Malware Scanning (rkhunter + ClamAV)
Even a well-configured VPS can be compromised. These tools help detect:
- rkhunter: rootkits, backdoors, modified system files
- ClamAV: viruses, malware, suspicious files in user directories
rkhunter: Rootkit Detection
Installation
# Debian / Ubuntu
apt install rkhunter -y
# AlmaLinux / CentOS (rkhunter is packaged in EPEL, not in the base repos)
dnf install epel-release -y
dnf install rkhunter -y
Initial Configuration
# Update rkhunter's data files. On Debian/Ubuntu this fails until you remove
# WEB_CMD="/bin/false" from /etc/rkhunter.conf: the package sets it on purpose
# to disable network updates.
rkhunter --update
# Record the current "good" state of the system (hashes and properties of the
# monitored binaries); later --check runs compare against this baseline
rkhunter --propupd
Run --propupd only on a system you have reason to trust is clean, and re-run it AFTER every package install or update: the baseline must describe the files that are on disk now, otherwise the next --check flags every updated binary as a changed file. On Debian/Ubuntu, APT_AUTOGEN="yes" in /etc/default/rkhunter refreshes the baseline automatically after each apt run.
Manual Scan
# --sk: don't stop for a keypress after each test group; add --rwo to print only warnings
rkhunter --check --sk
Typical clean output:
System checks summary
=====================
File properties checks...
Files checked: 148
Suspect files: 0
Rootkit checks...
Rootkits checked : 497
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 1 minute and 24 seconds
All results have been written to the log file: /var/log/rkhunter.log
Email Alert Configuration
nano /etc/rkhunter.conf
# Email notifications (the option really is spelled with hyphens;
# ${HOST_NAME} is expanded by rkhunter when it runs the mail command)
MAIL-ON-WARNING=admin@yourdomain.com
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
# There is no configuration option that limits output to warnings; use the
# --rwo (--report-warnings-only) command-line flag for that.
# Whitelist commands that are legitimately shell scripts on this distribution.
# Confirm each one first ("file /usr/bin/ldd" and dpkg --verify / rpm -V):
# a whitelisted path is never reported again, so a real replacement would go unnoticed.
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/bin/ldd
After editing, run rkhunter --config-check (-C): rkhunter rejects unknown option names and a typo would stop every scheduled scan.
Automation with cron
crontab -e
# Scan every day at 3:00 AM. --cronjob implies --check --sk --nocolors; --rwo
# prints only warnings, so the mail body is empty on a clean host. Do not use
# --quiet here: it suppresses all output and you would mail empty reports.
0 3 * * * /usr/bin/rkhunter --cronjob --update --rwo 2>&1 | mail -s "rkhunter $(hostname)" admin@yourdomain.com
If MAIL-ON-WARNING is set in rkhunter.conf you can drop the pipe to mail: rkhunter sends the warning mail itself. On Debian/Ubuntu the package already installs /etc/cron.daily/rkhunter, driven by CRON_DAILY_RUN, CRON_DB_UPDATE and REPORT_EMAIL in /etc/default/rkhunter; enable that instead of adding a second job, and leave out --update unless you re-enabled WEB_CMD.
ClamAV: Antivirus
Useful for servers that receive files from untrusted parties (web hosting with uploads, mail servers, FTP). ClamAV is signature based: it finds known malware, including many PHP web shells, but not custom code written for your server, so a clean scan means "no known samples", not "nothing malicious".
Installation
# Debian / Ubuntu
apt install clamav clamav-daemon -y
# AlmaLinux / CentOS (packages are in EPEL)
dnf install epel-release -y
dnf install clamav clamd clamav-update -y
Update Virus Database
# The clamav-freshclam service installed above refreshes the signatures on its
# own (hourly by default). For an immediate first download, stop it so the two
# don't compete for the database lock, run freshclam once, then start it again.
systemctl stop clamav-freshclam
freshclam
systemctl enable --now clamav-freshclam
Scan Directories
# Scan /var/www and delete infected files. This destroys the evidence you
# would want for incident analysis; --move=/path/to/quarantine keeps the file
# out of reach (directory mode 700) while preserving it.
clamscan -r /var/www --remove --log=/var/log/clamav-scan.log
# Scan without touching files (report only)
clamscan -r /home --log=/var/log/clamav-scan.log
# -i (--infected): list only infected files in the output
clamscan -r /var/www -i --log=/var/log/clamav-scan.log
clamscan's exit status tells you what happened: 0 nothing found, 1 at least one infected file, 2 the scan itself failed (unreadable database, bad path). --log appends, so the log file grows across runs.
Weekly Automation
crontab -e
# Every Sunday at 2:00 AM. clamscan exits 1 when it finds infected files, so
# "clamscan && mail" would send the report only when the scan is clean; use ||
# so you are mailed on infections and on failed scans (exit 2).
0 2 * * 0 /usr/bin/clamscan -r /var/www -i --log=/var/log/clamav-weekly.log >/dev/null || mail -s "ClamAV scan $(hostname)" admin@yourdomain.com < /var/log/clamav-weekly.log
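The one-line cron job above works, but a small wrapper is easier to get right: quarantine instead of delete, mail only when there is something to act on, and read the infected count out of the log for the subject line. The script below is an added example written for this article, not code from the original page or from the ClamAV project. It assumes the paths and address shown, a quarantine directory /var/quarantine, and mail(1) for delivery; the sample log in the test is constructed.

```shell
#!/bin/sh
# clamav-weekly.sh (added example, not from the original article or ClamAV).
# Assumptions: SCAN_DIR, QUARANTINE, LOG and ALERT_TO below; mail(1) installed.
# Cron usage:  0 2 * * 0 /usr/local/sbin/clamav-weekly.sh run

SCAN_DIR="${SCAN_DIR:-/var/www}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"
LOG="${LOG:-/var/log/clamav-weekly.log}"
ALERT_TO="${ALERT_TO:-admin@yourdomain.com}"

# clamscan's exit status is the only reliable signal of what happened:
# 0 = nothing found, 1 = at least one infected file, 2 = the scan itself
# failed (unreadable database, bad path). Anything else is treated as error.
classify_rc() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Extract the "Infected files: N" figure from a clamscan log (file argument
# or stdin). --log appends, so take the last summary in the file.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' "$@" | tail -n 1
}

# Subject line for the alert mail: $1 = state, $2 = exit status,
# $3 = infected count, $4 = hostname.
alert_subject() {
    case "$1" in
        infected) echo "[ClamAV] $3 infected file(s) quarantined on $4" ;;
        error)    echo "[ClamAV] scan FAILED (exit $2) on $4" ;;
        *)        echo "[ClamAV] clean scan on $4" ;;
    esac
}

run_scan() {
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
    # --move keeps the file for analysis instead of deleting it like --remove.
    # Capture the status inside an if so "set -e" does not abort on exit 1.
    if clamscan -r -i --move="$QUARANTINE" --log="$LOG" "$SCAN_DIR" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    state=$(classify_rc "$rc")
    if [ "$state" != clean ]; then
        # Mail only when there is something to act on; a clean weekly scan is
        # recorded in $LOG and would otherwise train people to ignore the mail.
        mail -s "$(alert_subject "$state" "$rc" "$(infected_count "$LOG")" "$(hostname)")" \
            "$ALERT_TO" < "$LOG"
    fi
    return "$rc"
}

# Only scan when invoked with "run"; otherwise just define the helpers so the
# file can be sourced or tested without touching the filesystem.
if [ "${1:-}" = run ]; then
    run_scan
fi
```

Because the exit status is propagated, cron still records a non-zero result for infected or failed runs, and the quarantine directory gives you the sample to examine (with file(1), strings, or a sandbox) before deciding whether the upload path itself needs fixing.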
ClamAV Daemon (Real-Time Scanning)
For mail servers or upload servers, run clamd so that scans are served from a signature database that is already loaded in memory; each clamscan start reloads the whole database, which costs seconds and hundreds of MB of RAM. clamd does not watch the filesystem by itself: scans are requested through its socket by clamdscan, by a mail milter, or by your upload handler. True on-access scanning needs clamonacc with the OnAccess* settings in clamd.conf.
# Debian / Ubuntu
systemctl enable --now clamav-daemon
systemctl status clamav-daemon
# AlmaLinux / CentOS (EPEL ships a templated unit configured by /etc/clamd.d/scan.conf)
systemctl enable --now clamd@scan
systemctl status clamd@scan
Recommended Workflow
rkhunter regularly warns about legitimate things: commands that are shell scripts on your distribution (ldd, adduser), hidden directories such as /etc/.java, and binaries that changed because a package was updated. Read /var/log/rkhunter.log before raising an alarm, verify the file against the package manager (dpkg --verify on Debian/Ubuntu, rpm -V on AlmaLinux/CentOS), and only then exclude confirmed false positives with ALLOWHIDDENDIR, ALLOWHIDDENFILE or SCRIPTWHITELIST in rkhunter.conf, or refresh the baseline with rkhunter --propupd.
- At server setup: install both tools, download the signatures, and run rkhunter --propupd once the base packages are in place
- Daily/weekly: automatic rkhunter check plus a ClamAV scan of the directories that receive untrusted files
- On anomalies: full manual scan (rkhunter --check; clamscan -r / with --exclude-dir for /proc, /sys and /dev), then read /var/log/rkhunter.log and the ClamAV log. Treat a confirmed rootkit finding as a compromised host and rebuild from a clean image rather than cleaning in place: a kernel-level rootkit can hide from any scanner running on the same system.
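The log review step above is where most rkhunter deployments go wrong: people whitelist whatever warned. The script below is an added example for this article, not code from the original page or from the rkhunter project. It reads an rkhunter log, groups each warning by the action it calls for, and asks the package manager about file-related warnings before you touch rkhunter.conf. It assumes the usual log path /var/log/rkhunter.log and the log line layout "[HH:MM:SS] Warning: ..." with the affected file on a following "File:" line for property changes; the log lines in the test are constructed.

```shell
#!/bin/sh
# rkhunter-triage.sh (added example, not from the original article or rkhunter).
# Usage:  rkhunter-triage.sh run [/var/log/rkhunter.log]

# Print one line per warning: "<category> <path-or-text>".
#   script      -> command replaced by a script; candidate for SCRIPTWHITELIST
#   propchange  -> file hash/properties differ from the --propupd baseline
#   hidden      -> hidden file/dir; candidate for ALLOWHIDDENFILE/ALLOWHIDDENDIR
#   other       -> everything else: read the log, never whitelist blindly
# Assumed rkhunter log layout: "[HH:MM:SS] Warning: ..." and, for property
# changes, the affected file on a following "File: /path" line.
rkhunter_triage() {
    awk -v q="'" '
        /Warning: The command .* has been replaced by a script/ {
            match($0, q "[^" q "]+" q)
            print "script " substr($0, RSTART + 1, RLENGTH - 2); next
        }
        /Warning: The file properties have changed/ { want_file = 1; next }
        want_file && /File: / {
            sub(/.*File: /, ""); print "propchange " $0; want_file = 0; next
        }
        /Warning: Hidden (directory|file) found:/ {
            sub(/.*found: /, ""); print "hidden " $0; next
        }
        /Warning:/ {
            sub(/^\[[0-9:]*\] *Warning: /, ""); print "other " $0
        }
    ' "$@"
}

# Ask the package manager whether a file still matches the installed package.
# Prints nothing when the file is unchanged; prints the verify output when it
# differs, or a note when no package owns the file (worth a closer look).
verify_with_pkgmgr() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1" 2>&1 || true
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -n "$pkg" ]; then
            dpkg --verify "$pkg" 2>&1 | grep -F " $1" || true
        else
            echo "not owned by any package: $1"
        fi
    fi
}

# The advice from the workflow above, one line per category.
advice() {
    case "$1" in
        script)     echo "confirm with 'file' and the package manager, then SCRIPTWHITELIST=$2" ;;
        propchange) echo "if the package manager reports no change, re-run rkhunter --propupd" ;;
        hidden)     echo "ALLOWHIDDENDIR=$2 or ALLOWHIDDENFILE=$2 only if you know what created it" ;;
        *)          echo "investigate manually" ;;
    esac
}

# Only walk the real log when invoked with "run"; otherwise just define the
# helpers so the file can be sourced or tested.
if [ "${1:-}" = run ]; then
    rkhunter_triage "${2:-/var/log/rkhunter.log}" | while read -r category path; do
        echo "== $category: $path"
        case "$category" in
            script|propchange) verify_with_pkgmgr "$path" ;;
        esac
        advice "$category" "$path"
    done
fi
```

A "propchange" whose package verify shows a hash mismatch, or a "script" warning for a path that no package owns, is not a false positive to whitelist; it is the moment to stop, preserve the file, and treat the host as suspect.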