⚠️ Critical Warnings
- Performance Impact: These scanners put heavy load on the server while they run, noticeably degrading site performance for the duration of a scan. Running them under nice and ionice softens that impact but does not remove it.
- Resource Consumption: A scan will occupy most CPU cores and much of the memory, leaving little for your websites.
- Scheduling: Always run scans during quiet periods when your sites receive minimal traffic.
- Offensive Names: Some signature names reported during scans are crude or offensive. They come from the signature databases and are beyond our control.
- High Resource Requirements: ClamAV's on-demand scanner (clamscan) is particularly resource-hungry and should be run on demand only, not as a background service.
- Configuration Warnings: freshclam may warn that it cannot find or parse /etc/clamav/clamd.conf and that clamd was not notified. This is expected: the clamav-daemon package is not installed in this setup, so there is no running clamd to notify, and the warning can be safely ignored for on-demand scanning.
Resource Impact During Scanning
- CPU Usage: ~80%
- Memory Usage: ~80%
- SWAP Usage: ~50%
📖 Overview
This guide covers the installation and configuration of two essential security tools for your Ubuntu server:
ClamAV - Antivirus Engine
A free and open-source antivirus engine that detects known malware (viruses, trojans, webshells and similar) on your server by matching files against a signature database.
RKHunter - Rootkit Detection
A free tool that scans for rootkits, backdoors and signs of local exploits: it compares hashes of important system binaries against a stored baseline, looks for files and strings that known rootkits leave behind, and checks for hidden files and unusual permissions in system directories. A rootkit is software an attacker installs after gaining access to hide their presence (processes, files, network connections) and keep control of the server without being noticed.
🔧 ClamAV Installation & Configuration
Step 1: Update Package List
Before installing any package, always update the package list:
sudo apt update
Step 2: Upgrade Existing Packages
Update any packages that need upgrading. This guide uses a shell alias named server_updates:
server_updates
which expands to:
sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y
Step 3: Install ClamAV
sudo apt install clamav
On Ubuntu this also pulls in the clamav-freshclam package, which starts a background service that refreshes the signature database on its own.
Step 4: Disable Automatic Updates
We want to control when ClamAV updates its definitions, so we stop and disable the automatic freshclam service:
sudo systemctl stop clamav-freshclam
sudo systemctl disable clamav-freshclam
This step is required, not optional: while the service is running, a manual freshclam fails because the daemon holds a lock on /var/log/clamav/freshclam.log.
Step 5: Manual Database Updates
To manually update the antivirus database when needed (do this before every scan, since an outdated database misses recent malware):
sudo freshclam
Step 6: Running Manual Scans
To perform a recursive scan of a directory:
sudo clamscan -r /path/to/scan
Useful options: -i (--infected) prints only infected files instead of every file scanned, and --log=FILE writes the report to a file you can keep. clamscan exits with status 0 when nothing was found, 1 when at least one infected file was found and 2 on error, which is what any wrapper script should check.
Example: Scanning a WordPress site's wp-content directory:
sudo clamscan -r /var/www/example.com/public_html/wp-content
ClamAV Workflow
🔍 RKHunter Installation & Configuration
Step 1: Install RKHunter
sudo apt install rkhunter
Step 2: Create the File-Properties Baseline
After installation, record the baseline that later scans compare against:
sudo rkhunter --propupd
Note what this does: --propupd does not download definitions. It stores the current properties (hashes, sizes, permissions) of system binaries in RKHunter's database so that later scans can detect changes. Run it once right after installation, while the system is believed to be clean, and again only after legitimate package updates have changed those binaries. Running it before every scan would overwrite exactly the evidence the rootkit check needs.
Step 3: Run a Complete Scan
Execute a full system scan without pausing for keypresses:
sudo rkhunter --checkall --sk
--checkall (-c): performs every check RKHunter knows
--sk (--skip-keypress): runs uninterrupted instead of waiting for Enter after each section
Add --rwo (--report-warnings-only) if you want only the warnings on the terminal; the full detail still goes to the log.
Step 4: Review Scan Results
View the complete log file:
sudo cat /var/log/rkhunter.log
Or use less for easier navigation:
sudo less /var/log/rkhunter.log
Filter for warnings only:
sudo grep -i warning /var/log/rkhunter.log
The match must be case-insensitive because RKHunter writes its entries as "Warning:"; a plain grep warning would miss every one of them.
Step 5: Disable Automatic Scans
The Ubuntu package installs daily and weekly cron jobs. Remove them:
sudo rm /etc/cron.daily/rkhunter
sudo rm /etc/cron.weekly/rkhunter
The cleaner alternative is to leave the package files in place and set CRON_DAILY_RUN="false" and CRON_DB_UPDATE="false" in /etc/default/rkhunter, which the cron scripts consult before doing anything.
RKHunter Workflow
📊 Monitoring Resource Usage
To monitor system resources during scans, open a second terminal window and run:
htop
Expected Resource Usage
| State | CPU Usage | Memory Usage | SWAP Usage |
|---|---|---|---|
| Before Scan | < 1% | < 200 MB | ~300 MB / 2 GB |
| During ClamAV Scan | ~80% (all cores) | ~80% | ~50% |
| During RKHunter Scan | ~100% (all cores) | Moderate | Variable |
🔄 Typical Scan Workflow
Complete On-Demand Scanning Process
Update and Run ClamAV
sudo freshclam
sudo clamscan -r /path/to/scan
Run RKHunter
sudo rkhunter --checkall --sk
Refresh the RKHunter baseline only when needed (after installation or after legitimate package updates), not as a routine pre-scan step; otherwise the file-properties check compares the system against itself and detects nothing:
sudo rkhunter --propupd
⚠️ Common Warnings and Resolution
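The whole on-demand run above, wrapped in one script, as an added example (this is not code from the original guide or from the ClamAV or RKHunter projects). It assumes a log directory of /var/log/ondemand-scans, configurable through SCAN_LOG_DIR, and the sample logs at the bottom are constructed solely so the helpers can be exercised offline. It goes a step beyond the commands above by running both scanners at the lowest CPU and I/O priority and by acting on clamscan's exit code rather than eyeballing its output:

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: an on-demand wrapper around
# freshclam, clamscan and rkhunter. Assumed: the log directory below, and that
# both tools are installed as described in the guide.
set -eu

SCAN_LOG_DIR="${SCAN_LOG_DIR:-/var/log/ondemand-scans}"   # assumed location

# clamscan documents three exit codes: 0 = nothing found, 1 = infected file(s)
# found, 2 = an error occurred. Turn a code into a word for reporting.
clamscan_status() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    *) echo error ;;
  esac
}

# Pull the "Infected files: N" count out of a clamscan log written with --log.
infected_count() {
  awk '/^Infected files:/ { print $3 }' "$1"
}

# Count warning lines in an rkhunter log. rkhunter writes "Warning:" with a
# capital W, so the match has to be case-insensitive.
rkhunter_warning_count() {
  grep -ci 'warning' "$1" || true
}

# Whole on-demand run: refresh signatures, then run both scanners at the lowest
# CPU (nice 19) and I/O (ionice idle class) priority so the web server's
# workers keep getting scheduled.
run_scans() {
  target="$1"
  stamp=$(date +%Y%m%d-%H%M%S)
  clam_log="$SCAN_LOG_DIR/clamav-$stamp.log"
  rk_log="$SCAN_LOG_DIR/rkhunter-$stamp.log"
  mkdir -p "$SCAN_LOG_DIR"

  freshclam

  rc=0
  nice -n 19 ionice -c 3 clamscan -r -i --log="$clam_log" "$target" || rc=$?
  echo "clamav: $(clamscan_status "$rc"), $(infected_count "$clam_log") infected file(s), log: $clam_log"

  # --rwo prints warnings only, --sk skips the keypress prompts, -l sets the log.
  nice -n 19 ionice -c 3 rkhunter --checkall --sk --rwo -l "$rk_log" || true
  echo "rkhunter: $(rkhunter_warning_count "$rk_log") warning line(s), log: $rk_log"
}

# Constructed sample logs (not real scanner output) used only to exercise the
# two parsers offline; real logs come from --log and -l above.
sample_clamscan_log() {
  cat > "$1" <<'EOF'
/var/www/example.com/public_html/wp-content/uploads/x.php: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned directories: 120
Scanned files: 2345
Infected files: 1
Data scanned: 410.00 MB
EOF
}
sample_rkhunter_log() {
  cat > "$1" <<'EOF'
[12:00:01] Checking for hidden files and directories    [ Warning ]
[12:00:01] Warning: Hidden file found: /etc/.resolv.conf
[12:00:02] Checking for passwd file changes             [ None found ]
EOF
}

# Usage: sudo ./scan.sh --run /var/www/example.com/public_html/wp-content
if [ "${1:-}" = "--run" ]; then
  run_scans "$2"
fi
```

The script deliberately does not run rkhunter --propupd; refresh the baseline separately after package updates so the file-properties check keeps something to compare against.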
ClamAV Warnings
RKHunter Warnings
Example warnings you might encounter:
- Hidden file found: /etc/.resolv.conf (a hidden file in a system directory; once you have confirmed the file is legitimate, allowlist it with an ALLOWHIDDENFILE entry in /etc/rkhunter.conf rather than simply ignoring the warning)
- File not updated: Files in certain directories that haven't been modified
✅ Security Best Practices
- Schedule Scans Wisely: Always run scans during low-traffic periods (late night or early morning).
- Regular Updates: Run freshclam before every ClamAV scan so the signature database is current. Refresh the RKHunter baseline with --propupd only after installation and after legitimate package updates, never as a routine pre-scan step.
- Review Logs Thoroughly: Don't ignore warnings - investigate each one or seek expert advice.
- Disable Automatic Updates: Manual control prevents unexpected resource consumption.
- Monitor Resources: Use htop or similar tools to track system load during scans.
- Restrict File Uploads: Minimize or eliminate user file uploads to your server - this is a major security risk.
- Test First: Run initial scans on test/staging servers to understand resource impact.
- Document Results: Keep records of scan results and any actions taken.
🚫 Critical Security Recommendation
File Upload Security
Strong Recommendation: Do not allow any form of file uploads on your server.
Allowing users to upload files is one of the most common ways web servers are compromised. If an uploaded file lands somewhere the web server will execute it (a PHP file in the document root, for example), the attacker has remote code execution on your server. Scanning helps, but signature scanners miss new or obfuscated webshells, so scanning cannot be the only control.
If file uploads are absolutely necessary, implement multiple layers of security including:
- Strict file type validation: an allowlist of extensions, and a check that the file's content (its signature bytes) matches the claimed type, not just the name
- File size limitations
- Automatic scanning of all uploads before they are stored
- Isolated storage locations: outside the web root, with the web server configured never to execute anything stored there, and under server-chosen random filenames
- Regular security audits
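The layers listed above, as a script an upload handler could call before keeping a file; this is an added example, not code from the original guide. The allowlist, the 5 MiB cap, the storage path /srv/uploads and the scanner command are assumptions you would adjust (UPLOAD_STORE, MAX_UPLOAD_BYTES and SCANNER override them), and the two sample files at the bottom are constructed for offline exercise only:

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: layered upload checks.
# Assumed and adjustable: the allowlist, the size cap, the storage path and
# the scanner command below.
set -eu

UPLOAD_STORE="${UPLOAD_STORE:-/srv/uploads}"       # assumed: outside the web root
MAX_UPLOAD_BYTES="${MAX_UPLOAD_BYTES:-5242880}"    # assumed cap: 5 MiB
SCANNER="${SCANNER:-clamscan --no-summary}"        # clamscan exits 0 only when clean

# Layer 1: strict name check. Exactly one dot (refuses shell.php.png and
# dotfiles such as .htaccess) and an allowlisted extension.
allowed_name() {
  name=$(basename "$1")
  case "$name" in
    *.*.*|.*) return 1 ;;
  esac
  case "$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z')" in
    png|jpg|jpeg|gif|pdf) return 0 ;;
    *) return 1 ;;
  esac
}

# Layer 2: the file signature (first bytes) must agree with the extension, so
# a PHP script renamed to image.png is refused although its name passes layer 1.
magic_matches() {
  ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
  hex=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
  case "$ext:$hex" in
    png:89504e470d0a1a0a*)                 return 0 ;;
    jpg:ffd8ff*|jpeg:ffd8ff*)              return 0 ;;
    gif:474946383761*|gif:474946383961*)   return 0 ;;
    pdf:255044462d*)                       return 0 ;;
    *)                                     return 1 ;;
  esac
}

# Layer 3: size cap.
within_size_limit() {
  [ "$(wc -c < "$1" | tr -d ' ')" -le "$MAX_UPLOAD_BYTES" ]
}

# Layer 4: scan the file. Fails closed: a missing scanner refuses the upload
# instead of silently accepting it.
scan_clean() {
  command -v "${SCANNER%% *}" >/dev/null 2>&1 || return 1
  $SCANNER "$1" >/dev/null 2>&1
}

# Layer 5: keep the file under a random name in storage the web server does
# not execute scripts from, and print the new path.
store_isolated() {
  ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
  dest="$UPLOAD_STORE/$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n').$ext"
  mkdir -p "$UPLOAD_STORE"
  mv "$1" "$dest"
  chmod 0640 "$dest"
  printf '%s\n' "$dest"
}

# Runs the layers in order; the first failure refuses the upload.
accept_upload() {
  allowed_name "$1"      || { echo "refused: name" >&2; return 1; }
  magic_matches "$1"     || { echo "refused: content does not match extension" >&2; return 2; }
  within_size_limit "$1" || { echo "refused: too large" >&2; return 3; }
  scan_clean "$1"        || { echo "refused: scanner rejected file" >&2; return 4; }
  store_isolated "$1"
}

# Constructed samples for offline exercise: a minimal PNG signature, and a
# PHP script masquerading as an image.
make_sample_png()      { printf '\211PNG\r\n\032\n' > "$1"; }
make_sample_fake_png() { printf '<?php phpinfo(); ?>' > "$1"; }
```

Call accept_upload on the temporary file the web application received; it prints the final path on success and returns a non-zero code naming the layer that refused the file.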
📋 Quick Reference Commands
| Task | Command |
|---|---|
| Install ClamAV | sudo apt install clamav |
| Stop Freshclam Service | sudo systemctl stop clamav-freshclam |
| Disable Freshclam Service | sudo systemctl disable clamav-freshclam |
| Update ClamAV Database | sudo freshclam |
| Run ClamAV Scan | sudo clamscan -r /path/to/scan |
| Install RKHunter | sudo apt install rkhunter |
| Update RKHunter Database | sudo rkhunter --propupd |
| Run RKHunter Scan | sudo rkhunter --checkall --sk |
| View RKHunter Log | sudo cat /var/log/rkhunter.log |
| Filter for Warnings | sudo grep -i warning /var/log/rkhunter.log |
| Monitor Resources | htop |