Security Scans
Security checks are carried out at regular intervals for our managed and unmanaged servers. These checks ensure that there is no unauthorized access to server services.
SSH service
The security check determines whether the SSH service is accessible worldwide. This check cannot verify whether, for example, a password-based login has been deactivated for selected SSH users.
Recommendation:
Regardless of the method of authorization, it should be ensured that the SSH service is not accessible worldwide to prevent any type of attack.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 22 |
| Comment | Block SSH |
DNS service
The security check determines whether a DNS service is accessible worldwide.
Recommendation:
If you operate a DNS service on your server, you should ensure that it is only made available to authorized clients.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 53 |
| Comment | Block DNS |
MySQL service
The security check determines whether a MySQL service is accessible worldwide. This check cannot verify whether additional authentication mechanisms have been implemented.
Recommendation:
If you operate a MySQL service on your server, you should ensure that it is only made available to authorized clients.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 3306 |
| Comment | Block MySQL |
Redis service
The security check determines whether a Redis service is accessible worldwide. This check cannot verify whether additional authentication mechanisms have been implemented.
Recommendation:
If you operate a Redis service on your server, you should ensure that it is only made available to authorized clients.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 6379 |
| Comment | Block Redis |
Elasticsearch service
The security check determines whether an Elasticsearch service is accessible worldwide. This check cannot verify whether additional authentication mechanisms have been implemented.
Recommendation:
If you are running an Elasticsearch or Opensearch service on your server, you should ensure that it is only made available to authorized clients.
Firewall rule:
| setting | value |
|---|---|
| Direction Type | Incoming Connections |
| Action | Drop |
| Protocol | TCP |
| Destination Port | 9200 |
| Comment | Block Elasticsearch |
Add exception for a service
If you want to deactivate the check for a selected service, you can add an exception for the affected service using the ignore warning button.
Optionally, enter a comment to be able to understand at a later date why the check was deactivated.
By clicking on Add exception, the check is permanently deactivated and the security warning is hidden for the server.