VPS Security Scanner
Enter a domain or public IP and get a graded security report in seconds. The scanner checks for exposed ports and databases, weak or expiring TLS, missing HTTP security headers, insecure cookies, information disclosure, and email-spoofing gaps in SPF, DMARC, and DKIM. Every finding is ranked by severity with a clear fix. We only scan public hosts, block private and reserved addresses, and store nothing.
We only scan public hosts - private and reserved addresses are blocked. The scan runs from CtrlOps servers over standard TCP, checks a curated set of high-risk ports plus TLS, headers, and email records, and stores nothing. Only scan servers you own or are authorized to test.
What the scanner checks, and how the grade works
The scan runs from CtrlOps servers and looks at your host from the outside, the same way an attacker would. It groups the results into four areas: exposed services (a targeted TCP scan of the high-risk ports above - databases, container APIs, remote desktop, admin panels), transport security (the SSL certificate and the TLS version your server negotiates), web hardening (HTTP security headers, cookie flags, and whether plain HTTP redirects to HTTPS), and email authentication (SPF, DMARC, and DKIM in your DNS).
Each check returns pass, warning, or fail and carries a severity from critical to low. The overall score starts at 100 and subtracts a weighted penalty for every problem, then maps to a letter grade from A to F. A critical failure - an exposed database, for example - costs far more than a missing low-priority header, so the grade reflects real risk, not a checklist count.
Open ports and exposed databases: the checks that matter most
The single most common serious misconfiguration is a database or internal service bound to 0.0.0.0 instead of 127.0.0.1, leaving it reachable from the whole internet. MongoDB, Redis, Elasticsearch, and Memcached have historically shipped with no authentication by default, and mass-scanning bots find an exposed instance within minutes. The scanner probes a curated set of these ports and flags any that accept a connection.
If a port shows as exposed, the fix is almost always the same: bind the service to localhost, put it behind a firewall or security group, and reach it over an SSH tunnel rather than a public port. When you need to reason about which addresses are public versus private in the first place, the CIDR / subnet calculator breaks down any range.
TLS and certificates: expiry, self-signed, and legacy protocols
The scanner performs a live TLS handshake and reads the certificate your server actually presents. It flags a certificate that has expired, is self-signed (and therefore untrusted by browsers), does not cover the hostname you entered, or is close to expiry - the silent outage that takes a site down at 2am. To inspect a certificate in full - SANs, chain order, fingerprints - paste it into the SSL certificate decoder.
It also checks which TLS version the server negotiates and probes whether it still accepts deprecated TLS 1.0 and 1.1. Those versions are formally deprecated and enable downgrade attacks; modern servers should offer TLS 1.2 at minimum and TLS 1.3 ideally. A green result here means the transport layer is current.
HTTP security headers and cookie flags
A handful of response headers meaningfully reduce your attack surface, and most servers ship without them. The scanner checks for HSTS (forces HTTPS), Content-Security-Policy (contains cross-site scripting), X-Frame-Options (blocks clickjacking), X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. It also inspects Set-Cookie for the Secure, HttpOnly, and SameSite flags, and warns when a Server or X-Powered-By header leaks your exact software version - free reconnaissance for an attacker.
These are usually a few lines in your web server config. If you run nginx, the nginx config generator produces a server block with the right headers and SSL settings already in place.
Email spoofing: SPF, DMARC, and DKIM
Server security is not only about the box - a domain with weak email authentication can be spoofed, letting attackers send phishing that looks like it came from you. The scanner audits your DNS for SPF (which servers may send mail), DMARC (what to do with mail that fails), and DKIM (the signing key), and flags the common gaps: a missing record, a permissive +all, or a DMARC policy stuck on p=none that monitors but never blocks.
These checks run from your browser over DNS-over-HTTPS - the domain is all that is sent, and never to a CtrlOps server. For a deeper email audit, including the SPF 10-lookup limit and DKIM selector probing, use the dedicated DNS lookup + SPF/DMARC/DKIM checker.
What this scan is - and what it is not
This is a fast, external surface check: a TCP-connect scan of common high-risk ports from a single region, plus TLS, header, and DNS inspection. It is designed to catch the misconfigurations that expose most servers, and to do so safely. It is not a full penetration test - it does not scan all 65,535 ports, brute-force credentials, or test application logic, and a high grade is not a guarantee that a host is secure.
One important note: if your domain sits behind a CDN or proxy such as Cloudflare or CloudFront, the port scan reaches the CDN edge, not your origin server. The scanner detects this and tells you, so a clean port result is not mistaken for a locked-down origin. To audit the machine itself, scan its origin IP directly. And only ever scan hosts you own or are explicitly authorized to test - scanning third parties without permission may be illegal.
High-risk ports the scanner checks - and why an open one matters
| Service | Port | Why exposure is dangerous |
|---|---|---|
| MySQL / PostgreSQL | 3306 / 5432 | Direct database access - brute force, data theft, and ransom if reachable from the internet |
| MongoDB / Redis | 27017 / 6379 | Frequently ship with no auth by default - a wide-open door to your data |
| Docker API | 2375 | Unauthenticated Docker socket equals full root on the host |
| Kubernetes API | 6443 | Cluster control plane - a misconfigured one hands over every workload |
| RDP / VNC | 3389 / 5900 | Remote desktop exposed to the internet is a top ransomware entry point |
| Telnet / FTP | 23 / 21 | Plaintext protocols - credentials travel unencrypted and are trivially sniffed |
| SSH | 22 | Reachable by default - harden with keys-only auth and a non-default port |
Frequently asked questions
Related developer tools
CIDR / Subnet Calculator
Calculate network range, mask, and host counts from CIDR notation.
htpasswd Generator
Create bcrypt/apr1 basic-auth credentials for nginx and apache.
DNS Record Lookup + SPF/DMARC/DKIM Checker
Look up DNS records and audit SPF, DMARC, DKIM, MX, MTA-STS, and BIMI - pass/fail with fixes. Runs from your browser via DNS-over-HTTPS.
Find a problem here, fix it on the box.
CtrlOps is a modern SSH workspace for the servers behind your domains - organized hosts, secure key management, and instant terminals. Run the scan, then jump onto the machine in one click to close the port, renew the certificate, or add the headers.
✓ Start instantly·✓ No credit card·✓ No sneaky autorenewals

