I have a cron job that runs nmap -p- and pipes the output into msmtp.
Uptime kuma also supports checking tcp ports but you'd have to make a rule for every port.
this post was submitted on 14 Apr 2026
25 points (93.1% liked)
Selfhosted
58486 readers
526 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
shodan.io might help
After I fiddle with the firewall rules (or a system install or major upgrade) I usually only do a quick portscan with nmap from another box. (TCP and UDP; only IPv4 only because I disabled IPv6 completely.) There are online port-scan services too, but you never know if they also invite the bots.
I agree with others here that vulnerability-scanning your own applications seems overkill. Like with external virus scanners, I always feel they are just as likely the attack vector themselves. The more complexity, the more risk.
What I do is:
- Enable unattended system updates (on Debian stable) and automated reboots. And sometimes check if it actually still works.
- Firewall configuration with a whitelist for public ports, and as a second layer:
- configure internal services to listen only on localhost, or to filter access by ip/netmask, and
- put something in front of services that don't need general public access. (A wireguard tunnel, or HTTP basic auth in your reverse-proxy.)
- if you expose ssh to the public, make there is some extra step that prevents you from exposing a test user you just created. I'm using the
AllowUsersuser whitelist, butKbdInteractiveAuthentication noshould be good enough too. If the failed login attempts by the bots bother you, you could run sshd on a non-standard port. - stop services you no longer use, or at least remove public access.
- If you have a complex service that needs to be fully public (say a video conference solution, I wouldn't worry much about a simple static web server) then isolate it from everything else somehow. Ideally on a separate box, make sure it cannot access the internal network, make sure it cannot access any files it doesn't need. And install those security patches.
Something else I always wanted to do (but never got around doing) is to create a simple canary intrusion detection. Like, putting some important-looking "prod" host into ~/.ssh/config and a private ssh key, and configure the target host to send me a SMS instead when this key tries to log in. (Or even shut everything down automatically.) This should prevent me from becoming part of a botnet for months unnoticed, maybe.
Proper routers can be used to effectively firewall your services from the net (Cisco/Aruba/Juniper/Fortigate etc). Mikrotik is the cheapest.
For example, on a Mikrotik router in the IP filter rules:
Rule 1 - drop input traffic from a custom blacklist.
Rule 2 - accept input traffic that you want to port forward to your server.
Rule 3 - accept established and related traffic (tcp sessions that have passed SYN ACK stage).
Rule 4 - add source IP to blacklist for input traffic that you dont want to port forward to your server. Example: not 443,22 will trigger on all other ports.
This way if someone is scanning your ports they will be blacklisted and then will never get back in even on your open ports. I manage some large networks and our blacklist grows by around 50k IP addresses per week that are just scanning the internet. With a setup like this you don't have to worry that much about the servers open ports or its firewall. You can also write to the router log all successful requests and their source IPs if you ever want to double check who's been getting in.
I used Nessus for a while and I heard that OpenVAS could be a good FOSS alternative to it.
+1 for Nessus - pretty comprehensive scans
Greenbone is the foss equivalent to nessus, and it does what you are looking for.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| HTTP | Hypertext Transfer Protocol, the Web |
| IP | Internet Protocol |
| TCP | Transmission Control Protocol, most often over IP |
| UDP | User Datagram Protocol, for real-time communications |
[Thread #237 for this comm, first seen 14th Apr 2026, 20:00] [FAQ] [Full list] [Contact] [Source code]
Its getting difficult to notice if any wrong port is still open or some web server is out of date
This isn't generally done with security scanners unless you're running hundreds of nodes. Use iptables rules with inclusive rules only to block ports. Keep your software inventoried for the rest, or some sort of basic configuration management.
If you don't have these basics, what good is a scanner going to do for you?
Yeah, I agree. Not knowing what ports might be open on a single egress shouldn't happen.