Malware Scanning (rkhunter + ClamAV)

Detect rootkits and viruses on your VPS with rkhunter and ClamAV.

Even a well-configured VPS can be compromised. These tools help detect:

  • rkhunter: rootkits, backdoors, modified system files
  • ClamAV: viruses, malware, suspicious files in user directories

rkhunter: Rootkit Detection

Installation

# Debian / Ubuntu
apt install rkhunter -y

# AlmaLinux / CentOS
dnf install rkhunter -y

Initial Configuration

# Update the database
rkhunter --update

# Record the current "good" state of the system
rkhunter --propupd

Important

Run --propupd BEFORE installing new software, otherwise rkhunter will report false positives for the new files.

Manual Scan

rkhunter --check --sk

Typical clean output:

System checks summary
=====================
File properties checks...
  Files checked: 148
  Suspect files: 0

Rootkit checks...
  Rootkits checked : 497
  Possible rootkits: 0

Applications checks...
  All checks skipped

The system checks took: 1 minute and 24 seconds

All results have been written to the log file: /var/log/rkhunter.log

Email Alert Configuration

nano /etc/rkhunter.conf
# Email notifications
MAIL-ON-WARNING="admin@yourdomain.com"
MAIL_CMD=mail -s "[rkhunter] Warning found on $(hostname)"

# Show only warnings (not info)
REPORT_EMAIL_WARNINGS_ONLY=1

# Whitelist common false positives
SCRIPTWHITELIST=/usr/sbin/adduser
SCRIPTWHITELIST=/usr/bin/ldd

Automation with cron

crontab -e
# Scan every day at 3:00 AM
0 3 * * * /usr/bin/rkhunter --cronjob --update --quiet 2>&1 | mail -s "rkhunter $(hostname)" admin@yourdomain.com

ClamAV: Antivirus

Useful for servers that handle file uploads (hosting, mail server, FTP).

Installation

# Debian / Ubuntu
apt install clamav clamav-daemon -y

# AlmaLinux / CentOS
dnf install clamav clamd clamav-update -y

Update Virus Database

# Stop the daemon temporarily for update
systemctl stop clamav-freshclam
freshclam
systemctl start clamav-freshclam

Scan Directories

# Scan /var/www with automatic removal of infected files
clamscan -r /var/www --remove --log=/var/log/clamav-scan.log

# Scan without removing (report only)
clamscan -r /home --log=/var/log/clamav-scan.log

# Only infected files in report
clamscan -r /var/www -i --log=/var/log/clamav-scan.log

Weekly Automation

crontab -e
# Every Sunday at 2:00 AM. clamscan exits 1 when it finds infected files, so the
# report must be sent unconditionally (";" rather than "&&"): "&&" would mail only clean runs.
0 2 * * 0 /usr/bin/clamscan -r /var/www -i --log=/var/log/clamav-weekly.log; mail -s "ClamAV scan $(hostname)" admin@yourdomain.com < /var/log/clamav-weekly.log
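A cron-friendly wrapper for the weekly scan, added here as an example and not part of the original guide or of the ClamAV project. It quarantines with --move instead of deleting with --remove (so a false positive can be restored after review) and mails only when clamscan's documented exit code is not 0 (0 = clean, 1 = infected files found, 2 = error). The quarantine path, log path and admin address are assumptions; the RUN_SCAN variable only exists so the decision logic can be exercised without a real scan.

```shell
#!/bin/sh
# Added example (not from the original guide): ClamAV weekly scan wrapper that
# quarantines rather than deletes and alerts only when something needs attention.

SCAN_DIR="${SCAN_DIR:-/var/www}"
QUARANTINE="${QUARANTINE:-/var/lib/clamav-quarantine}"   # assumed location
LOG="${LOG:-/var/log/clamav-weekly.log}"
ADMIN="${ADMIN:-admin@yourdomain.com}"

# Map a clamscan exit code to a one-word verdict (exit codes per clamscan(1)).
clamscan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# An e-mail is warranted for anything other than a clean run, including an
# unknown code (a crashed or missing scanner must not look like "clean").
needs_alert() {
    [ "$(clamscan_verdict "$1")" != clean ]
}

run_scan() {
    mkdir -p "$QUARANTINE"
    chmod 700 "$QUARANTINE"
    # -i: log only infected files; --move: quarantine instead of --remove.
    clamscan -r -i --move="$QUARANTINE" --log="$LOG" "$SCAN_DIR" >/dev/null 2>&1
    rc=$?
    if needs_alert "$rc"; then
        mail -s "[ClamAV] $(clamscan_verdict "$rc") on $(hostname): $SCAN_DIR" "$ADMIN" < "$LOG"
    fi
    return "$rc"
}

# Only scan when explicitly asked (e.g. RUN_SCAN=1 from the crontab entry), so
# sourcing the file to reuse the functions does not start a scan.
if [ "${RUN_SCAN:-0}" = 1 ]; then
    run_scan
fi
```

Install it as, for instance, /usr/local/sbin/clamscan-weekly (assumed path) and call it from cron with RUN_SCAN=1 in place of the one-line entry above; the exit code is passed through, so cron still sees failures.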

ClamAV Daemon (Real-Time Scanning)

For mail servers or upload file servers, enable the daemon:

systemctl enable --now clamav-daemon
systemctl status clamav-daemon

Recommended Routine

  1. At server setup: install both, run rkhunter --propupd
  2. Weekly: automatic rkhunter + ClamAV scan of public directories
  3. On anomalies: full manual scan + analyze /var/log/rkhunter.log

False Positives

rkhunter often reports Perl files, system scripts, and updated binaries. Always check the log before raising an alarm. Use ALLOWHIDDENDIR and SCRIPTWHITELIST in rkhunter.conf to exclude confirmed false positives.
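A small log-triage helper, added as an example (not part of the original guide or of rkhunter itself), for the "check the log before raising an alarm" step: it pulls the Warning lines out of an rkhunter log and separates those that mention an already-reviewed path (mirroring the SCRIPTWHITELIST / ALLOWHIDDENDIR entries) from the ones that still need a human look. The sample log lines are constructed for this example; the whitelist contents and the /var/log/rkhunter.log default are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): rkhunter warning triage.

# Constructed sample of the "[HH:MM:SS] Warning: ..." lines rkhunter writes.
SAMPLE_LOG=$(cat <<'EOF'
[03:00:12] Info: Starting system checks
[03:00:15] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[03:00:16] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script text executable
[03:00:40] Warning: Hidden directory found: /etc/.java
[03:01:02] Warning: The file properties have changed: File: /usr/bin/curl
[03:01:30] Info: Rootkit checks finished
EOF
)

# Paths already reviewed and whitelisted in rkhunter.conf (assumed), one per line.
REVIEWED_WHITELIST="/usr/sbin/adduser
/usr/bin/ldd"

# Print only the Warning lines of a log read from stdin.
rkhunter_warnings() {
    grep -E '^\[[0-9:]+\] Warning:'
}

# Drop warnings that mention a reviewed path; what remains needs a human look.
unreviewed_warnings() {
    rkhunter_warnings | while IFS= read -r line; do
        matched=0
        for p in $REVIEWED_WHITELIST; do
            case "$line" in *"$p"*) matched=1; break ;; esac
        done
        if [ "$matched" -eq 0 ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Count unreviewed warnings in a log file (default: the real rkhunter log).
count_unreviewed() {
    unreviewed_warnings < "${1:-/var/log/rkhunter.log}" | wc -l | tr -d ' '
}

# Same counts against the constructed sample, for a quick self-check.
count_sample_warnings() {
    printf '%s\n' "$SAMPLE_LOG" | rkhunter_warnings | wc -l | tr -d ' '
}
count_sample_unreviewed() {
    printf '%s\n' "$SAMPLE_LOG" | unreviewed_warnings | wc -l | tr -d ' '
}

# Demo: show which sample warnings still need review (the hidden directory
# and the changed curl binary; ldd and adduser are already whitelisted).
printf '%s\n' "$SAMPLE_LOG" | unreviewed_warnings
```

Wire it into the daily cron entry by mailing only when count_unreviewed is non-zero; the matching is a plain substring check, so keep the whitelist to exact paths you have actually verified (for example by comparing the package's checksum with dpkg --verify or rpm -V) rather than broad prefixes.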