Running a Webmin-managed Linux server without regular security audits is like leaving your front door unlocked and hoping no one tries it. Firewalls and fail2ban protect against brute-force attacks, but they don't detect rootkits already installed, misconfigurations that expose you to privilege escalation, or malware hiding in web directories. This guide walks you through a complete server security audit using three complementary tools — rkhunter (rootkit detection), Lynis (system hardening audit), and ClamAV (malware scanning) — and shows you how to automate the entire process from Webmin.
Why You Need All Three Tools
Each tool covers a different layer of server security:
- rkhunter — scans for known rootkits, backdoors, and suspicious system binary changes by comparing file hashes against a known-good baseline
- Lynis — performs a comprehensive security configuration audit: SSH hardening, kernel parameters, file permissions, service configurations, and compliance scoring
- ClamAV — scans file content for known malware signatures, infected PHP files, web shells, and email-borne threats
Together they form a layered detection approach: rkhunter catches system-level compromise, Lynis identifies configuration weaknesses before they're exploited, and ClamAV finds malware already in your web directories.
Step 1: Install and Configure rkhunter
# On RHEL/CentOS/AlmaLinux:
yum install rkhunter -y
# On Debian/Ubuntu:
apt-get install rkhunter -y
# Verify installation:
rkhunter --version
rkhunter --update
rkhunter --propupd
The --propupd flag creates a baseline of your current system file properties (MD5 hashes, permissions, owners). Run this immediately after a clean install so rkhunter has a known-good reference to compare against.
rkhunter --check --sk --rwo 2>&1 | tee /var/log/rkhunter_$(date +%Y%m%d).log
- --sk: skips the keypress prompts (for scripted runs)
- --rwo: prints only warnings and errors, not the full scan output
Review warnings carefully. Common false positives include cPanel or Plesk tools that modify system binaries — these should be whitelisted in /etc/rkhunter.conf rather than ignored. Genuine red flags are warnings about hidden processes, strings in kernel memory, or mismatched hashes on system commands like /bin/ps, /bin/netstat, or /usr/sbin/sshd.
Edit /etc/rkhunter.conf and add:
# Whitelist custom scripts or paths that trigger false positives:
SCRIPTWHITELIST=/usr/sbin/adduser
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENFILE=/dev/.blkid.tab
Step 2: Install and Run Lynis
# On RHEL/CentOS/AlmaLinux:
yum install lynis -y
# On Debian/Ubuntu:
apt-get install lynis -y
# Alternatively, install the latest version from the Lynis project:
cd /opt && git clone https://github.com/CISOfy/lynis && cd lynis
# (with the git checkout, run ./lynis from /opt/lynis instead of the packaged lynis command below)
lynis audit system 2>&1 | tee /var/log/lynis_$(date +%Y%m%d).log
The audit takes 2-5 minutes and covers over 300 security checks. Pay attention to the Hardening index score at the end — a score below 65 out of 100 means your server has significant security weaknesses.
Lynis outputs suggestions in three categories:
- WARNING — active security risk, fix immediately
- SUGGESTION — hardening improvement, fix when possible
- INFO — informational, no immediate action needed
The most impactful fixes are usually:
# SSH hardening (from Lynis suggestion SSH-7408):
# Edit /etc/ssh/sshd_config and set:
Protocol 2
# (protocol 1 support was removed from OpenSSH years ago; current versions ignore this line)
PermitRootLogin no
MaxAuthTries 3
# Only set this to "no" once SSH keys are in place. sshd_config does not allow a
# trailing comment on a directive line, so keep the note on its own line:
PasswordAuthentication no
AllowUsers your_admin_user
# Kernel hardening (from Lynis suggestion KRNL-6000):
# Edit /etc/sysctl.conf and add:
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 2
# Apply kernel settings immediately:
sysctl -p
# AUTH-9286: Check for empty password fields in /etc/shadow
awk -F: '($2 == "" ) { print $1 " has no password" }' /etc/shadow
# FILE-7524: World-writable files (common in web directories)
find /home /var/www -perm -o+w -type f 2>/dev/null | head -20
# FIRE-4508: Check that a firewall is active
systemctl status firewalld || iptables -L -n | head -5
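Before restarting sshd it is worth confirming that the settings above are the ones sshd will actually use: keywords are case-insensitive, the first occurrence of a directive wins, and anything after a Match line is conditional. The following POSIX shell script is an added example, not part of this guide, of Lynis or of OpenSSH. The function names (effective_value, check_sshd_config) and the two sample configs it writes to a temporary directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify an sshd_config against the hardening values from the
# Lynis suggestions above. Not part of the original guide or of Lynis.

# effective_value FILE DIRECTIVE
# Print the value sshd would use for DIRECTIVE: keywords are case-insensitive,
# the first occurrence wins, comments and blank lines are skipped, and anything
# after the first "Match" line is conditional, so scanning stops there.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == key                   { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE
# Print one OK/FAIL line per directive and return 0 only if all of them match.
check_sshd_config() {
    failures=0
    for pair in PermitRootLogin=no MaxAuthTries=3 PasswordAuthentication=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "FAIL $key: expected '$want', found '${got:-<unset>}'"
            failures=$((failures + 1))
        fi
    done
    # AllowUsers has no single right value; it only has to restrict logins to a list.
    if [ -n "$(effective_value "$1" AllowUsers)" ]; then
        echo "OK   AllowUsers is set"
    else
        echo "FAIL AllowUsers: not set, every account may log in over SSH"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Constructed sample configs (assumed content, not copied from any real host).
SAMPLE_DIR=$(mktemp -d)
HARDENED_CFG="$SAMPLE_DIR/sshd_config.hardened"
DEFAULT_CFG="$SAMPLE_DIR/sshd_config.default"

cat > "$HARDENED_CFG" <<'EOF'
# sshd_config after applying the fixes above
Protocol 2
permitrootlogin no
MaxAuthTries 3
PasswordAuthentication no
AllowUsers alice
# Directives below only apply to this subnet and must not affect the verdict
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF

cat > "$DEFAULT_CFG" <<'EOF'
# Typical distribution default: nothing hardened yet
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF

echo "== hardened =="; check_sshd_config "$HARDENED_CFG"
echo "== default =="; check_sshd_config "$DEFAULT_CFG" || echo "(hardening incomplete)"
```

On a real host, run check_sshd_config /etc/ssh/sshd_config after editing and only restart sshd once every line reports OK; keep an existing session open while you test the new configuration.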
Step 3: Install ClamAV and Scan for Malware
# On RHEL/CentOS/AlmaLinux:
yum install clamav clamd clamav-update -y
# On Debian/Ubuntu:
apt-get install clamav clamav-daemon -y
# Update virus definitions immediately:
freshclam
# Scan all web roots — adjust path for your setup:
clamscan -r --infected --remove=no --log=/var/log/clamav_$(date +%Y%m%d).log /home /var/www /usr/share/webapps 2>/dev/null
# For a faster scan of only PHP files (where web shells hide):
find /home /var/www -name "*.php" | clamscan --infected --log=/var/log/clamav_php_$(date +%Y%m%d).log -f -
Use --remove=no on the first run to review infected files before deletion. Never auto-delete without reviewing — false positives can remove legitimate plugin files.
# View scan results:
grep "FOUND" /var/log/clamav_$(date +%Y%m%d).log
# Move infected files to quarantine (don't delete yet):
mkdir -p /root/quarantine/$(date +%Y%m%d)
# The log lines look like "/path/to/file: Signature.Name FOUND"; strip the trailing
# ": Signature FOUND" rather than splitting on whitespace so paths with spaces survive:
grep " FOUND$" /var/log/clamav_$(date +%Y%m%d).log | sed 's/: [^ :]* FOUND$//' | xargs -I{} mv -- {} /root/quarantine/$(date +%Y%m%d)/
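Moving everything into one flat directory loses where each file came from, which matters when a quarantined file turns out to be a false positive and has to go back. The following POSIX shell script is an added example, not part of this guide or of ClamAV: it extracts infected paths from a clamscan log by stripping the trailing ": <signature> FOUND", moves each file into a quarantine tree that mirrors the original path, and appends a manifest for later restore. The function names, the fake web root, the log and the signature names are all constructed for the example.

```shell
#!/bin/sh
# Added example: quarantine files that clamscan reported as infected, driven
# by the scan log. Not part of the original guide or of ClamAV.

# infected_paths LOG
# clamscan logs "<path>: <Signature> FOUND" for each hit. Signature names carry
# no spaces or colons, so remove ": <signature> FOUND" from the end of the line
# rather than splitting on whitespace; paths with spaces come out intact.
infected_paths() {
    grep ' FOUND$' "$1" | sed 's/: [^ :]* FOUND$//'
}

# quarantine_from_log LOG DEST
# Move each infected file to DEST/<original absolute path>, append an
# "original<TAB>quarantined" line to DEST/manifest.tsv, and print how many
# files were moved. Files that are already gone (earlier run, manual cleanup)
# are skipped, so re-running on the same log is harmless.
quarantine_from_log() {
    log=$1; dest=$2; moved=0
    mkdir -p "$dest"
    # Feed the loop from a here-document rather than a pipe so the counter
    # updated inside the loop survives (a pipe would run the loop in a subshell).
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        mkdir -p "$dest$(dirname "$path")"
        mv -- "$path" "$dest$path"
        printf '%s\t%s\n' "$path" "$dest$path" >> "$dest/manifest.tsv"
        moved=$((moved + 1))
    done <<EOF
$(infected_paths "$log")
EOF
    echo "$moved"
}

# Constructed sample: a fake web root plus a clamscan-style log referring to
# it. File contents and signature names are made up for the example.
ROOT=$(mktemp -d)
QDIR="$ROOT/quarantine"
mkdir -p "$ROOT/www/site/wp-content/uploads" "$ROOT/www/site/cache"
echo 'legitimate file' > "$ROOT/www/site/index.php"
echo 'sample hit 1'    > "$ROOT/www/site/wp-content/uploads/upload.php"
echo 'sample hit 2'    > "$ROOT/www/site/cache/my file.php"
LOG="$ROOT/clamav_sample.log"
cat > "$LOG" <<EOF
$ROOT/www/site/index.php: OK
$ROOT/www/site/wp-content/uploads/upload.php: Sample.Constructed.Sig-1 FOUND
$ROOT/www/site/cache/my file.php: Sample.Constructed.Sig-2 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF

echo "Infected paths:"; infected_paths "$LOG"
echo "Moved $(quarantine_from_log "$LOG" "$QDIR") file(s); manifest:"
cat "$QDIR/manifest.tsv"
```

To restore a false positive, read its line from manifest.tsv and move the second column back to the first; the mirrored layout means the destination directory still exists.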
Step 4: Schedule Weekly Audits from Webmin
Webmin → System → Scheduled Commands → Add Scheduled Command, one entry per tool:
- rkhunter
  - Command: rkhunter --update && rkhunter --check --sk --rwo --logfile /var/log/rkhunter_weekly.log
  - Run as: root
  - Schedule: Weekly (Sunday at 3:00 AM)
- Lynis
  - Command: lynis audit system --quiet --logfile /var/log/lynis_weekly.log
  - Schedule: Weekly (Sunday at 3:30 AM)
- ClamAV
  - Command: freshclam && clamscan -r --infected --log=/var/log/clamav_weekly.log /home /var/www
  - Schedule: Weekly (Sunday at 4:00 AM)
Webmin → System → System Logs → add the log file paths (/var/log/rkhunter_weekly.log, /var/log/lynis_weekly.log, /var/log/clamav_weekly.log) as watched log files for easy review from the panel.
Step 5: Email Alerts for Critical Findings
Configure each tool to send email alerts when it finds something serious:
# rkhunter email alerts — add to /etc/rkhunter.conf:
MAIL-ON-WARNING=admin@yourdomain.com
# rkhunter substitutes ${HOST_NAME} itself and appends the MAIL-ON-WARNING address:
MAIL_CMD=mail -s "[rkhunter] WARNING: ${HOST_NAME}"
# Lynis email (wrap in a script):
cat > /usr/local/bin/lynis-audit.sh << 'EOF'
#!/bin/bash
# Lynis writes its log to /var/log/lynis.log and a machine-readable report
# to /var/log/lynis-report.dat.
lynis audit system --quiet
# The score is stored in the report file as "hardening_index=NN"; the log line
# only carries a progress bar, so parse the report instead of the log.
SCORE=$(grep '^hardening_index=' /var/log/lynis-report.dat | cut -d= -f2)
if [ -z "$SCORE" ]; then
    mail -s "[Lynis] Audit produced no hardening index on $(hostname)" admin@yourdomain.com < /var/log/lynis.log
elif [ "$SCORE" -lt 70 ]; then
    mail -s "[Lynis] Security score dropped: $SCORE/100 on $(hostname)" admin@yourdomain.com < /var/log/lynis.log
fi
EOF
chmod +x /usr/local/bin/lynis-audit.sh
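A fixed threshold only catches a server that was never hardened; the checklist below also asks you to watch for a score that drops from one run to the next. The following POSIX shell script is an added example, not part of this guide or of Lynis: it reads the hardening index from a report file, compares it with both a threshold and the value saved by the previous run, and prints a verdict that a wrapper like lynis-audit.sh can turn into an email. The function names, the sample report files it writes to a temporary directory and the state-file location are assumptions; on a real host point it at /var/log/lynis-report.dat and a state file of your choosing.

```shell
#!/bin/sh
# Added example: turn the Lynis hardening index into an alert decision.
# Not part of the original guide or of Lynis.

# hardening_index REPORT
# Lynis writes "hardening_index=NN" into its report file
# (/var/log/lynis-report.dat on a real host). Print NN, or nothing if absent.
hardening_index() {
    sed -n 's/^hardening_index=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# score_alert REPORT STATEFILE THRESHOLD
# Print a one-line verdict and return 0 when an email should go out:
#   - the report has no index (the audit did not finish),
#   - the index is below THRESHOLD, or
#   - the index is lower than the value STATEFILE holds from the previous run
#     (configuration drift since the last audit).
# The current index is saved to STATEFILE for the next comparison.
score_alert() {
    report=$1; state=$2; threshold=$3
    score=$(hardening_index "$report")
    if [ -z "$score" ]; then
        echo "ALERT: no hardening_index in $report"
        return 0
    fi
    prev=""
    if [ -f "$state" ]; then prev=$(cat "$state"); fi
    printf '%s\n' "$score" > "$state"
    if [ "$score" -lt "$threshold" ]; then
        echo "ALERT: hardening index $score is below threshold $threshold"
        return 0
    fi
    if [ -n "$prev" ] && [ "$score" -lt "$prev" ]; then
        echo "ALERT: hardening index dropped from $prev to $score"
        return 0
    fi
    echo "OK: hardening index $score (previous run: ${prev:-none})"
    return 1
}

# Constructed sample reports standing in for consecutive weekly runs
# (only the hardening_index key matters here).
DEMO=$(mktemp -d)
printf '# Lynis Report\nhardening_index=72\n' > "$DEMO/week1.dat"
printf '# Lynis Report\nhardening_index=68\n' > "$DEMO/week2.dat"
printf '# Lynis Report\nhardening_index=60\n' > "$DEMO/week3.dat"
printf '# Lynis Report\n'                     > "$DEMO/aborted.dat"

for r in week1 week2 week3 aborted; do
    if score_alert "$DEMO/$r.dat" "$DEMO/last_score" 65; then
        echo "  -> would send mail for $r"
    fi
done
```

In the wrapper script from this step, a call such as score_alert /var/log/lynis-report.dat /var/lib/lynis-last-score 70 && mail ... replaces the fixed-threshold test, so a server that slips from 85 to 75 still gets flagged even though 75 is above the threshold.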
Webmin Security Audit Checklist
- Run rkhunter --propupd immediately after any system update to refresh the baseline
- Check rkhunter --list tests to understand what each test checks
- Re-run Lynis monthly and track the hardening score — a dropping score indicates new misconfigurations
- Keep ClamAV virus definitions updated via freshclam — stale definitions miss current threats
- Review quarantined files before deleting — false positives are common in cached WordPress files
- After fixing Lynis warnings, run lynis audit system again to confirm the score improved
A security audit is a point-in-time snapshot, not a permanent solution. New vulnerabilities, installed scripts, and configuration drift all introduce risk over time. If you're managing multiple Webmin servers and want continuous security monitoring rather than weekly manual checks, CloudHouse's managed server team provides ongoing security auditing, hardening, and incident response as part of our server management service.
