guide

Downloading Rkhunter

Rkhunter can be downloaded from the project website, and it is also available in most Linux distributions' package repositories, which is the recommended route. To download the tarball by hand, follow these steps (the version number in the URL is missing from the original page; take it from the project's download page):

  1. Open a terminal window and navigate to the directory where you want to download Rkhunter.
  2. Use the wget command to download the release tarball: wget http://www.rkhunter.sourceforge.net/files/rkhunter-.tar.gz
  3. Extract the contents of the tarball using the tar command: tar -xvf rkhunter-.tar.gz

Installing Rkhunter

Once you have downloaded and extracted Rkhunter, install it using the following steps:

  1. Change into the directory the tarball extracted.
  2. Run the installer script that ships in the tarball: ./installer.sh --layout default --install
  3. Run rkhunter --update to fetch the data files, then rkhunter --propupd to record the file-property baseline while the host is known good.

Technical Specifications

System Requirements

Rkhunter is designed to run on Linux and other Unix-like systems and has no specific hardware requirements of its own: it is a bash script that relies on standard utilities already present on the host.

  • Operating System: Linux (most distributions), plus BSD and Solaris variants
  • Shell and tools: bash, plus file, stat, find and a hash utility (md5sum, sha1sum or sha256sum, chosen with HASH_FUNC)
  • Optional: the distribution's package manager (set PKGMGR) for verifying file properties, and unhide for hidden-process checks
  • Disk and memory: negligible for the tool itself; scan time is dominated by reading the files it checks

Supported File Systems

Rkhunter works at the level of paths and file contents, so it is not tied to particular filesystems; ext2, ext3, ext4, XFS, JFS, Btrfs and the rest all work. The one requirement is read access to every path it checks, so run it as root.

Pros and Cons

Pros of Rkhunter

Rkhunter offers several advantages, including:

  • Free and open-source: Rkhunter is completely free to download and use.
  • Highly customizable: Rkhunter can be customized to meet the specific needs of your system.
  • Regular updates: Rkhunter is regularly updated to ensure that it can detect the latest rootkits and backdoors.

Cons of Rkhunter

Rkhunter also has some disadvantages, including:

  • Steep learning curve: Rkhunter can be difficult to use for beginners.
  • Resource-intensive: Rkhunter can consume significant system resources during scans.
  • False positives: Rkhunter may generate false positive results, which can be time-consuming to investigate.

FAQ

How often should I run Rkhunter?

Rkhunter should be run regularly, ideally once a week, to ensure that your system remains secure.

Can I use Rkhunter with other security tools?

Yes, Rkhunter can be used in conjunction with other security tools, such as antivirus software and firewalls.

Is Rkhunter compatible with all Linux distributions?

Rkhunter is designed to be compatible with most Linux distributions, but it may not work with all distributions. Check the Rkhunter website for a list of supported distributions.
