I checked my system with rkhunter

I didn’t find any other section to post this, so here I am…
I just checked my system with rkhunter and it remind me to a couple possibilities of rootkits and others warnings.
What I have to do now? I mean, what I have to check and/or how to find/remove them?

Thanks in advance.

Would be good to post what and which for people to review them.

Also, they might be false positives:

:eye: https://wiki.archlinux.org/title/Rkhunter#False_positives

1 Like

A warnings returned for the ssh check for root acces allowing and another for the check of the ssh protocol v1 allowing.
Then, another warnings returned for the check for hidden files and directories and another one after checking for suspicious (large) shared memory segment (for this last one, could it means for ram? I added more module a couple days ago…)

Personally, I am not familiar with the specifics of rkhunter.
I would however look at /var/log/rkhunter.log and search the www for those warnings while waiting for other members to chime in.

Posting the log here is safe?

What do you suggest to use?

It should be.
There doesn’t seem to be any personally identifiable information in there.

I haven’t been using any such things for a very long time. I’m afraid I have no suggestions as what to use. Hopefully other users with more insight to such pieces of software would give you some suggestions.

In the server device, you should try doing this and see if it fixes “ssh check for root access allowing”.
In the server, edit
uncomment the PermitRootLogin line and change it to no so that it looks like this.

PermitRootLogin no

As for the enabled ssh V1, in the same config file for your server device, there may be a line as

Protocol 1,2

I believe that at one time when protocol 2 was introduced, this line existed. But I haven’t seen this for a long time.

I checked my server and my /etc/ssh/sshd_config file does not have this line. If you find this line in your config file, either comment it out or change to

Protocol 2


rkhunter seems to be old. The latest release seems to be from February 2018. See http://rkhunter.sourceforge.net/

Perhaps lynis is better.


I didn’t know lynis, and it is certainly far better than any other root detector.

Fortunately it provides a summary at the end, otherwise the (supposed) non-compliances and deficiencies would be intimidating. The problem with almost all security tools is that they are good at finding problems but bad at stating whether a problem actually matters or not.

In my case all it eventually got worried about was the system clock not being synchronised via ntp for over a day, and there only being one DNS server (mullvad only has one) :hot_face:

I have no server device

I already installed it. The audit show me different problems in the kernel section abour symlinks, ipv4 and stuff like that, but my ignorance suggest to me that it could be some ‘hack’ configuration from Arch. Could it be?

The output from tools like lynis and rkhunter are not always things that you need to fix. They provide insights and identify risks which need need to be analyzed.

If you are running sshd on your PC, it is the “server”.