Installing and configuring Rootkit Hunter (rkhunter) on a cPanel/WHM server running CloudLinux, including best practices for integration and automation:
Rootkit Hunter (rkhunter) is a host-based security scanner for Linux servers, including web hosting environments such as cPanel/WHM on CloudLinux. It compares the system against a stored baseline of file properties and against known rootkit signatures, and helps detect:
- Rootkits
- Backdoors
- Local exploits
- Malicious hidden files and directories
- Tampered system binaries
Because it runs on the host it inspects, a kernel-level rootkit or an attacker with root can hide from it; treat it as one layer of defence, not as proof that a server is clean.
Benefits for cPanel/CloudLinux Environments
- Scans core system binaries and detects common server compromises
- Works well alongside Imunify360 and CSF/LFD for layered security
- Runs as root on the real filesystem, so it sees the host binaries that CageFS hides from hosting users and catches changes made outside the CageFS chroot
- Can mail a report when it finds something suspicious at the OS level (set up in the cron section below)
Installation
Option 1: Install via YUM/DNF (preferred for CloudLinux/CentOS/AlmaLinux):
yum install rkhunter -y
rkhunter is shipped in EPEL; if yum cannot find the package, enable the EPEL repository first (typically yum install epel-release -y). On CloudLinux/AlmaLinux 8 and later, yum is an alias for dnf.
Option 2: Manual install (if a newer version is needed):
cd /usr/local/src
wget http://scripts.hostxnow.com/rkhunter-1.4.0.tar.gz
tar -xzf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --install
The tarball above is fetched from a third-party mirror over plain HTTP, and 1.4.0 is an old release. Prefer the current release from the project's own download page (https://sourceforge.net/projects/rkhunter/) and compare the archive against the published checksum before running the installer; an integrity scanner installed from an unverified download defeats its own purpose. Note also that the installer's default layout puts the manual build under /usr/local (binary in /usr/local/bin, configuration in /usr/local/etc/rkhunter.conf), so adjust the /usr/bin/rkhunter and /etc/rkhunter.conf paths used further down if you choose this option.
Update rkhunter
Immediately update its data files after installation (this needs outbound HTTP access to the rkhunter mirrors):
rkhunter --update
Then record the baseline of system file properties:
rkhunter --propupd
Run --propupd only on a server you trust to be clean (ideally right after a fresh install), because it records the current state of every monitored binary as "good". Re-run it after each legitimate package update (yum update, cPanel upgrades); otherwise the next scan reports every updated binary as changed. Setting PKGMGR=RPM in /etc/rkhunter.conf makes rkhunter take the expected properties of RPM-managed files from the RPM database, which removes most of these warnings.
If a scan warns about files that belong to WHM/cPanel, confirm they are legitimate first (for RPM-managed files: rpm -Vf /path/to/file; for cPanel's own files, compare against a known-good server) and only then whitelist them in:
nano /etc/rkhunter.conf
The hidden-entry whitelist takes one path per line and only applies to dot-prefixed (hidden) files and directories, for example:
ALLOWHIDDENDIR=/usr/local/cpanel
ALLOWHIDDENFILE=/usr/local/cpanel/whostmgr/docroot/.cpanel/caches
A path that is not hidden, such as /usr/local/cpanel itself, is not affected by these two directives; warnings about such files come from other tests (changed properties, scripts replacing binaries) and have their own whitelist options (for example SCRIPTWHITELIST) in the same file.
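The update/propupd step and the "verify before you whitelist" rule above, as an added worked example. This script is not part of the original guide or of rkhunter: it reads an rkhunter log, lists every file rkhunter flagged as "file properties have changed", and, where rpm is available, checks each one against the RPM database so that you only run rkhunter --propupd once every flagged file is explained by a package update. The sample log lines are constructed (they follow the layout of /var/log/rkhunter.log but are not real scan output), and the function names changed_files, warning_count, classify_file and triage are this example's own.

```shell
#!/bin/sh
# rkhunter_triage.sh: added example for this article, not code from the page or
# from the rkhunter project. Usage: sh rkhunter_triage.sh [/var/log/rkhunter.log]
# With no argument it runs against the constructed sample log below.

# Constructed sample of rkhunter.log content (NOT real scan output).
SAMPLE_LOG="[03:00:02] Warning: The file properties have changed:
[03:00:02]          File: /usr/bin/ssh
[03:00:02]          Current inode: 131337    Stored inode: 131072
[03:00:02] Warning: The file properties have changed:
[03:00:02]          File: /usr/sbin/sshd
[03:00:02]          Current hash: (differs)    Stored hash: (baseline)
[03:00:03] Warning: Hidden file found: /dev/shm/.x: data
[03:00:04] Info: Starting test name hidden_procs"

# Paths flagged by "file properties have changed" warnings, one per line, deduplicated.
changed_files() {
    awk '/Warning: The file properties have changed/ { want = 1; next }
         want && /File: / { sub(/.*File: /, ""); print; want = 0 }' "$1" | sort -u
}

# Number of Warning: lines in the log (any test, not only the properties test).
warning_count() {
    grep -c 'Warning:' "$1" || true
}

# Classify one flagged file:
#   no-rpm   - rpm not available here, cannot verify automatically
#   unowned  - no package owns the file: never whitelist without investigating
#   modified - the file differs from what its package shipped (rpm -V lists it)
#   verified - matches its package; a stale rkhunter baseline after yum update
#              looks exactly like this, and --propupd is the right fix
classify_file() {
    command -v rpm >/dev/null 2>&1 || { echo no-rpm; return; }
    rpm -qf "$1" >/dev/null 2>&1 || { echo unowned; return; }
    # rpm -Vf verifies the whole owning package; keep only lines about this path.
    if rpm -Vf "$1" 2>/dev/null | grep -q " $1\$"; then
        echo modified
    else
        echo verified
    fi
}

# Print "path<TAB>status" for every flagged file; return 0 only if all verified.
# (Paths containing whitespace would be split here; rkhunter's monitored
# system binaries do not contain any.)
triage() {
    rc=0
    for f in $(changed_files "$1"); do
        status=$(classify_file "$f")
        printf '%s\t%s\n' "$f" "$status"
        [ "$status" = verified ] || rc=1
    done
    return $rc
}

# Stand-alone run: use the log given as $1, else the constructed sample.
if [ -n "${1:-}" ]; then
    LOG=$1; TMP=
else
    TMP=$(mktemp); LOG=$TMP
    printf '%s\n' "$SAMPLE_LOG" > "$LOG"
fi
echo "Warnings in $LOG: $(warning_count "$LOG")"
if triage "$LOG"; then
    echo "Every flagged file matches its package: safe to run rkhunter --propupd"
else
    echo "Investigate the non-verified files above before running rkhunter --propupd"
fi
[ -z "$TMP" ] || rm -f "$TMP"
```

Run it as root after a scan that produced warnings (sh rkhunter_triage.sh /var/log/rkhunter.log). Only when every line reads "verified" is the warning explained by a package update and --propupd appropriate; "unowned" or "modified" entries need to be examined by hand before anything is whitelisted.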
Manual Scans
Run a full check (interactive; it pauses for a keypress after each group of tests):
rkhunter -c
Skip the keypress prompts (recommended for automation) and, optionally, report warnings only:
rkhunter -c --sk
rkhunter -c --sk --rwo
The exit status is 0 when no warnings were found and non-zero otherwise, so scripts can act on it.
Weekly Email Reports with Cron
Create a weekly cron job to scan and email the results:
nano /etc/cron.weekly/rkhunter.sh
Paste:
#!/bin/sh
# Weekly rkhunter run: refresh the data files, scan non-interactively, mail a summary.
# --cronjob implies --check --nocolors --skip-keypress; 2>&1 keeps error output in the mail.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
RECIPIENT="admin@example.com"   # replace with your address
(
/usr/bin/rkhunter --versioncheck --nocolors
/usr/bin/rkhunter --update --nocolors
/usr/bin/rkhunter --cronjob --summary
) 2>&1 | /bin/mail -s "rkhunter Report - $(hostname)" "$RECIPIENT"
Make it executable:
chmod 750 /etc/cron.weekly/rkhunter.sh
Make sure mailx is installed and configured (cPanel's Exim delivers local mail, so no extra relay is needed):
yum install mailx -y
Replace admin@example.com with your actual email address.
The EPEL package also installs its own daily job (/etc/cron.daily/rkhunter, configured through /etc/sysconfig/rkhunter); keep one or the other, or you will receive two sets of reports.
Adjust rkhunter.conf for cPanel/CloudLinux
Open the config file:
nano /etc/rkhunter.conf
SCRIPTDIR must point at the directory that holds rkhunter's helper scripts. The package sets this correctly, so only change it if a scan reports that it cannot find its scripts, and then use the real location (rpm -ql rkhunter | grep scripts shows it for the package install; the manual installer uses a directory under /usr/local). The value used in this guide was:
SCRIPTDIR=/usr/libexec/rkhunter/scripts
Add exceptions to prevent false positives, one path per line, after verifying that each entry is legitimate. ALLOWHIDDENDIR and ALLOWHIDDENFILE only whitelist dot-prefixed entries, so the two lines below, as given in this guide, have no effect unless the paths are actually hidden:
ALLOWHIDDENDIR=/etc/apache2/logs
ALLOWHIDDENFILE=/usr/local/cpanel/3rdparty
Whitelisting a whole directory such as /usr/local/cpanel/3rdparty would also hide anything an attacker drops there, so whitelist specific files rather than directories wherever possible.
Integration Tips with Imunify360 & CSF
- Imunify360 and rkhunter complement each other: Imunify360 watches live web traffic and file injection into hosting accounts, while rkhunter checks OS integrity (system binaries, hidden files, kernel modules).
- rkhunter writes its own log (/var/log/rkhunter.log), which Imunify360 does not touch, so the two can run side by side.
- You can optionally have lfd include rkhunter's log in its periodic log-scanner report. Add the log to the list of files lfd watches:
nano /etc/csf/csf.logfiles
Add:
/var/log/rkhunter.log
This only takes effect when the log scanner is enabled in /etc/csf/csf.conf (LOGSCANNER = "1"); lines you do not want reported can be listed as regular expressions in /etc/csf/csf.logignore. Then restart csf and lfd so lfd rereads its configuration:
csf -ra
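The csf/lfd integration above, as an added worked example (not code from the original guide, from csf or from rkhunter). The script registers rkhunter's log with lfd's log scanner idempotently: it appends the path to csf.logfiles only if missing, adds an ignore pattern for rkhunter's "Info:" progress lines, and switches LOGSCANNER on in csf.conf. It assumes csf.conf's KEY = "value" layout, one log path per line in csf.logfiles and one regex per line in csf.logignore; the file paths default to /etc/csf but can be pointed at copies for a dry run, which is what the stand-alone run does. All function names are this example's own.

```shell
#!/bin/sh
# csf_rkhunter_logscanner.sh: added example for this article, not code from the
# page, csf or rkhunter.
# Usage: sh csf_rkhunter_logscanner.sh                  (dry run on temp copies)
#        sh csf_rkhunter_logscanner.sh /etc/csf/csf.conf /etc/csf/csf.logfiles /etc/csf/csf.logignore

RKHUNTER_LOG="/var/log/rkhunter.log"   # LOGFILE value in rkhunter.conf (default)

# Append a line to a file only if an identical line is not already present.
add_line_once() {
    file="$1"; line="$2"
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Set KEY = "value" in a csf.conf-style file, replacing the existing KEY line
# (KEY_OTHER lines are untouched because the pattern requires '=' after KEY).
set_csf_option() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^$key *= *\"" "$file"; then
        tmp=$(mktemp)
        sed "s|^$key *= *\".*\"|$key = \"$value\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# Read the value of KEY from a csf.conf-style file (empty if unset).
get_csf_option() {
    sed -n "s|^$2 *= *\"\(.*\)\".*|\1|p" "$1"
}

# Wire rkhunter's log into lfd's LOGSCANNER report.
configure_rkhunter_logscanner() {
    conf="${1:-/etc/csf/csf.conf}"
    logfiles="${2:-/etc/csf/csf.logfiles}"
    logignore="${3:-/etc/csf/csf.logignore}"
    add_line_once "$logfiles" "$RKHUNTER_LOG"
    # rkhunter's "[HH:MM:SS] Info:" lines are scan progress noise; keep Warning: lines.
    add_line_once "$logignore" '^\[[0-9:]+\] Info:'
    set_csf_option "$conf" LOGSCANNER 1
}

# Stand-alone run with no arguments: dry run on temporary copies so the
# example is safe to execute on any machine. With arguments: edit those files.
if [ $# -eq 0 ]; then
    d=$(mktemp -d)
    printf 'LOGSCANNER = "0"\nLOGSCANNER_INTERVAL = "hourly"\n' > "$d/csf.conf"
    printf '/var/log/messages\n' > "$d/csf.logfiles"
    : > "$d/csf.logignore"
    configure_rkhunter_logscanner "$d/csf.conf" "$d/csf.logfiles" "$d/csf.logignore"
    echo "--- csf.conf ---";      cat "$d/csf.conf"
    echo "--- csf.logfiles ---";  cat "$d/csf.logfiles"
    echo "--- csf.logignore ---"; cat "$d/csf.logignore"
    rm -rf "$d"
else
    configure_rkhunter_logscanner "$@"
    echo "Now run: csf -ra   (restart csf and lfd so lfd rereads its configuration)"
fi
```

After running it against the real files, restart with csf -ra; the rkhunter lines then arrive batched in lfd's log-scanner report rather than as individual alerts, so the weekly mail from the cron job remains the primary notification.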
Log Location
All scan results are saved to the file named by LOGFILE in /etc/rkhunter.conf, by default:
/var/log/rkhunter.log
By default (APPEND_LOG=0) each run overwrites this file. Set APPEND_LOG=1 if you want to keep the history of earlier scans for incident investigation; a log that is truncated on every run is also harder for lfd to follow if you feed it to the CSF log scanner.
Final Checklist
Task | Status |
---|---|
Installed via YUM | Done |
Configured exceptions | Done |
Updated hash properties | Done |
Created cron job | Done |
Integrated with CSF/LFD | Optional |