Security Scans
Security checks are carried out at regular intervals for our managed and unmanaged servers. These checks ensure that there is no unauthorized access to server services.
SSH service
The security check determines whether the SSH service is accessible worldwide. This check cannot verify whether, for example, a password-based login has been deactivated for selected SSH users.
Recommendation:
Regardless of the method of authorization, it should be ensured that the SSH service is not accessible worldwide to prevent any type of attack.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 22 |
| Comment | Block SSH |
DNS service
The security check determines whether a DNS service is accessible worldwide.
Recommendation:
If you operate a DNS service on your server, you should ensure that it is only made available to authorized clients.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 53 |
| Comment | Block DNS |
MySQL service
The security check determines whether a MySQL service is accessible worldwide. This check cannot verify whether additional authentication mechanisms have been implemented.
Recommendation:
If you operate a MySQL service on your server, you should ensure that it is only made available to authorized clients.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 3306 |
| Comment | Block MySQL |
Redis service
The security check determines whether a Redis service is accessible worldwide. This check cannot verify whether additional authentication mechanisms have been implemented.
Recommendation:
If you operate a Redis service on your server, you should ensure that it is only made available to authorized clients.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 6379 |
| Comment | Block Redis |
Elasticsearch / OpenSearch service
The security check determines whether an Elasticsearch or OpenSearch service is accessible worldwide. This check cannot verify whether additional authentication mechanisms have been implemented.
Recommendation:
If you operate an Elasticsearch or OpenSearch service on your server, you should ensure that it is only made available to authorized clients.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 9200 |
| Comment | Block Elasticsearch / OpenSearch |
Kibana / OpenSearch dashboards service
The security check determines whether a Kibana / OpenSearch Dashboards service of your Elasticsearch or OpenSearch instance is globally accessible. This check cannot verify whether additional authentication mechanisms have been implemented.
Recommendation:
If you are running an Elasticsearch or Opensearch service with Kibana / OpenSearch dashboards on your server, you should ensure that it is only made available to authorized clients.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 5601 |
| Comment | Block Kibana / OpenSearch Dashboards |
Add exception for a service
If you want to deactivate the check for a selected service, you can add an exception for the affected service using the ignore warning button.
Optionally, enter a comment to be able to understand at a later date why the check was deactivated.
By clicking on Add exception, the check is permanently deactivated and the security warning is hidden for the server.