Security Scanning
from Zenlix@lemmy.ml to selfhosted@lemmy.world on 14 Apr 17:04
https://lemmy.ml/post/45928238

Hey guys. I have a few selfhosted systems that are available to the public. Its getting difficult to notice if any wrong port is still open or some web server is out of date. I am looking for a (foss) tool that can reguarly monitor my systems (via their public ip/domain) and notify me if any port that I not specifically allowed (in a config) is open. Additionally it would be cool if it checked all open ports if they provide out of date software (like webservers) or known security issues.

I found nikto, but it feels like its doing only half of what I want. greenbone feels way to bloated for my use case.

Do you know any kind of software that would do something like that?

#selfhosted

threaded - newest

CallMeAl@piefed.zip on 14 Apr 17:14 next collapse

I use a self hosted Wazuh server. There is a lot to it but its very comprehensive.

frongt@lemmy.zip on 14 Apr 17:16 next collapse

Greenbone is the foss equivalent to nessus, and it does what you are looking for.

uenticx@lemmy.world on 14 Apr 17:19 next collapse

Its getting difficult to notice if any wrong port is still open or some web server is out of date

This isn’t generally done with security scanners unless you’re running hundreds of nodes. Use iptables rules with inclusive rules only to block ports. Keep your software inventoried for the rest, or some sort of basic configuration management.

If you don’t have these basics, what good is a scanner going to do for you?

besmtt@lemmy.world on 14 Apr 19:26 next collapse

Would shodan work for at least some of what you’re looking for?

frongt@lemmy.zip on 14 Apr 20:18 collapse

Yes, but it’s not foss.

LeTak@feddit.org on 14 Apr 19:32 next collapse

I used Nessus for a while and I heard that OpenVAS could be a good FOSS alternative to it.

irmadlad@lemmy.world on 14 Apr 19:34 collapse

+1 for Nessus - pretty comprehensive scans

matsdis@piefed.social on 14 Apr 19:50 next collapse

After I fiddle with the firewall rules (or a system install or major upgrade) I usually only do a quick portscan with nmap from another box. (TCP and UDP; only IPv4 only because I disabled IPv6 completely.) There are online port-scan services too, but you never know if they also invite the bots.

I agree with others here that vulnerability-scanning your own applications seems overkill. Like with external virus scanners, I always feel they are just as likely the attack vector themselves. The more complexity, the more risk.

What I do is:

  1. Enable unattended system updates (on Debian stable) and automated reboots. And sometimes check if it actually still works.
  2. Firewall configuration with a whitelist for public ports, and as a second layer:
  3. configure internal services to listen only on localhost, or to filter access by ip/netmask, and
  4. put something in front of services that don’t need general public access. (A wireguard tunnel, or HTTP basic auth in your reverse-proxy.)
  5. if you expose ssh to the public, make there is some extra step that prevents you from exposing a test user you just created. I’m using the AllowUsers user whitelist, but KbdInteractiveAuthentication no should be good enough too. If the failed login attempts by the bots bother you, you could run sshd on a non-standard port.
  6. stop services you no longer use, or at least remove public access.
  7. If you have a complex service that needs to be fully public (say a video conference solution, I wouldn’t worry much about a simple static web server) then isolate it from everything else somehow. Ideally on a separate box, make sure it cannot access the internal network, make sure it cannot access any files it doesn’t need. And install those security patches.

Something else I always wanted to do (but never got around doing) is to create a simple canary intrusion detection. Like, putting some important-looking “prod” host into ~/.ssh/config and a private ssh key, and configure the target host to send me a SMS instead when this key tries to log in. (Or even shut everything down automatically.) This should prevent me from becoming part of a botnet for months unnoticed, maybe.

Decronym@lemmy.decronym.xyz on 14 Apr 20:00 next collapse

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
TCP Transmission Control Protocol, most often over IP
UDP User Datagram Protocol, for real-time communications

4 acronyms in this thread; the most compressed thread commented on today has 5 acronyms.

[Thread #237 for this comm, first seen 14th Apr 2026, 20:00] [FAQ] [Full list] [Contact] [Source code]

Hippy@piefed.social on 14 Apr 20:24 collapse

Proper routers can be used to effectively firewall your services from the net (Cisco/Aruba/Juniper/Fortigate etc). Mikrotik is the cheapest.

For example, on a Mikrotik router in the IP filter rules: Rule 1 - drop input traffic from a custom blacklist. Rule 2 - accept input traffic that you want to port forward to your server. Rule 3 - accept established and related traffic (tcp sessions that have passed SYN ACK stage). Rule 4 - add source IP to blacklist for input traffic that you dont want to port forward to your server. Example: not 443,22 will trigger on all other ports.

This way if someone is scanning your ports they will be blacklisted and then will never get back in even on your open ports. I manage some large networks and our blacklist grows by around 50k IP addresses per week that are just scanning the internet. With a setup like this you don’t have to worry that much about the servers open ports or its firewall. You can also write to the router log all successful requests and their source IPs if you ever want to double check who’s been getting in.