Security Scans

Security checks are carried out at regular intervals for our managed and unmanaged servers. These checks ensure that there is no unauthorized access to server services.



SSH service

The security check determines whether the SSH service is accessible worldwide. This check cannot verify whether, for example, a password-based login has been deactivated for selected SSH users.


Recommendation:

Regardless of the method of authorization, it should be ensured that the SSH service is not accessible worldwide to prevent any type of attack.


Firewall rule:

setting value
Direction Type Incoming Connections
Action Drop
Protocol TCP
Destination Port 22
Comment Block SSH



DNS service

The security check determines whether a DNS service is accessible worldwide.


Recommendation:

If you operate a DNS service on your server, you should ensure that it is only made available to authorized clients.


Firewall rule:

setting value
Direction Type Incoming Connections
Action Drop
Protocol TCP
Destination Port 53
Comment Block DNS



MySQL service

The security check determines whether a MySQL service is accessible worldwide. This check cannot verify whether additional authentication mechanisms have been implemented.


Recommendation:

If you operate a MySQL service on your server, you should ensure that it is only made available to authorized clients.


Firewall rule:

setting value
Direction Type Incoming Connections
Action Drop
Protocol TCP
Destination Port 3306
Comment Block MySQL



Redis service

The security check determines whether a Redis service is accessible worldwide. This check cannot verify whether additional authentication mechanisms have been implemented.


Recommendation:

If you operate a Redis service on your server, you should ensure that it is only made available to authorized clients.


Firewall rule:

setting value
Direction Type Incoming Connections
Action Drop
Protocol TCP
Destination Port 6379
Comment Block Redis



Elasticsearch service

The security check determines whether an Elasticsearch service is accessible worldwide. This check cannot verify whether additional authentication mechanisms have been implemented.


Recommendation:

If you are running an Elasticsearch or Opensearch service on your server, you should ensure that it is only made available to authorized clients.


Firewall rule:

setting value
Direction Type Incoming Connections
Action Drop
Protocol TCP
Destination Port 9200
Comment Block Elasticsearch



Add exception for a service

If you want to deactivate the check for a selected service, you can add an exception for the affected service using the ignore warning button.



Optionally, enter a comment to be able to understand at a later date why the check was deactivated.



By clicking on Add exception, the check is permanently deactivated and the security warning is hidden for the server.