If you manage Linux servers, you’ve likely encountered rkhunter (Rootkit Hunter) – an essential security tool that scans for rootkits, backdoors, and local exploits.
While rkhunter is excellent at detection, its default email notifications leave much to be desired. The built-in --cronjob option sends an email after every scan, regardless of whether any threats were found. For servers running daily scans, this creates alert fatigue – your inbox fills with routine “all clear” messages, making it easy to miss actual security warnings.
The Problem
The default cron configuration looks like this:
rkhunter --cronjob --update --quiet
This sends an email every single time, even when the scan is clean. Not ideal.
The Solution: Smart Email Alerts
I’ve written a wrapper script that only sends email notifications when rkhunter actually finds something concerning.
Implementation
Create a new script at /etc/cron.daily/rkhunter:
#!/bin/bash
#
# Rkhunter Smart Email Alert
# Only sends notifications when warnings are detected
#
# Author: Sebastiano Montino
# License: MIT
#
# Configuration
MAILTO="you@example.com"   # placeholder: replace with your address
SUBJECT="[$(hostname -s)] rkhunter Security Alert"
LOGFILE="/var/log/rkhunter.log"
# Run rkhunter with database update. --report-warnings-only keeps stdout
# empty on a clean run, so cron's own MAILTO output stays quiet as well.
/usr/bin/rkhunter --update --quiet
/usr/bin/rkhunter --cronjob --report-warnings-only
# Check for warnings in the log. Default to 0 if the log is missing so the
# numeric test below never sees an empty string.
WARNINGS=$(grep -c "Warning:" "$LOGFILE" 2>/dev/null)
WARNINGS=${WARNINGS:-0}
if [ "$WARNINGS" -gt 0 ]; then
    # Threats detected - send alert with the full log attached
    # (-a attaches a file with bsd-mailx/s-nail; GNU mailutils uses -A)
    echo "rkhunter has detected $WARNINGS warning(s) on $(hostname)" | \
        mail -s "$SUBJECT" -a "$LOGFILE" "$MAILTO"
fi
# Clean up old database lock files
rm -f /var/lib/rkhunter/db/rkhunter.dat.lock
Key Features
- Silent when clean: No emails unless issues are found
- Includes log attachment: Full scan details attached to alert emails
- Database auto-update: Keeps rkhunter signatures current
- Lock file cleanup: Prevents stale lock file issues
Configuration
- Replace the placeholder address in MAILTO with your actual email address
- Make the script executable:
chmod +x /etc/cron.daily/rkhunter
- Remove the default rkhunter cron job if it exists
Testing
Run the script manually to verify it works:
/etc/cron.daily/rkhunter
If your system is clean, you should receive no email. To test the alert mechanism, you can temporarily modify the script to send alerts on zero warnings.
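The same detection logic as an added example that is not part of the original post: the warning count and alert decision factored into functions with a DRY_RUN mode, exercised against constructed sample log lines. The function names, the DRY_RUN variable and the sample lines are assumptions, not rkhunter's own.

```shell
#!/bin/bash
# Added example, not from the original post: the wrapper's alert decision split
# into functions so it runs against a constructed sample log without rkhunter or
# mail. Assumption (as in the post): rkhunter logs each finding on a line with
# "Warning:"; the "[ Warning ]" status column has no colon and is not counted.

# Count findings. A missing or unreadable log yields 0 rather than an empty
# string, which would make a later '[ "" -gt 0 ]' test error out.
count_warnings() {
    local logfile="$1" n
    n=$(grep -c "Warning:" "$logfile" 2>/dev/null || true)
    echo "${n:-0}"
}

# Alert body: one-line summary followed by the warning lines themselves, so
# the recipient sees what fired without opening the attached log.
alert_body() {
    local logfile="$1" host="$2"
    printf 'rkhunter has detected %s warning(s) on %s\n\n' \
        "$(count_warnings "$logfile")" "$host"
    grep "Warning:" "$logfile" 2>/dev/null
}

# Return 0 and send (or, with DRY_RUN=1, print) the alert when warnings exist;
# return 1 silently when the scan is clean. DRY_RUN is a safer way to test the
# mechanism than lowering the threshold in the production script.
maybe_alert() {
    local logfile="$1" mailto="$2" host="$3" subject
    [ "$(count_warnings "$logfile")" -gt 0 ] || return 1
    subject="[$host] rkhunter Security Alert"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'To: %s\nSubject: %s\n\n' "$mailto" "$subject"
        alert_body "$logfile" "$host"
    else
        # -a attaches a file with bsd-mailx/s-nail; GNU mailutils uses -A.
        alert_body "$logfile" "$host" | mail -s "$subject" -a "$logfile" "$mailto"
    fi
}

# Constructed sample logs (not real rkhunter output): two findings in one,
# none in the other.
SAMPLE_DIRTY=$(mktemp)
cat > "$SAMPLE_DIRTY" <<'EOF'
[12:00:01] Checking for hidden files and directories          [ Warning ]
[12:00:01] Warning: Hidden directory found: /dev/.udev
[12:00:02] Checking if SSH root access is allowed             [ Warning ]
[12:00:02] Warning: The SSH and rkhunter configuration options should be the same.
EOF
SAMPLE_CLEAN=$(mktemp)
printf '[12:00:03] Checking for hidden files and directories          [ None found ]\n' > "$SAMPLE_CLEAN"
```

Run with DRY_RUN=1 maybe_alert "$SAMPLE_DIRTY" admin@example.com "$(hostname -s)" to see the exact mail that would go out without touching the production script.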
Advanced: Multi-Server Setup
For environments with multiple servers, consider centralizing alerts:
# Add server identification
HOSTNAME=$(hostname -f)
SUBJECT="[SECURITY] $HOSTNAME - rkhunter Alert"
# Include timestamp
DATE=$(date "+%Y-%m-%d %H:%M:%S")
echo "[$DATE] rkhunter detected $WARNINGS warning(s) on $HOSTNAME"
Conclusion
This simple modification transforms rkhunter from a noisy daily reporter into a true security sentinel – silent when everything is fine, but immediately alerting you when attention is needed.
Remember: the best security alert system is one that only alerts you when it matters.
Have questions about Linux server security? Feel free to reach out.