this post was submitted on 14 Apr 2026
28 points (93.8% liked)

Selfhosted

58486 readers
526 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
28
Security Scanning (lemmy.ml)
submitted 16 hours ago by Zenlix@lemmy.ml to c/selfhosted@lemmy.world
13 comments fedilink hide all child comments
 

Hey guys. I have a few selfhosted systems that are available to the public. Its getting difficult to notice if any wrong port is still open or some web server is out of date. I am looking for a (foss) tool that can reguarly monitor my systems (via their public ip/domain) and notify me if any port that I not specifically allowed (in a config) is open. Additionally it would be cool if it checked all open ports if they provide out of date software (like webservers) or known security issues.

I found nikto, but it feels like its doing only half of what I want. greenbone feels way to bloated for my use case.

Do you know any kind of software that would do something like that?

you are viewing a single comment's thread
view the rest of the comments
[–] Hippy@piefed.social 4 points 12 hours ago

Proper routers can be used to effectively firewall your services from the net (Cisco/Aruba/Juniper/Fortigate etc). Mikrotik is the cheapest.

For example, on a Mikrotik router in the IP filter rules:
Rule 1 - drop input traffic from a custom blacklist.
Rule 2 - accept input traffic that you want to port forward to your server. Rule 3 - accept established and related traffic (tcp sessions that have passed SYN ACK stage).
Rule 4 - add source IP to blacklist for input traffic that you dont want to port forward to your server. Example: not 443,22 will trigger on all other ports.

This way if someone is scanning your ports they will be blacklisted and then will never get back in even on your open ports. I manage some large networks and our blacklist grows by around 50k IP addresses per week that are just scanning the internet. With a setup like this you don't have to worry that much about the servers open ports or its firewall. You can also write to the router log all successful requests and their source IPs if you ever want to double check who's been getting in.